Report: Hackers Claim UnitedHealth Group Paid $22 Million in Ransomware Attack


A post on an online forum popular with cybercriminals reportedly claimed that UnitedHealth Group paid $22 million to the Blackcat ransomware group to recover compromised data and systems of its subsidiary, Change Healthcare.

In addition, a cryptocurrency tracking firm’s analysis suggests that a significant transaction with the cybercriminals took place, Reuters reported Tuesday (March 5).

Approximately 350 bitcoins, worth nearly $23 million, were transferred from one digital wallet, whose owner is unknown, to another one that is believed to be associated with Blackcat, according to the report.

UnitedHealth Group did not immediately reply to PYMNTS’ request for comment.

Asked by Reuters about the post’s claim of a ransom payment, UnitedHealth Group answered that it was “focused on the investigation and the recovery,” per the report.

It is not uncommon for companies targeted in ransomware attacks to pay a ransom to restore access to data and systems, especially when companies’ partners and customers have been impacted by the incident, the report said.

In its most recent update on the incident, posted Monday, Change Healthcare said that it experienced a cybersecurity issue perpetrated by a group claiming to be Blackcat, that the company is working with law enforcement and third-party consultants to address the attack, and that it has “multiple workarounds to ensure people have access to the medications and the care they need.”

“We are working on multiple approaches to restore the impacted environment and continue to be proactive and aggressive with all our systems, and if we suspect any issue with the system, we will immediately take action,” Change Healthcare said in the update. 

UnitedHealth Group posted its first update reporting connectivity issues at Change Healthcare Feb. 21, and then said in a Feb. 22 filing with the Securities and Exchange Commission (SEC) that a “suspected nation-state associated cybersecurity threat actor” gained access to some of Change Healthcare’s IT systems.

Blackcat posted but later removed a claim that it stole millions of records from the company, according to the Reuters report.

The breach has severely disrupted Change Healthcare’s billing services, leading to nationwide concerns among healthcare providers, the report said. The American Medical Association appealed to the Biden administration Monday (March 4) for urgent support for affected physicians.