2024-02-22 UNITEDHEALTH GROUP INC Cybersecurity Incident

Page last updated on September 29, 2025

UNITEDHEALTH GROUP INC initially disclosed a cybersecurity incident in an SEC 8-K filing on 2024-02-22 16:08:47 EST.

Incident Details

Material: No
Is Breach: Yes
Records Compromised: Unknown
Data Types Impacted: Unspecified, Health data

Compromised Date: 2024-02-12
Detected Date: 2024-02-21
Disclosure Date: 2024-02-22
Contained Date: Unknown
Recovered Date: Unknown

Attack Goal: Theft
Attack Tactics¹: TA0001, TA0010
Attack Techniques¹: T1657, T1486, T1133, T1078, OTHER

Costs: $1B - $1.15B

• Non-itemized costs (Indirect): $1B - $1.15B

Filings

8-K filed on 2024-02-22

UNITEDHEALTH GROUP INC filed an 8-K at 2024-02-22 16:08:47 EST
Accession Number: 0000731766-24-000045

Item 1.05 Material Cybersecurity Incidents.

On February 21, 2024, UnitedHealth Group (the "Company") identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems. Immediately upon detection of this outside threat, the Company proactively isolated the impacted systems from other connecting systems in the interest of protecting our partners and patients, to contain, assess and remediate the incident.

The Company is working diligently to restore those systems and resume normal operations as soon as possible, but cannot estimate the duration or extent of the disruption at this time. The Company has retained leading security experts, is working with law enforcement and notified customers, clients and certain government agencies. At this time, the Company believes the network interruption is specific to Change Healthcare systems, and all other systems across the Company are operational.

During the disruption, certain networks and transactional services may not be accessible. The Company is providing updates on the incident at https://status.changehealthcare.com/incidents/hqpjz25fn3n7. Please access that site for further information.

As of the date of this report, the Company has not determined the incident is reasonably likely to materially impact the Company's financial condition or results of operations.

8-K/A filed on 2024-03-08

UNITEDHEALTH GROUP INC filed a 8-K/A at 2024-03-08 17:13:56 EST
Accession Number: 0000731766-24-000085

Explanatory Note.

This Amendment No. 1 (the "Amendment") amends the Current Report on Form 8-K filed by UnitedHealth Group Incorporated (the "Company") with the Securities and Exchange Commission on February 22, 2024 (the "Original Report").

Item 1.05 Material Cybersecurity Incidents.

As an update to the Original Report, the Company identified that cybercrime threat actors had gained access to certain Change Healthcare information technology systems. Immediately upon detection of this outside threat, the Company isolated the impacted systems from other connected systems in order to protect the Company's partners and customers. The Company promptly notified customers, law enforcement and government agencies.

The Company is making substantial progress in mitigating the impact to consumers and care providers of the unprecedented cyberattack on the U.S. health system and certain Change Healthcare services. The Company's focus has been on ensuring patient access to care and medications by addressing challenges to pharmacy, medical claims and payment services targeted by the attack. The Company is working tirelessly to restore affected services and resume normal operations and along with law enforcement is investigating the extent of impacted data. The Company continues to believe the issue is specific to Change Healthcare. All other systems across the Company are operational.

The progress the Company is making, including interim measures and an expected timeline for restoration of key Change Healthcare systems, is described in a press release which the Company issued on March 7, 2024, a copy of which is attached to the Amendment as Exhibit 99.1.

As of the date of this Amendment, the Company has not determined the incident is reasonably likely to materially impact the Company's financial condition or results of operations.

Exhibit No. 99.1

Press Release dated March 7, 2024

UnitedHealth Group Update on Change Healthcare Cyberattack

Timeline provided to restore key Change Healthcare systems

Additional funding support for providers most impacted

Actions to support patients

March 7, 2024 -- UnitedHealth Group continues to make substantial progress in mitigating the impact to consumers and care providers of the unprecedented cyberattack on the U.S. health system and the Change Healthcare claims and payment infrastructure. Our focus has been on ensuring access to care and medications by addressing challenges to pharmacy, medical claims and payment systems targeted by the attack.

"We are committed to providing relief for people affected by this malicious attack on the U.S. health system," said Andrew Witty, CEO of UnitedHealth Group. "All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practices, and that patients can get their medications. We're determined to make this right as fast as possible."

Based on our ongoing investigation, there is no indication that any other UnitedHealth Group systems have been affected by this attack.

