UnitedHealth: $2B Cyber Hit

UnitedHealth said on July 16, 2024 that the Change Healthcare cyberattack would cost it $2.3 billion to $2.45 billion in 2024, even as it posted $4.2 billion in second-quarter profit. (unitedhealthgroup.com) The company reported $98.9 billion in second-quarter revenue and $4.54 in earnings per share. It said cyberattack effects alone cut second-quarter results by $0.92 a share. (unitedhealthgroup.com) UnitedHealth raised its estimate for the full-year hit after adding higher direct response costs, provider support and consumer notification expenses. It said the total 2024 impact had risen to $1.90 to $2.05 a share, with direct response costs of $1.30 to $1.35 a share. (unitedhealthgroup.com) Change Healthcare is not a consumer brand, but it is a central switchboard for the medical payment system. Senate Finance Committee Chair Ron Wyden said in May 2024 that the company processes about 15 billion healthcare transactions a year and touches a third of Americans’ patient records. (finance.senate.gov) That scale turned one ransomware attack into a nationwide cash-flow crisis for hospitals, doctors and pharmacies. The American Hospital Association said the February 2024 outage disrupted care, claims, eligibility checks and provider finances on an “unprecedented national scale.” (aha.org) UnitedHealth said it had restored most affected Change Healthcare services by mid-July 2024 and had provided more than $9 billion in advance funding and interest-free loans to care providers. The company kept its adjusted 2024 earnings outlook at $27.50 to $28.00 a share. (unitedhealthgroup.com) The attack began on February 21, 2024, when UnitedHealth disclosed that a suspected nation-state-associated threat actor had gained access to Change systems. The company said it isolated affected technology systems immediately to contain the intrusion. (sec.gov) Chief executive Andrew Witty told Congress on May 1, 2024 that UnitedHealth later paid a $22 million ransom in Bitcoin. He said patients and providers had suffered real disruption and apologized for the fallout. (cnbc.com) Federal regulators treated the breach as more than an earnings problem. The United States Department of Health and Human Services said its Office for Civil Rights opened investigations into Change Healthcare and UnitedHealth because of the attack’s “unprecedented magnitude” and possible exposure of protected health information. (hhs.gov) The quarter showed how much damage a cyberattack can do without knocking down a giant company’s profits. It also showed how deeply one back-office vendor is woven into the daily plumbing of American healthcare. (unitedhealthgroup.com)