UnitedHealth Group has disbursed an additional $1 billion to providers affected by the Change Healthcare cyberattack since last week, totaling over $3.3 billion in advanced funds, the company announced on Wednesday.
UnitedHealth, the owner of Change Healthcare, uncovered in February that a cyber threat actor had infiltrated a portion of the unit’s IT network. Change Healthcare handles over 15 billion billing transactions annually, with 1 in every 3 patient records passing through its systems, as per its website.
Upon detecting the threat, the company promptly disconnected the impacted systems, as stated in a filing with the Securities and Exchange Commission. This led to temporary disruptions for many healthcare providers, preventing them from filling prescriptions or receiving reimbursement from insurers.
The aftermath has had significant implications as many providers heavily rely on reimbursement cash flow to sustain operations. Smaller and mid-sized practices disclosed to CNBC that they were facing tough decisions to stay operational.
A recent survey by the American Hospital Association revealed that 94% of hospitals encountered financial disruptions due to the cyberattack.
UnitedHealth initiated its temporary funding assistance program to aid providers in need, totaling $3.3 billion in advances that won’t require repayment until claims return to normal. Additional options introduced by federal agencies like the Centers for Medicare & Medicaid Services aim to facilitate interim payments to providers, as stated in a release.
In recent weeks, UnitedHealth has been focused on restoring Change Healthcare’s systems, with ongoing disruptions expected into April. Processing of a backlog exceeding $14 billion in claims commenced on Friday, with claims now beginning to flow, as announced on Wednesday.
Shares of UnitedHealth have declined by over 6% since the disclosure of the attack.
Last month, the company attributed the attack to the ransomware group Blackcat, also known as Noberus and ALPHV, which engages in data theft and extortion, according to a December release from the U.S. Department of Justice.
On Wednesday, the Department of State announced a reward of up to $10 million for information leading to the identification or location of cyber actors associated with Blackcat.
UnitedHealth stated on Wednesday that “still determining the content of the data that was taken by the threat actor.” The company a ” leading vendor” is collaborating with law enforcement and third-party entities such as Palo Alto Networks and Google’s Mandiant to evaluate the attack.
“We continue to be vigilant, and to date have not seen evidence of any data having been published on the web,” stated UnitedHealth. “And we are committed to providing appropriate support to people whose data is found to have been compromised.”
Representative Jamie Raskin, D-Md., the ranking member of the House Committee on Oversight and Accountability, penned a letter to UnitedHealth CEO Andrew Witty on Monday, seeking details regarding the “scale and breadth” of the breach.
Raskin inquired with Witty regarding the timeline of Change Healthcare’s notification to its clientele about the breach, the specific systems and data that were targeted, and the cybersecurity protocols in place. The committee requested written replies by April 8.
“Given your company’s dominant position in the nation’s health care and health insurance industry, Change Healthcare’s prolonged outage as a result of the cyberattack has already had ‘significant and far-reaching’ consequences,” wrote Raskin.
Moreover, earlier this month, the Biden administration initiated an inquiry into UnitedHealth due to the “unprecedented magnitude of the cyberattack,” as per a statement.
