May 8, 2024 By Jonathan Reed 3 min read

The impact of the recent Change Healthcare cyberattack is unprecedented — and so are the costs. Rick Pollack, President and CEO of the American Hospital Association, stated, “The Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. healthcare system in history.”

In a recent earnings call, UnitedHealth Group, the parent company of Change Healthcare, speculated on the overall data breach costs. When all is said and done, the total tally may reach $1 billion or more.

Change Healthcare hacked

In late February, the ALPHV/BlackCat ransomware gang claimed responsibility for hacking Change Healthcare. The intruders disrupted operations and exfiltrated up to 4TB of data, including personal information, payment details, insurance records and other sensitive information. This led to a non-verified ransomware payment of $22 million.

Change Healthcare plays a central role in 15 billion transactions and $1.5 trillion in healthcare claims annually. After the attack, the company had to shut down key operations, and getting systems fully back online has been difficult.

Immense cost of data breach

The Change Healthcare cyberattack places the survival of many healthcare practices at risk due to delays in patient care and reimbursement. The incident has led to massive repercussions across the U.S. healthcare industry.

“The cyber impacts in the quarter totaled about $870 million,” said John Rex, President and Chief Financial Officer of UnitedHealth Group at the recent earnings call.

“Of the $870 million, about $595 million were direct costs due to the clearinghouse platform restoration and other response efforts, including medical expenses directly relating to the temporary suspension of some care management activities. For the full year, we estimate these direct costs at $1 billion to $1.15 billion,” Rex continued.

Explore the Threat Intelligence Index report

Ripple effect

Part of the costs of the Change Healthcare incident include a payout of more than $2 billion to help healthcare providers who have been affected by the cyberattack. However, this may not be enough to help some practices reeling from the impact.

A survey conducted by the American Medical Association (AMA) showed the extent of the damage. In percentage of surveyed practices affected:

  • 36% have seen claims payments suspended
  • 32% have not been able to submit claims
  • 77% of respondents said they experienced service disruptions
  • 80% of providers said they lost revenue from unpaid claims
  • 78% lost revenue from claims that they have been unable to submit
  • 55% have used personal funds to cover expenses incurred as a result of the attack

In the survey, some practitioners shared their pain in words, in comments such as “This cyberattack is leading me to bankruptcy, and I am just about out of cash.” Other respondents said, “This crippled our brand new practice. I am keeping the lights on using personal funds.” Another practitioner said that the incident may bankrupt their “practice of 50 years” in a rural community.

Heavy legal burden

While not specifically mentioned in the UnitedHealth Group earnings call, the legal fees associated with the hack will be steep. To soften the blow, Change Healthcare wants to consolidate 24 class-action lawsuits, according to a recent court filing.

The UnitedHealth Group subsidiary asked a judicial panel to combine the suits and centralize them in the federal U.S. District Court for the Middle District of Tennessee — where Change Healthcare is headquartered. The company argues that the cases share factual and legal claims and that consolidating would preserve court resources.

Where will the pain end?

If the first hack wasn’t bad enough, fresh reports have surfaced that Change Healthcare is being extorted again by another group called RansomHub. Multi-phase extortion ransomware attacks like this are all too common as intruders attempt to double down on their demands.

In this case, the second extortion appears to be an ALPHV affiliate that likely participated in a Ransomware-as-a-Service type of scheme where multiple actors participate in the attack. Leaked screenshots appear to show Change Healthcare data and files, including patient data. The group states it will sell the stolen data to the highest bidder if Change Healthcare refuses to negotiate payment.

It’s not clear if this second extortion attempt was included in the cost analysis. Either way, the Change Healthcare attack will go down in history as one of the most costly data breaches ever. As Congress members wrote, “The breach of Change was tantamount to targeting the health care system in its entirety.”

More from News

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today