UnitedHealth Group has paid more than $2 billion to providers following cyberattack

UnitedHealth Group said Monday that it’s paid out more than $2 billion to help health-care providers who have been affected by the cyberattack on subsidiary Change Healthcare.

“We continue to make significant progress in restoring the services impacted by this cyberattack,” UnitedHealth CEO Andrew Witty said in a press release. “We know this has been an enormous challenge for health care providers and we encourage any in need to contact us.”

UnitedHealth disclosed nearly a month ago that a cyber threat actor breached part of Change Healthcare’s information technology network. The fallout has wreaked havoc across the U.S. health-care system. Change Healthcare offers e-prescription software and tools for payment management, so the interruptions left many providers temporarily unable to fill medications or get reimbursed for their services by insurers.

UnitedHealth, which provides care for 152 million people, said on Monday that it began releasing medical claims preparation software, which will be available to thousands of customers in the next several days. The company called it “an important step in the resumption of services.”

On Friday, UnitedHealth said it restored Change Healthcare’s electronic payments platform, after rebooting 99% of its pharmacy network services earlier this month. It also introduced a temporary funding assistance program to help health-care providers experiencing cash flow trouble because of the attack.

UnitedHealth said the advances will not need to be repaid until claims flows return to normal. Federal agencies like the Centers for Medicare & Medicaid Services have introduced additional options to ensure that states and other stakeholders can make interim payments to providers, according to a release.

A survey published by the American Hospital Association on Friday found that 94% of hospitals have experienced financial disruptions from the Change Healthcare attack. More than 60% of the 1,000 hospitals surveyed estimated the revenue hit to be around $1 million per day. Responses were collected between March 9 and March 12.

“We continue to call on Congress and the Administration to take additional actions now to support providers as they deal with significant fallout from this historic attack,” AHA CEO Rick Pollack said in the release.

The Biden administration announced Wednesday that it has launched an investigation into the company due to the “unprecedented magnitude of the cyberattack.”

The U.S. Department of Health and Human Services’ Office for Civil Rights is carrying out the inquiry. The OCR enforces the Health Insurance Portability and Accountability Act’s security, privacy and breach notification rules, which most health plans, providers and clearinghouses are required to follow to protect health information.

UnitedHealth hasn’t disclosed what kind of data was compromised in the attack, or whether it cooperated with the cyber threat actor in order to restore systems. The company said it’s been working closely with law enforcement and third parties like Palo Alto Networks and Google Cloud’s Mandiant to assess the breach.