To address the needs of our customers, the company is announcing the following immediate actions:

Timeline to Restore Change Healthcare Systems We are working aggressively on the restoration of our systems and services. Assuming we continue at our current rate of progress, we expect our key system functionality to be restored and available on the following timelines:

• Pharmacy services: Electronic prescribing is now fully functional with claim submission and payment transmission also available as of today. We have taken action to make sure patients can access their medicines in the meantime, including Optum Rx pharmacies sending members their medications based on the date needed.

• Payments platform: Electronic payment functionality will be available for connection beginning March 15.

• Medical claims: We expect to begin testing and reestablish connectivity to our claims network and software on March 18, restoring service through that week.

While we work to restore these systems, we strongly recommend our provider and payer clients use the applicable workarounds we have established-in particular, using our new iEDI claim submission system in the interest of system redundancy given the current environment.

Continued Funding Support for Community-Based Providers On March 1, Optum launched a Temporary Funding Assistance Program to help bridge the gap in short-term cash flow needs for providers who received payments from payers that were processed by Change Healthcare.

UnitedHealthcare will provide further funding solutions for its provider partners. This applies to medical, dental and vision providers and will involve advancing funds each week representing the difference between their historical payment levels and the payment levels post attack. Advances will not need to be repaid until claims flows have fully resumed. Providers must complete a one-time registration to access funding.

We urge all payers to do the same as this is the fastest, most efficient way to address provider short-term cash flow needs. UnitedHealthcare does not have visibility to the extent of business interruption for each provider; therefore, it is necessary for other payers to participate in a similar manner.

We recognize these programs will not work for everyone. Beyond UnitedHealthcare's provider funding relief, Optum is expanding its funding program to include providers who have exhausted all available connection options, and who work with a payer who has opted not to advance funds to providers during the period when Change Healthcare systems remain down.

This expansion is a funding mechanism of last resort, especially for small and regional providers, and will be evaluated on a case-by-case basis. An Optum Pay account is required to complete registration and to receive funds and repay funds. Use your existing Optum Pay account or sign up for Optum Pay to login.

For those who receive funding support, there are no fees, interest or other associated costs with the assistance. For repayment, providers will receive an invoice once standard payment operations resume and will have 30 days to return the funds. These terms now apply to both the original and expanded funding programs.

To determine eligibility and funding amount, please register for the program at the website: www.optum.com/temporaryfunding.

Additional Consumer Actions For Medicare Advantage plans, including Dual Special Needs Plans, we are temporarily suspending prior authorizations for most outpatient services except for Durable Medical Equipment, cosmetic procedures and Part B step therapies. We also are temporarily suspending utilization review for MA inpatient admissions.

For Medicare Part D pharmacy benefits, we are temporarily suspending drug formulary exception review processes.

These actions will remain in place until March 31. We will work with state Medicaid agencies on any actions they wish to implement.

Prescription Support As of today, all major pharmacy claims and payment systems are back up and functioning. We have taken action to make sure patients can access their medicines in the meantime, including Optum Rx pharmacies sending members their medications based on the date needed.

Additionally, recognizing that we were asking pharmacies to take action to help patients, Optum Rx PBM notified network pharmacy partners and pharmacy associations that we would reimburse all appropriate pharmacy claims filled with the good faith understanding that amedication would be covered. We continue to focus on those remaining areas of pharmacy disruption, including specialty coupon programs and certain claims for infusion providers.

For more information and access to all solutions provided by UnitedHealth Group, visit http://www.uhg.com/changehealthcarecyberresponse.

The company expects to exclude the principal impacts arising as a result of the cyberattack from adjusted earnings.

8-K/A filed on 2024-04-24

UNITEDHEALTH GROUP INC filed a 8-K/A at 2024-04-24 16:02:43 EDT
Accession Number: 0000731766-24-000150

Explanatory Note.

This Amendment No. 2 (the "Amendment") amends the Current Report on Form 8-K filed by UnitedHealth Group Incorporated (the "Company") with the Securities and Exchange Commission on February 22, 2024 (the "Original Report"), as amended by the Current Report on Form 8-K/A filed on March 8, 2024 ("Amendment No. 1" and together with the Original Report are collectively referred to as the "Filed Reports"). Except as set forth in this Amendment, the information included in the Filed Reports remains unchanged.

Item 1.05 Material Cybersecurity Incidents.

As an update to information concerning the Change Healthcare cyberattack contained in the Filed Reports, the Company issued a press release on April 22, 2024, regarding its ongoing data assessment and support for impacted individuals, support for providers and customers with notifications, and Change Healthcare service restoration progress. A copy of the press release is attached to the Amendment as Exhibit 99.1 and incorporated by reference herein.

