UnitedHealth Group says cyberattack impact tops $2B, but profits remain strong

UnitedHealth Group says the Change Healthcare cyberattack’s impact is greater than expected, but the company still reported strong profits in the second quarter.

UnitedHealth Group CEO Andrew Witty says the company is seeing strong growth and profits, even after the Change Healthcare cyberattack.

UnitedHealth, Change Healthcare’s parent company, says it expects the impact of the Change Healthcare cyberattack this year could reach $2.3 billion to $2.45 billion. UnitedHealth released its second quarter earnings Tuesday.

The company said UnitedHealth saw $1.1 billion in “unfavorable cyberattack effects” in the second quarter alone.

The Change Healthcare cyberattack has proven to be costly and disruptive to healthcare providers across the country. Nearly all hospitals, physicians and medical groups said they suffered some financial impacts from the attack, because Change Healthcare handles so many business functions for providers, including billing and pharmacy services.

UnitedHealth said it has provided more than $9 billion dollars in loans and advance payments to providers to deal with the attack. UnitedHealth has said a significant portion of Americans may end up being affected by the breach, but the company has not provided a precise number of those who may be impacted.

The company now estimates the full-year impact of the attack will be $1.90 to $2.05 per share.

Within that projection, direct response costs are estimated at $1.30 to $1.35 per share, an uptick of $0.40 to $0.45 from previous estimates, the company says. UnitedHealth pointed to its financial support to providers and consumer notification costs in driving up response costs. Business disruption impacts are projected to be 60 cents to 70 cents per share.

Even with those substantial costs, UnitedHealth reported $98.9 billion in revenue in the second quarter, an increase of nearly $6 billion year over year. The company reported $4.2 billion in profit in the second quarter.

UnitedHealth Group CEO Andrew Witty said during the earnings call that the company "enters the second half of the year with continuing and broad-based growth momentum."

UnitedHealth’s stock price closed at nearly $549 per share Tuesday, an increase of nearly 6.5%.

While UnitedHealth appears to be weathering the financial impact of the Change Healthcare cyberattacks, lawmakers have sharply criticized the company’s approach to cybersecurity.

At a Senate Finance Committee hearing in May, lawmakers blasted Witty for the company’s failure to protect consumers. Witty told lawmakers at the hearing that the attack involved a Change Healthcare server that did not require multi-factor authentication, which many industry analysts describe as a basic step in cybersecurity. Witty said UnitedHealth is working to bolster security.

Sen. Ron Wyden, D-Oregon, the chairman of the Senate Finance Committee, told Witty, “This hack could have been stopped with cybersecurity 101,” Wyden said. The senator has also called for dramatic changes in the federal government’s cybersecurity strategy, calling it “woefully inadequate.”

UnitedHealth paid a ransom of $22 million due to the attack, Witty testified at the hearing, saying the payment was made on his order. UnitedHealth previously identified the “Blackcat” ransomware group as the attacker.

• Read more: Change Healthcare cyberattack: VA notifies 15 million veterans about breach

UnitedHealth said most of its services have been restored since the attack was reported in late February.

“Payment and claims flows for most care providers are back to normal,” John Rex, UnitedHealth Group’s chief financial officer, said on the call. “But we know, that is not the case for some, so we continue to work with those who are not there yet.”

UnitedHealth pointed to strong growth in Optum Rx, its pharmacy benefit manager, which saw a 13% increase in revenue in the second quarter, and Optum Health. Revenues at Optum Health also rose 13%, the company said.