UnitedHealth Group The company said Wednesday that it has paid an additional $1 billion to providers affected by the Change Healthcare cyberattack since last week, bringing the total amount of funds provided to more than $3.3 billion.
UnitedHealth, which owns Change Healthcare, discovered in February that a cyber threat actor had compromised part of the unit's IT network. Change Healthcare processes more than 15 billion billing transactions annually, and 1 in 3 patient records pass through its systems, according to its website.
The company disconnected the affected systems “immediately upon discovery” of the threat, according to its filing with the Securities and Exchange Commission. These outages left many health care providers temporarily unable to fill prescriptions or get reimbursed for their services by insurance companies.
Many healthcare providers rely on cash flow for reimbursement to operate, so the repercussions have been significant. Small and medium-sized practices told CNBC they are making difficult decisions about how to stay afloat. A survey published by the American Hospital Association earlier this month found that 94% of hospitals experienced financial disruption due to the attack.
As a result, UnitedHealth introduced its Temporary Financial Assistance Program to assist providers who need support. The company said the $3.3 billion advance will not need to be repaid until claims flows return to normal. Federal agencies such as the Centers for Medicare and Medicaid Services have provided additional options to ensure states and other stakeholders can provide temporary payments to providers, according to the release.
UnitedHealth has been working to restore Change Healthcare's systems in recent weeks, and expects some disruption to continue into April, according to its website. The company began processing a backlog of more than $14 billion in claims on Friday, and said on Wednesday: “Claims are starting to trickle in.”
UnitedHealth shares have fallen more than 6% since the attack was disclosed.
Late last month, the company said the Blackcat ransomware group was behind the attack. Blackcat, also known as Noberus and ALPHV, steals sensitive data from organizations and threatens to release it unless a ransom is paid, according to a statement issued by the US Department of Justice in December.
The State Department announced Wednesday that it is offering a reward of up to $10 million for information that could help identify or identify cyber actors associated with Blackcat.
UnitedHealth said Wednesday that it is “still determining the content of the data taken by the threat actor.” The company said the “leading supplier” is analyzing the affected data. United Health is working closely with law enforcement and third parties such as Palo Alto Networks and Google's Mandiant to evaluate the attack.
“We continue to remain vigilant, and to date we have not seen evidence of any data being posted on the web,” UnitedHealth said. “We are committed to providing appropriate support to people whose data has been found to have been compromised.”
Rep. Jamie Raskin, D-Md., the ranking member on the House Oversight and Accountability Committee, wrote a letter to UnitedHealth CEO Andrew Witty on Monday requesting information about the “scope and extent” of the breach.
Raskin asked Witty for information about when Change Healthcare notified its customers about the breach, what specific infrastructure and information was targeted, and what cybersecurity measures the company had in place. The committee requested written responses “no later than” April 8.
“Given your company’s dominant position in the nation’s healthcare and health insurance industry, Change Healthcare’s prolonged outage as a result of the cyberattack already had ‘significant and far-reaching’ consequences,” Raskin wrote.
The Biden administration also began an investigation into UnitedHealth earlier this month due to the “unprecedented scale of the cyberattack,” according to a statement.