UnitedHealth Says Change Healthcare Ransomware Attack Cost $872 Million

UnitedHealth Group disclosed in its first-quarter earnings report that the February ransomware attack against subsidiary Change Healthcare cost the company $872 million, with total exposure expected to exceed $1.6 billion before the year is out.

The attack, attributed to the ALPHV/BlackCat ransomware-as-a-service operation, crippled Change Healthcare — the country's largest medical claims clearinghouse, which processes roughly 14 billion transactions annually. Pharmacies across the United States were unable to verify insurance eligibility for days, and some independent practices reported running short on cash to make payroll.

CEO Andrew Witty told the Senate Finance Committee that ALPHV affiliates gained initial access using credentials for a remote-access portal that lacked multi-factor authentication. UnitedHealth confirmed it paid a $22 million ransom — a payment that ALPHV's operators allegedly absconded with, leaving their affiliate empty-handed in what researchers describe as an exit-scam by the ransomware operators.

The stolen data included protected health information for what UnitedHealth estimates to be a "substantial proportion" of Americans — potentially as many as one in three. The company is funding a multi-year notification and credit-monitoring program.

The attack has been described by HHS and CISA as one of the most consequential cyberattacks against U.S. healthcare infrastructure on record, and has accelerated regulatory proposals to mandate baseline security controls — including phishing-resistant MFA — for HIPAA-covered entities.