United Healthcare’s Change Healthcare unit has reportedly paid $22 million to recover data and regain access to systems, according to the latest news updates.
The cryptocurrency transaction was visible on Bitcoin’s blockchain and suggests that the company, the victim of what now ranks as one of the worst ransomware attacks in years, paid the ransom to ALPHV, also known as BlackCat. The cyberattack, which began February 21, caused widespread outages, disrupting critical healthcare operations nationwide. The ransom was one of the largest in the history of ransomware, according to cybersecurity experts.
“On Feb. 21, 2024, we discovered a threat actor gained access to one of our Change Healthcare environments,” Change Healthcare officials said. “Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact.”
Many hospitals, such as the Minnesota Hospital Association, said the ongoing systems outage means many hospitals can’t get their claims for payment processed by health insurers or estimate costs for patients. Smaller mental health providers said they couldn’t submit claims, causing delays that could impede their ability to make payroll.
The ransomware attack against Change Healthcare, which is responsible for processing half of all medical claims in the U.S., has been one of the most disruptive in years. It also crippled pharmacies nationwide, including those in hospitals, leading to delays in the delivery of prescription drugs. Many consumers were forced to pay cash for their prescription drugs as the outage affected payment processes.
UnitedHealth Group Chief Operating Officer Dirk McMahon said during a conference call with hospital cybersecurity officials that the company is setting up a loan program to help providers who can’t submit insurance claims while Change is offline. The program will last for at least a few weeks while systems are down.
The cyberattack and system outage at Change Healthcare have caught the attention of federal law enforcement agencies. The FBI, the Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services participated in a call in late February with executives from UnitedHealth, the American Hospital Association, and the Health Information Sharing and Analysis Center, which is a group of hospitals, insurers, and other health care companies that share information on cyber threats.
The outage is costing some health care providers over $100 million a day, according to an estimate from digital health risk assurance firm First Health Advisory.
American Hospital Association President and CEO Rick Pollack called the cyberattack “the most serious incident of its kind leveled against a U.S. health care organization.”