The Russia-based cybercriminals who attacked a UnitedHealth Group-owned company in February did not walk away from the endeavor empty-handed.
“A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure,” a UnitedHealth Group spokesperson confirmed with CBS News late Monday.
The spokesperson did not disclose how much the health giant paid after the cyberattack, which shut down operations at hospitals and pharmacies for more than a week.
Multiple media sources have reported that UnitedHealth paid $22 million in the form of bitcoin.
The scale of the attack — Change Healthcare processes 15 billion transactions a year, according to the American Hospital Association —meant that even patients weren’t customers of UnitedHealth were potentially affected.
The attack has already cost UnitedHealth Group nearly $900 million, company officials said in reporting first-quarter earnings last week.
The Change Healthcare incident was “straight out an attack on the U.S. health system and designed to create maximum damage,” Witty told analysts during an earnings call last week.
Ultimately, the cyberattack is expected to cost UnitedHealth between $1.3 billion and $1.6 billion this year, the company projected in its earnings report.
Cybercriminals with a base in Russia that assaulted a business owned by UnitedHealth Group in February weren’t satisfied with their efforts.
A UnitedHealth Group spokesperson confirmed with CBS News late on Monday that “a ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure.”.
The spokesman withheld the amount that the health giant paid following the cyberattack that caused hospitals and pharmacies to close for over a week. UnitedHealth reportedly paid $22 million in bitcoin, according to numerous media outlets.
UnitedHealth CEO Andrew Witty said in a statement on Monday, “We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it.”.
UnitedHealth attributed the breach to the Russian ransomware group BlackCat, also known as ALPHV. The group took credit for the attack and said it had taken over six terabytes of data from Change Healthcare, which handles health insurance claims for patients who visit clinics, hospitals, and pharmacies. Among the data they allegedly stole were “sensitive” medical records.
The attack was so large that even patients who were not UnitedHealth customers could have been impacted—Change Healthcare, according to the American Hospital Association, processes 15 billion transactions annually. UnitedHealth Group has already lost almost $900 million as a result of the attack, the company reported last week when releasing its first-quarter earnings.
In the health care sector, ransomware attacks—which entail taking down a target’s computer systems—have grown more frequent. A 2022 study published in JAMA Health Forum claims that from 2016 to 2021, the yearly number of ransomware attacks against hospitals and other providers doubled.
“A clear-cut attack on the U.S. government” was the Change Healthcare incident. s. Witty stated to analysts last week during an earnings call that the health system was “designed to create maximum damage.”. According to the company’s earnings report, UnitedHealth anticipates that the cyberattack will ultimately cost it between $1 and $6 billion this year.
