The Russian cybercriminals who targeted a UnitedHealth Group-owned company in February did not leave empty-handed.
"A ransom was paid as part of the company's commitment to do everything possible to protect patient data from disclosure," a spokesperson for UnitedHealth Group stated earlier this week.
The spokesperson did not reveal how much the healthcare giant paid following the cyberattack, which halted operations at hospitals and pharmacies for more than a week. Multiple media outlets claimed that UnitedHealth paid $22 million in bitcoin.
"We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it," UnitedHealth CEO Andrew Witty said in a statement Monday.
UnitedHealth attributed the intrusion to the Russian ransomware gang ALPHV, also known as BlackCat. The group claimed responsibility for the attack, stating that it took more than six terabytes of data, including "sensitive" medical records, from Change Healthcare, which handles health insurance claims for patients who visit hospitals, medical centres, or pharmacies.
The attack's scale—Change Healthcare performs 15 billion transactions every year, according to the American Hospital Association—meant that even people who were not UnitedHealth clients could have been affected. The attack has already cost UnitedHealth Group almost $900 million, company officials said in reporting first-quarter earnings last week.
Ransomware attacks, which involve disabling a target's computer systems, are becoming more widespread in the healthcare industry. In 2022, a study published in JAMA Health Forum found that the yearly frequency of ransomware attacks against hospitals and other providers increased.
It was "straight out an attack on the U.S. health system and designed to create maximum damage," Witty told analysts during an earnings call last week, referring to the Change Healthcare incident. According to UnitedHealth's earnings report, the cyberattack is ultimately estimated to cost the organisation between $1.3 billion and $1.6 billion this year.