UnitedHealth Expects Up To $1.6B Hit From Change Cyberattack This Year

Dive Brief:

• UnitedHealth estimates costs from the Change Healthcare cyberattack could reach $1.6 billion this year, executives said on Tuesday. However, the managed care giant maintained its full-year earnings guidance, suggesting the financial fallout from the attack on the massive claims clearinghouse may be less serious than feared.
• The hit comes from direct response efforts like recovering Change’s clearinghouse platform and paying higher medical costs after its insurance arm suspended some utilization management processes, in addition to the loss of Change’s revenue.
• In the first quarter alone, the cyberattack cost UnitedHealth $872 million, according to financial results posted Tuesday.

Dive Insight:

Change, UnitedHealth’s massive claims processing clearinghouse, was hit with a ransomware attack in February, halting reimbursement to providers across the U.S. after the company shut down its IT systems.

Along with the damage to providers — many of which weren’t paid for their services for weeks, until UnitedHealth stood up a loan program amid intense public, legal and governmental pressure — the healthcare industry is now getting a clearer sense of the financial fallout for UnitedHealth.

Optum, Change’s parent division, reported a hit from the attack of $642 million in the quarter through a combination of reduced revenue and the costs of responding. UnitedHealthcare, UnitedHealth’s insurance division, reported an additional $230 million in costs.

Change has been focusing on system restoration. Currently, its pharmacy claims and payment has up to 80% functionality, said Roger Connor, CEO of Optum Insight, during a Tuesday morning call with investors.

A number of other products will come back online in the next few weeks, and next step is working with payers and providers to reconnect them to the network, according to Connor.

Most of Change’s operations have been resumed, but the company shouldn’t get back to full “expected service levels” until next year, UnitedHealth CFO John Rex said on the call.

The attack also increased medical costs for UnitedHealthcare, given the insurer suspended some care management processes in March following the attack. Those included reviewing whether a patient qualifies for inpatient care and some outpatient prior authorizations, UnitedHealthcare CEO Brian Thompson said.

The loss of those processes — which were resumed in the past few days — drove up UnitedHealthcare’s medical loss ratio, a marker of how much it’s spending on patient care, to 84.3%. In comparison, UnitedHealthcare’s MLR was 82.2% the same time last year.

UnitedHealthcare’s MLR was also inflated by the company pouring more money into reserves for insurance claims, to provide a buffer for future payouts in light of unclear claims visibility stemming from the cyberattack.

The MLR could have been worse, but it’s unclear whether UnitedHealth adequately covered future payments with its increase to the insurance claims reserves, said Jefferies analyst David Windley in a Tuesday note.

Rex said he thought UnitedHealth’s increase was “prudent,” as medical claims the insurer will have to pay but didn’t receive in the quarter were likely higher than usual due to the disruption from Change.

The attack exacerbated a dogged elevation in payers’ medical spend as more Medicare seniors seek out healthcare following the COVID-19 pandemic. The trend started last year and has continued into 2024, which — along with a stricter regulatory regime — has caused the stock in major Medicare Advantage insurers like UnitedHealth to tumble.

However, UnitedHealthcare’s care patterns were consistent with expectations in the quarter, according to management, as outpatient care remained elevated but higher levels of respiratory needs during the winter months subsided.

Overall, UnitedHealth reported revenue of $99.8 billion in the quarter, up 9% year over year, and a net loss of $1.4 billion in the first quarter. That’s compared to a profit of $5.6 billion same time last year. A major charge from the sale of its Brazil operations also contributed to the loss.

UnitedHealth’s stock rose roughly 5% in morning trade Tuesday, reversing some of its losses since the February cyberattack.

Though CEO Andrew Witty said UnitedHealth was “recovering quickly,” repercussions of the attack are unlikely to stop slamming the healthcare juggernaut anytime soon.

TechCrunch reported on Monday that a ransomware gang has leaked patient data stolen during the Change cyberattack, including sensitive medical information. The information, which was published for the first time since the February breach, was released in a bid to extort payment from UnitedHealth. Change has allegedly already paid $22 million to prevent the data’s release to another hacker group.

UnitedHealth acquired Change for $13 billion in 2022 after beating a Department of Justice challenge to the deal in court.

However, regulators have kept the company in their crosshairs: UnitedHealth is currently under investigation by the DOJ for potential anticompetitive effects, including the relationship between UnitedHealthcare and Optum.