Exhibit No. 99.1

Press Release dated April 22, 2024

UnitedHealth Group Updates on Change Healthcare Cyberattack

Provides Update on Ongoing Review of Impacted Patient Data

Offers Support for People Potentially Impacted

Makes Strong Progress in Restoring Change Healthcare Services

(April 22, 2024) - UnitedHealth Group (NYSE: UNH) is announcing support for people who may be concerned about their personal data potentially being impacted based on preliminary findings from the ongoing investigation and review of the data involved in the malicious criminal cyberattack on Change Healthcare. The company is also providing an update on progress in restoring Change Healthcare's products and services.

Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America. To date, the company has not seen evidence of exfiltration of materials such as doctors' charts or full medical histories among the data.

"We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it," said Andrew Witty, chief executive officer of UnitedHealth Group.

Data Assessment and Support for Impacted Individuals

Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals. As the company continues to work with leading industry experts to analyze data involved in this cyberattack, it is immediately providing support and robust protections, rather than waiting until the conclusion of the data review.

People can visit a dedicated website at http://changecybersupport.com to get more information and details on these resources. A dedicated call center has been established to offer free credit monitoring and identity theft protections for two years to anyone impacted. The call center will also include trained clinicians to provide support services. Given the ongoing nature and complexity of the data review, the call center will not be able to provide any specifics on individual data impact at this time.

The call center can be reached at 1-866-262-5342 and further details can be found on the website.

The company, along with leading external industry experts, continues to monitor the internet and dark web to determine if data has been published. There were 22 screenshots, allegedly from exfiltrated files, some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor. No further publication of PHI or PII has occurred at this time.

While this comprehensive data analysis is conducted, the company is in communication with law enforcement and regulators and will provide appropriate notifications when the company can confirm the information involved. This is not an official breach notification. The company will reach out to stakeholders when there is sufficient information for notifications and will be transparent with the process.

To help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.

Change Healthcare Service Restoration Change Healthcare has made continued strong progress restoring services impacted by the event. We have prioritized the restoration of services that impact patient access to care or medication.

• Pharmacy services are now back to near normal levels with 99% of pre-incident pharmacies able to process claims.
• Medical claims across the U.S. health system are now flowing at near normal levels as systems come back online or providers switch to other methods of submission. Change Healthcare realizes there are a small number of providers who continue to be adversely impacted and is working with them to find alternative submission solutions and will continue to provide financial support as needed.
• Payment processing by Change Healthcare, which represents approximately 6% of all payments in the U.S health care system, is at approximately 86% of pre-incident levels and is increasing as additional functionality is restored.
• Other Change Healthcare services, including eligibility software and analytical tools, are being restored on a rolling basis with the active reconnection of our customers now the priority. To date, approximately 80% of Change functionality has been restored on the major platforms and products, and the company expects full restoration of other systems to be completed in the coming weeks.
• For the latest information on service restoration and customer support, please visit www.uhg.com/changehealthcarecyberresponse.
  

Analyst Notes

• 2024-03-14 - Option Health Care Inc 8-K: Option Health Care Inc filed an 8-K "ITEM 7.01. Regulation FD Disclosure." disclosing that the Change Healthcare cybersecurity incident has resulted in "more than one-half of the Company’s claims for services rendered since the third party incident remain unable to be processed" with near-term disruption in (i) cash flow and working capital; (ii) inefficiencies in patient registration and support functions; (iii) inefficiencies in the billing and collections functions; (iv) higher net interest expense due to lower-than-expected interest-bearing cash balances.
• 2024-02-27 - Encompass Health Corporation 8-K: Encompass Health Corporation filed an 8-K "ITEM 7.01. Regulation FD Disclosure." disclosing that the Change Healthcare cybersecurity incident has affected its submission of payment claims and that it "may experience payment collection delays as it turns to alternative channels to submit claims" depending on how long Change Healthcare service is down.

Related Articles

• 2024-02-28 - Ransomware gang claims they stole 6TB of Change Healthcare data: In a statement published on their dark web leak site today, BlackCat said that they allegedly stole 6TB of data from Change Healthcare's network belonging to "thousands of healthcare providers, insurance providers, pharmacies, etc."
• 2024-02-23 - Moody's says hack against UnitedHealth is credit negative for company: The agency cited potential "financial and reputational impacts" of the cybersecurity attack at UnitedHealth's technology unit Change Healthcare on Wednesday that caused disruption to pharmacies across the United States. Originally discovered from Andy Watkin-Child

Company Information