UnitedHealth, the US health insurance giant and parent company of Change HealthCare, paid two ransoms to different cybercriminal groups, BlackCat/ALPHV and RansomHub.

On April 22, 2024, the US health conglomerate UnitedHealth reviewed the ransomware attack that hit its subsidiary, Change HealthCare, at the end of February 2024. The latter handles insurance and billing for hospitals, doctors’ offices and, more importantly, hundreds of thousands of drugstores in the United States. UnitedHealth manages the health coverage of around half of Americans.

The company acknowledges the cyberattack led to large-scale data theft. “Based on initial sampling of targeted data to date, the company found files containing protected health data and personal information pertaining to a substantial percentage of people in the United States,” thus reads the company’s press release. 

UnitedHealth also admitted to paying a 22-million-dollar (20.6-million-euro) ransom to BlackCat/ALPHV, the Russian-speaking ransomware gang behind the attack. The cybercriminal organization ceased operations after pulling off this last stunt. 

However, in mid-April 2024, another ransomware gang, RansomHub, uploaded data samples from the Change HealthCare hack to the dark web. It claimed to be in possession of 4 TB of sensitive data, which it was threatening to sell if a new ransom was not paid. Tyler Mason, spokesperson for UnitedHealth, told TechCrunch that the company had paid the second ransom, of an undisclosed amount. 

UnitedHealth estimates the damage from the attack at 872 million dollars (815 million euros). The group has set aside another 800 million dollars (747 million euros) to deal with further potential fallout from the incident. UnitedHealth posted 99.8 billion dollars (93.2 billion euros) in sales in the first quarter of 2024, for a net profit of 7.9 billion dollars (7.38 billion euros).

The company’s decision to pay two ransoms was widely criticized, as it could signal to cybercriminal groups that the US health sector is ripe for the taking. 

Stay tuned in real time
Subscribe to
the newsletter
By providing your email address you agree to receive the Incyber newsletter and you have read our privacy policy. You can unsubscribe at any time by clicking on the unsubscribe link in all our emails.
Stay tuned in real time
Subscribe to
the newsletter
By providing your email address you agree to receive the Incyber newsletter and you have read our privacy policy. You can unsubscribe at any time by clicking on the unsubscribe link in all our emails.