UnitedHealth cyber costs top $2 billion

UnitedHealth said the Change Healthcare cyberattack has now cost more than $2 billion, even as the company says its core business stayed profitable. (unitedhealthgroup.com) The company disclosed the higher tally with its second-quarter 2024 results on July 16, 2024, after putting first-quarter cyberattack effects at $872 million three months earlier. UnitedHealth also said it had provided more than $9 billion in advance funding and interest-free loans to providers hit by the outage. (unitedhealthgroup.com) The attack hit Change Healthcare, the claims-and-payments middleman that moves billing data between doctors, pharmacies, hospitals and insurers. UnitedHealth said on February 21, 2024 that it identified the intrusion, isolated affected systems and began shutting parts of the network to contain it. (sec.gov) That shutdown spread fast through the health system because Change handles a huge share of electronic claims and payment traffic. The Department of Health and Human Services said the incident had an “unprecedented magnitude” and opened investigations into Change Healthcare and UnitedHealth Group. (hhs.gov) UnitedHealth spent the spring restoring pharmacy claims, electronic payments and other clearinghouse functions while doctors and hospitals complained they could not get paid on time. By March 18, the company said it had already advanced more than $2 billion to providers to keep practices operating. (unitedhealthgroup.com) Chief Executive Andrew Witty told the Senate Finance Committee on May 1, 2024 that UnitedHealth paid a ransom after the breach. He also said the attackers got in through a portal that did not have multifactor authentication, an extra login check meant to block stolen-password access. (finance.senate.gov, cnbc.com, cbsnews.com) The privacy fallout kept growing after the systems came back online. In an April 22, 2024 update, UnitedHealth said the stolen files could cover a “substantial proportion” of people in America, and federal health officials later said Change notified them that about 190 million individuals were impacted. (unitedhealthgroup.com, hhs.gov) Even with the cyber costs climbing, UnitedHealth told investors in July 2024 that it was affirming its full-year adjusted earnings outlook. The company’s second-quarter release said revenues rose to $98.9 billion and earnings from operations reached $7.9 billion. (unitedhealthgroup.com) The result is a split picture: a cyberattack that disrupted payments across U.S. healthcare, and a parent company still generating billions in operating profit. UnitedHealth’s own filings show the bills for the breach kept rising long after the first systems were restored. (unitedhealthgroup.com, sec.gov)