UnitedHealth Group, the Minnesota-based health insurance giant, recently announced its second quarter results, revealing a stark financial impact from the cyberattack on Change Healthcare. The company now estimates the total cost of the breach to be between $2.3 billion and $2.45 billion in 2024. This figure is a significant increase of $1 billion from earlier projections, highlighting the far-reaching consequences of cyber incidents on large enterprises.
Change Healthcare, a key player in healthcare technology and a subsidiary of UnitedHealth Group, fell victim to a cyberattack that compromised sensitive data and disrupted operations. The breach, which came to light in early 2024, involved sophisticated hacking techniques that targeted the company's extensive database and infrastructure.
The attack not only exposed critical patient information but also impacted the operational capabilities of healthcare providers relying on Change Healthcare's services. The breach's scale and complexity have made it one of the most significant cyber incidents in the healthcare sector in recent years.
"The Change Healthcare breach is a watershed event, in my opinion. Acquiring a payments gateway like Change was a smart move by Cigna—in the 'old days' of just a few years ago! But in the current environment of supply chain and third-party risk, this small corner of UHG's total portfolio represented an outsized risk for them," said Glenn Kapetansky, Senior Principal and Chief Security Officer at Trexin. "Even the current $2+B estimate doesn't account for civil lawsuits from smaller providers who had to downsize or go out of business because they could not meet payroll. Going forward, the cyber/privacy risk of acquisitions will be weighted much more heavily, and first-year acquisition costs will increase to account for risk remediation."
The updated cost estimate of $2.3 to $2.45 billion—the total full-year 2024 impact is estimated at $1.90 to $2.05 per share—includes a range of direct and indirect expenses related to the cyberattack, according to a UHG press release:
- Data Breach Response and Mitigation: Immediate costs associated with identifying and responding to the breach, including hiring cybersecurity experts, conducting forensic investigations, and implementing remediation measures.
- Operational Disruptions: Costs incurred from the temporary shutdown of services, loss of productivity, and delays in processing healthcare transactions.
- Regulatory Fines and Legal Fees: Potential fines from regulatory bodies for non-compliance with data protection laws, as well as legal fees arising from lawsuits and settlements.
- Customer Compensation and Support: Expenses related to notifying affected individuals, providing credit monitoring services, and compensating customers for any damages incurred.
- Reputational Damage: Though harder to quantify, the long-term impact on UnitedHealth Group's reputation could lead to lost business opportunities and decreased customer trust.
"The Change Healthcare breach is a painful reminder that attackers aren't breaking into our most sensitive systems as much as they are logging in," said Rom Carmel, Co-Founder and CEO at Apono. "The public has grown to expect that the companies that hold their most sensitive information will take key steps to make it difficult to access this data. Unfortunately, we saw the results of the failure to implement basic security protections, with the impacted servers failing to have MFA enabled and open-ended access available for the attackers to abuse."
Several factors have contributed to the revised cost estimate, underscoring the dynamic and escalating nature of cyberattack repercussions, including: the complexity of the breach necessitated prolonged remediation efforts, increasing costs beyond initial projections; further investigations revealed that more data was compromised than initially thought, amplifying the scope of the breach and associated costs; as regulatory bodies intensify their investigations, additional fines and compliance costs have emerged; and the discovery of more extensive damages has led to higher than anticipated legal fees and settlements.
[RELATED: Healthcare Hack: UnitedHealth Pays Ransom, Reports $872M in Losses]
The financial toll of the Change Healthcare cyberattack serves as a stark reminder of the vulnerabilities and risks within the healthcare sector. As healthcare organizations increasingly rely on digital technologies, the potential for cyber incidents grows, necessitating robust security measures and incident response strategies.
"It is unfortunate that it has come to a situation that shareholders will bear the impact of a lack of investment in cyber defense or breach readiness by the leadership," said Agnidipta Sarkar, Vice President, CISO Advisory, at ColorTokens. "It is no secret that setting up a tech stack of cybersecurity products does not help combat cyberattacks. You have to stop lateral movement. That is the last line of defense, and this is best done by microsegmentation. Microsegmentation is not new. It has all the bells and whistles to ensure Maximum Digital Operations, even when cyberattacks make initial access, by isolating digital business and disrupting cyberattacks."
UnitedHealth Group's revised cost estimates for the Change Healthcare attack highlight the profound and multifaceted impact of cyber incidents.
"The Change Healthcare cyberattack is a stark reminder of the catastrophic impact a single breach can have on the entire healthcare ecosystem. This incident goes beyond just one company; it's affecting patient care, disrupting critical healthcare operations, and causing financial strain across the industry," said Guy Rosenthal, Vice President, Product, at DoControl. "What's particularly alarming is how the attackers gained access—through stolen credentials and a remote access tool lacking multi-factor authentication. This underscores a critical point we've been emphasizing at DoControl: robust access controls and continuous monitoring of user activities are absolutely essential in today's threat landscape."
"The $22 million ransom payment, while a fraction of the estimated $1.35 to $1.6 billion total impact for 2024, highlights the immense pressure companies face when critical systems are compromised," Rosenthal said. "It's a difficult decision that balances immediate operational needs against the broader implications of incentivizing future attacks. This breach also exposes the vulnerability of our interconnected healthcare system. When a company processing 50% of all medical claims in the U.S. goes down, the ripple effects are enormous. It's not just about protecting your own systems anymore; you need to consider your entire supply chain and partner ecosystem."
[RELATED: What's the Prescription for Cyber Resilience in Healthcare?]
