Tech & Innovation in Healthcare

Plus: Find out if UnitedHealth Group has spoken to Congress.

News of Change Healthcare’s February ransomware attack isn’t slowing down, and the impact of the attack appears to be getting more severe for the healthcare payer. A new ransomware group claims to be in possession of stolen data and has started leaking the information, while lawmakers on Capitol Hill are demanding answers from UnitedHealth Group — with no response.

Tech and Innovation in Healthcare has compiled the latest news on this developing story.

For Sale: Medical Data

The cyberattack is worsening for Change Healthcare. According to WIRED¸ another ransomware group, known as RansomHub, is claiming it has possession of the stolen healthcare and financial data and the group has started selling the information.

Allegedly, the stolen data includes the following, according to screenshots:

• Social Security numbers
• Email addresses
• Medical records
• Dental records
• Insurance information
• Payment claims

Russian-based ALPHV Blackcat claimed credit for the original attack on Change Healthcare on February 21. The ransomware group operates as a ransomware-as-a-service (RaaS), where ALPHV develops the ransomware software and provides it to affiliate threat actors who perform the hacking.

This is where the story takes a turn. According to TechCrunch, an ALPHV affiliate hacked Change Healthcare, but ALPHV Blackcat took the ransom payment and disappeared without paying the affiliate their cut.

RansomHub, another hacking and extortion group, claims to have the stolen data and that ALPHV no longer has the data.

Face the First Quarter Earnings Report

On April 16, UnitedHealth Group announced its 2024 first quarter earnings release. Despite the February 21 ransomware attack, the company revealed “Revenues of $99.8 billion grew nearly $8 billion year over year,” in the earnings release.

Simultaneously, UnitedHealth declared “$872 million in unfavorable cyberattack effects” and a $1.41 billion loss overall, which still beat analysts’ estimates for the insurer’s revenues, according to the earnings report.

UnitedHealth estimates the attack’s cost could eventually reach more than $1.6 billion.

“The company continues to make significant progress in restoring the affected Change Healthcare services while providing financial support to impacted health care providers,” it adds in the release. “To date, the company has provided over $6 billion in advance funding and interest-free loans to support care providers in need.”

Gauge the Attack’s Impact

On April 10, 2024, the AMA released its findings from an informal survey of more than 1,400 individuals of the Federation of Medicine “on the impact of the Change Healthcare cyberattack on physician practices.”

According to the survey, more than one-third of respondents have experienced a pause in payments for medical claims, and 32 percent haven’t been able to even submit claims. As a result, 80 percent of respondents attest to missing revenue from the unpaid claims.

Other significant findings from the survey include:

• 55 percent of respondents used personal funds to cover practice expenses
• 31 percent of respondents have been unable to make payroll

The AMA shared comments from respondents in the findings, such as “This cyberattack is leading me to bankruptcy and I am just about out of cash.”

Answer Lawmakers’ Questions

Even though UnitedHealth Group had a financially successful first quarter, U.S. lawmakers aren’t impressed by the company’s lack of transparency when it comes to the cyberattack. UnitedHealth Group didn’t send a representative to an April 16 House Energy and Commerce Committee hearing on the attack.

At the hearing, lawmakers laid into UnitedHealth for poor cybersecurity preparedness and focused on how anticompetitive practices may have contributed to the disaster. They also issued warnings about future incidents.

“As our health care system becomes more consolidated, the impacts of cyberattacks — if successful — may be more widespread,” stressed Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.) in the hearing.

Lawmakers may yet get answers to their questions about the attack, however.

U.S. Sens. Josh Hawley (R-Mo.) and Richard Blumenthal (D-Conn.) wrote an April 3 letter to UnitedHealth Group CEO Andrew Witty “demanding information regarding the disastrous disruption” and insisting “that UHG proactively advance payments for all claims — not just UHG claims — to providers so they can keep their doors open as you resolve this inexcusably lengthy shutdown of your systems.” The senators requested responses by April 15.