UnitedHealth Group Inc. headquarters stands in Minnetonka, Minnesota, U.S.
Mike Bradley | Bloomberg | Getty Images
UnitedHealth Group said Monday that it’s paid out more than $2 billion to help health-care providers who have been affected by the cyberattack on subsidiary Change Healthcare.
“We continue to make significant progress in restoring the services impacted by this cyberattack,” UnitedHealth CEO Andrew Witty said in a press release. “We know this has been an enormous challenge for health care providers and we encourage any in need to contact us.”
UnitedHealth disclosed nearly a month ago that a cyber threat actor breached part Change Healthcare’s information technology network. The fallout has wreaked havoc across the U.S. health-care system. Change Healthcare offers e-prescription software and tools for payment management, so the interruptions left many providers temporarily unable to fill medications or get reimbursed for their services by insurers.
UnitedHealth said on Monday that it began releasing medical claims preparation software, which will be available to thousands of customers in the next several days. The company called it “an important step in the resumption of services.”
On Friday, UnitedHealth said it restored Change Healthcare’s electronic payments platform, after rebooting 99% of its pharmacy network services earlier this month. It also introduced a temporary funding assistance program to help health-care providers experiencing cash flow trouble because of the attack.
UnitedHealth said the advances will not need to be repaid until claims flows return to normal. Federal agencies like the Centers for Medicare & Medicaid Services have introduced additional options to ensure that states and other stakeholders can make interim payments to providers, according to a release.
The Biden administration announced Wednesday that it has launched an investigation into the company due to the “unprecedented magnitude of the cyberattack.”
The U.S. Department of Health and Human Services’ Office for Civil Rights is carrying out the inquiry. The OCR enforces the Health Insurance Portability and Accountability Act’s security, privacy and breach notification rules, which most health plans, providers and clearinghouses are required to follow to protect health information.
UnitedHealth hasn’t disclosed what kind of data was compromised in the attack, or whether it cooperated with the cyber threat actor in order to restore systems. The company said it’s been working closely with law enforcement and third parties like Palo Alto Networks and Google Cloud’s Mandiant to assess the breach.