Change Healthcare's Breach Costs Could Reach $2.5 Billion
Costs Have Already Hit $2 Billion, Parent Company UnitedHealth Group Reports
The cost of the Change Healthcare breach has reached $2 billion, parent company UnitedHealth Group told investors.
The Minnesota-based health insurance and services firm on Tuesday reported second-quarter earnings of $7.9 billion, which reflects $1.1 billion in costs for that quarter due to "unfavorable cyberattack effects" from the hit on Change Healthcare, which is part of its Optum business unit.
Costs tied to the February ransomware attack reached $1.98 billion as of June 30, including $1.3 billion in "direct costs," and total costs are likely to hit $2.3 billion to $2.45 billion, UHG said.
Costs have included "restoring the clearinghouse platform and other response efforts," as well as "higher medical expenses directly stemming from the temporary pause of some care management activities," John F. Rex, UHG's president and chief financial officer, said on a Tuesday earnings call.
Even so, UHG reported second-quarter revenues that increased by 6% year on year to reach $98.9 billion, and much of that revenue was driven by its Optum group.
"The company has restored the majority of the affected Change Healthcare services while continuing to provide financial support to the remaining healthcare providers in need," UHG said. "To date, the company has provided over $9 billion in advance funding and interest-free loans to support care providers."
Following the earnings call, the value of the company's stock closed nearly 7% higher for the day.
The company continues to respond to the February attack by ransomware-wielding hackers against Change Healthcare, a medical billing intermediary that handles about 6% of all U.S. healthcare system payments, resulting in major disruptions for healthcare providers across the nation.
UHG said it first detected the breach on Feb. 21. The breach appears to have begun on Feb. 17 when attackers accessed a Citrix remote access service that the company failed to protect using multifactor authentication (see: Multifactor Authentication Shouldn't Be Optional).
Costs tied to the attack include UHG paying a $22 million ransom to the Russian-speaking ransomware group Alphv - aka BlackCat - after it claimed to have stolen 6 terabytes of the company's data.
BlackCat's operators subsequently shut down their group and kept all of the money, rather than sharing the ransom with the affiliate who hacked Change. In response, the affiliate appears to have taken the data to another ransomware-as-a-service group, RansomHub, and demanded a fresh ransom from Change. Whether UHG also acceded to the second ransom demand isn't clear.
Last month, UHG said it had nearly completed its review of the stolen data to identify affected individuals and had begun to notify all affected individuals, including on behalf of Change's customers, unless those organizations opt out. All affected individuals should be notified by the end of July, UHG said.
While the company hasn't yet said how many individuals in total it expects to notify, up to one-third of the U.S. population, which stands at approximately 333 million people, might be affected by the attack, Andrew Witty, CEO of UHG, testified in May before two congressional committees (see: Lawmakers Grill UnitedHealth CEO on Change Healthcare Attack).
Information stolen from Change varies for every individual involved, UHG said, but can include an individual's name, birthdate, employer, Social Security number and email address, as well as details pertaining to medical diagnoses, medicines, test results, images, care and treatment. Some individuals' financial or payment card information may have been exposed, as well as driver's license and passport numbers, details of billing claims and other sensitive information.
Multiple state attorneys general have urged potentially affected consumers to stay vigilant against identity theft and fraud, given how the stolen information could be misused.