3rd Party Risk Management , Fraud Management & Cybercrime , Ransomware
Change Healthcare Attack Cost Estimate Reaches Nearly $2.9B
Most IT Restored, But UHG Is Still Catching Up and Aiming to Win Back ClientsUnitedHealth Group has raised its estimates to nearly $2.9 billion for the total costs this fiscal year of the cyberattack on its Change Healthcare IT services unit. So far, the incident has cost $2.5 billion, which is what the company in July predicted would be the total cost for the year.
See Also: OnDemand | How to Use Data Threat Analytics to Fight Ransomware
UHG made the disclosures on Tuesday in its financial results for the third-quarter and nine-month period of fiscal 2024, which ended on Sept. 30.
UHG executives also told Wall Street analysts in an earnings call Tuesday that Change Healthcare's IT systems are mostly restored and the company is working to win back customers that were disrupted by the attack and sought services from alternative vendors.
"We're not only trying to bring volume back into our current customers. We're also working to bring new clients in, and that's exciting because this event has really transformed the marketplace," Roger Connor, CEO of UHG's Optum Insight division said during the call. "They're looking for … access to innovation, access to security in the system, and that's what we've brought back. We've brought back a very secure system, and that is resonating. We're seeing that momentum."
Despite the impact of the ransomware attack on Change Healthcare, UHG revenue in the third-quarter still grew to nearly $101 billion, up by $8.5 billion from the same period last year. UHG said that growth was "led by strong expansion in people served at Optum and UnitedHealthcare."
Third-quarter earnings from operations were $8.7 billion, including the impact of about $300 million in "unfavorable cyberattack effects," the Minneapolis, Minnesota-based company said. But that's still up from $8.5 billion in earnings reported in the same quarter in 2023.
Nonetheless, the company said it adjusted its net earnings outlook for the 2024 fiscal year to $27.50 to $27.75 per share, which is down slightly from the top-end of the $27.50 to $28.00 range projected nearly a year ago.
That adjustment reflects an estimated 75 cents per share of business disruption impacts for the affected Change Healthcare services, which have risen about 10 cents per share versus what was estimated last quarter, the company said.
Business disruptions related to the cyberattack cost UHG about $134 million in the third-quarter and about $747 million in the nine-month period ending Sept. 30.
Total direct response costs related to the cyberattack were $341 million in the third-quarter, and $1.7 billion in the nine-month period.
For the fiscal 2024 year ending Dec. 31, UHG is now estimating the total financial impact of the cyberattack to be $2.87 billion, or about $370 million higher than projected in July.
"Business disruption largely encompasses the loss of revenues combined with the cost of keeping these capabilities fully ready to serve," said John Rex, UHG president and CFO during the call with Wall Street analysts.
"These effects are not excluded from adjusted earnings. We continue to work with customers to bring transaction volumes back to pre-event levels and to win new business with our now more modern, secure and capable offerings," he said.
Change Healthcare continues to work on restoring all IT services affected by the incident, and the company is still aiming to bring back all clients who disconnected and found alternative vendors during the disruption.
"From a reconnection perspective, customers are coming back," Connor said.
"We're actually making good progress there. What we're seeing is the volume that's coming back isn't coming back to the pre-attack levels," Connor told financial analysts. "Customers are really looking for vendor redundancy, what they're out there looking for is in another one or two sources of their software systems," he said.
"Now we understand that. We think that's a good thing for the health system, but that is having an impact on us this year," he said. "But that also creates an opportunity for us. We've got an opportunity to go out and get new customers or sales and become an additional supplier for them," Connor said.
UHG expects to "build back the business to pre-attack levels over the course of '25 and estimate next year's full-year impact will be roughly half of the '24 level," Rex said.
During the height of the response phases of the cyberattack, UHG provided more than $8.9 billion in temporary financial assistance to entities affected by disruptions in claims processing and payments. So far those providers have repaid about $3.2 billion of the loans.
As UHG continues to work in bringing back customers that disengaged during the long attack recovery - as well as win new clients, the company also plans to optimize some of the new IT that replaced its previous environment - and to innovate, including through artificial intelligence.
"That's where we can help and provide their solutions. That's where I'm actually most excited - what we're going to do in innovation and what we're doing in innovation to accelerate currently, because we're building off that new modernized tech environment that we've built this year," Connor said.
"And we're using AI to not only transform the functionality of our current products, like payment integrity revenue cycle, but to create these differentiated products and creating this exciting portfolio of AI-driven innovations."
Change Healthcare's ransomware attack in February disrupted business and clinical-related operations of thousands of healthcare entities across the U.S. The incident appears to have begun on Feb. 17 when attackers accessed a Citrix remote access service that the company failed to protect using multifactor authentication (see: Multifactor Authentication Shouldn't Be Optional).
UHG admitted paying a $22 million ransom to the Russian-speaking ransomware group Alphv - aka BlackCat - after it claimed to have stolen 6 terabytes of the company's data (see: UnitedHealth CEO: Paying Ransom Was Hardest Decision Ever).
BlackCat's operators subsequently shut down their group and kept all of the money, rather than sharing the ransom with the affiliate who hacked Change. In response, the affiliate appears to have taken the data to another ransomware-as-a-service group, RansomHub, and demanded a fresh ransom from Change. Whether UHG also acceded to the second ransom demand isn't clear.
Change Healthcare reported the hacking incident to federal regulators in July as a HIPAA breach affecting 500 individuals - a placeholder estimate (see: Why Did Change Health Lowball its 1st Breach Report to Feds?).
UHG CEO Andrew Witty had testified in May before two Congressional committees that the incident actually potentially affected about one-third of the U.S. population. That could mean that up to 100 million individuals are affected (see: Lawmakers Grill UnitedHealth CEO on Change Healthcare Attack).
But as of Wednesday, the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website still lists the Change Healthcare breach as affecting only 500 people.
UHG in a statement to Information Security Media Group said it is still investigating the incident.
"We continue to notify potentially impacted individuals as quickly as possible, on a rolling basis, given the volume and complexity of the data involved and the investigation is still in its final stages," UHG said.
"More than 90% of the affected files have been reviewed. We are committed to notifying potentially impacted individuals as quickly as possible and immediately provided support and protections to people concerned about their data potentially being impacted," UHG said.
Change Healthcare also continues to update the status of the event and is in regular communication with HHS' Office for Civil Rights and other regulators regarding the breach notification process. As part of its incident response, UHG offered to handle breach notification duties for affected clients.
UHG did not immediately respond to ISMG's request for an updated estimate about how many individuals were actually affected, or the number of clients that took UHG up on the offer to handle breach reporting.