Change Healthcare cyberattack updates detail massive impact, costs

The personally identifiable information and protected health information for “a substantial proportion of people in America” might have been among the compromised files, UnitedHealth said Monday in a press release announcing preliminary findings from its investigation.

Change Healthcare, a unit within UnitedHealth’s Optum, processes 15 billion financial and other transactions annually for doctors, hospitals, pharmacies, and other health entities in the United States. The cyberattack in February slowed health claims processing to a crawl nationwide, which has meant long delays in payment for many providers, including those relying on federal Medicare payments.

Some of the hacked data was stolen by ransomware group ALPHV, and the company was rumored to have paid $22 million for it to be released. Data is apparently still not back with UnitedHealth because another group, RansomHub, is demanding payment from the company, according to a report from Wired.

The cyberattack cost UnitedHealth $872 million in the first quarter, the company reported last week in its Q1 results. It expects to spend up to $1.6 billion by year’s end. The company has so far provided more than $6 billion in no-interest loans to providers and customers impacted.

The company has not yet issued an official breach notification. The Department of Health and Human Services’ Office for Civil Rights is investigating whether Change Healthcare violated the breach notification requirements of the Health Insurance Portability and Accountability Act.

UnitedHealth said it will take several more months to analyze the impact of the cyberattack before it will start notifying impacted companies and individuals. The company will contact stakeholders “when there is sufficient information for notifications,” it said.

The U.S. House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations doesn’t want to wait for answers: It summoned UnitedHealth Chief Executive Andrew Witty to testify May 1.

“Americans are still dealing with the fallout of the Change Healthcare hack. Individuals and smaller providers, in particular, have struggled financially following the cyberattack, threatening critical access for patients,” said Reps. Cathy McMorris Rodgers (R-Wash.) and Morgan Griffith (R-Va.) in a press release.

UnitedHealth characterized the claims processing crisis as nearly resolved and said medical claims are being processed at “near-normal levels” as a result of systems coming back online and providers using alternative methods of submitting claims.

But the American Medical Association said Monday that the attack was still “disrupting healthcare and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the healthcare industry.”

“The core story at UnitedHealth Group remains our colleagues delivering improved experiences for the people we serve and driving balanced growth even while swiftly and effectively addressing the attack on Change Healthcare,” said Witty in the company’s Q1 results.