Losses from Change Healthcare Ransomware Attack Approach $3B

Date: October 17, 2024

UnitedHealth Group (UHG) has revised its estimate of the costs related to the cyberattack on its Change Healthcare IT services, raising the figure to nearly $2.9 billion for fiscal year 2024.  

Initially, the company projected $2.5 billion in damages by July, but the updated figure accounts for additional recovery and operational expenses. As of the third quarter of 2024, UHG has already incurred $2.5 billion in costs from the attack.

Despite the financial hit, UHG reported progress in restoring Change Healthcare’s IT systems and emphasized efforts to regain disrupted customers.  

"We're not only trying to bring volume back into our current customers. We're also working to bring new clients in," Roger Connor, CEO of UHG's Optum Insight division, told Healthcare InfoSecurity.

He noted that the improved security systems are resonating with clients, although the return to pre-attack transaction volumes is still a work in progress. "Customers are really looking for vendor redundancy," Connor added, reflecting a growing trend toward risk mitigation.

The cyberattack, which occurred in February, affected thousands of healthcare entities across the U.S., disrupting both business and clinical operations. The attackers exploited a vulnerability in Citrix remote access services that lacked multifactor authentication, leading to a ransomware attack by the BlackCat group.  

UHG admitted to paying a $22 million ransom, but complications arose when BlackCat dissolved, and a second ransom demand emerged from a new group. UHG has been working to rebuild its customer base while also optimizing its IT infrastructure, integrating artificial intelligence into its new systems.  

"That's where we can help and provide their solutions… we're building off that new modernized tech environment," Connor stated, expressing optimism about the company's future.

As for the scope of the data breach, UHG continues to investigate, but the true number of affected individuals remains uncertain. Although the company initially reported a low figure of 500, UHG CEO Andrew Witty testified that up to 100 million individuals could have been impacted.

Takeaway: The financial toll of ransomware recovery is often staggering, as demonstrated by the Change Healthcare attack. Estimating the true damage beyond the direct costs is even more difficult.

Long-term impacts, such as brand reputation damage or future losses from lawsuits and regulatory fines, often go unaccounted for in initial estimates. These additional costs can include everything from incident response and remediation efforts to lost revenue and downtime caused by crippled systems.

Ransomware attacks don't just lock down a company’s data—they also steal it. Once attackers gain access, they frequently export sensitive information and threaten to release it unless demands are met.  

This type of exposure can have severe regulatory consequences for organizations, leading to lawsuits and heavy fines. Moreover, highly valuable data, such as information on corporate transactions or patents, can end up in the hands of cybercriminals, who sell it on dark web forums to the highest bidder.

The average cost of responding to a ransomware attack is now well over $5 million. For larger corporations, such costs are manageable, but for smaller organizations, these figures can represent an existential threat, potentially forcing them out of business entirely.

What makes the situation worse is that the actual financial damage from ransomware attacks often goes far beyond the immediate response and recovery. Paying the ransom is just one piece of the puzzle.  

Long-term damage to a company’s reputation, eroded consumer trust, rising cyber insurance premiums, mounting legal fees, and lost revenue from prolonged downtime can dwarf the initial remediation expenses. This underscores the importance of focusing not only on response but on prevention and resilience.

Ransomware, unfortunately, is big business, and the costs of these attacks don’t just affect the targeted companies. The financial burden is passed down to consumers, businesses, and even government entities, creating a drag on the wider economy.  

Organizations that want to avoid becoming victims of cyber extortion need to ensure they aren’t seen as easy targets. Attackers are increasingly exploiting unpatched vulnerabilities and system misconfigurations, automating aspects of their attacks to hit more victims at a faster rate.  

Recent examples, such as the exploitation of vulnerabilities in MOVEit, GoAnywhere, and Citrix Bleed, show how preventable many ransomware incidents could be. While preventing attacks outright may not always be possible, companies can take steps to make these attacks unsuccessful.

It’s critical for business leaders to grasp the full scope of disruption that ransomware can cause and to take proactive measures to mitigate the risks before their organizations fall victim. The only way to curb the growth of ransomware as an industry is to make it unprofitable for attackers—something we are still far from achieving.

Halcyon.ai eliminates the business impact of ransomware, drastically reduces downtime, prevents data exfiltration, and enables organizations to quickly and easily recover from attacks without paying ransoms or relying on backups – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.