2024-04-16
Change Healthcare Breach Costs
Change Healthcare parent company UnitedHealth has estimated the costs associated with the ransomware attack to be $872 million. In addition, UnitedHealth provided $6 billion in advance funding and no-interest loans to providers whose operations were disrupted by the breach. Meanwhile, the US House of Representatives Energy and Commerce Committee's Health Subcommittee held a hearing to discuss the circumstances that contributed to the Change Healthcare cyberattack and to examine the attack's effect on the healthcare sector.
Editor's Note
Not to excuse Change Healthcare's failure to maintain essential security hygiene levels, but the UnitedHealth quarterly report points out that the $872 million charge for bad security decisions is dwarfed by the $7B charge against earnings due to losses on sale of their Brazilian operations and currency losses. The key to getting buy-in for change is not just pointing out incident costs, it is showing how low the cost of avoiding incidents can be.
John Pescatore
Two concerns for Change Healthcare: 1) the estimate is likely low given the probability of pending lawsuits; and 2) potential regulatory action given vendor consolidation that results in single points of failure in this critical infrastructure sector. Both concerns should be addressed by the board.
Curtis Dukes
After tireless work for a decade on grappling with cybersecurity issues in healthcare, it just turns out that if you have billions of dollars in losses in healthcare, people start to pay attention. Who knew that ransomware would force the issue such that your MRI machine running Windows XP is no longer acceptable?
Moses Frost
Read more in
UnitedHealth Group: UnitedHealth Group Reports First Quarter 2024 Results (PDF)
The Register: Change Healthcare's ransomware attack costs edge toward $1B so far
Gov Infosecurity: Congress Asks What Went Wrong in Change Healthcare Attack