FAIR MAM Analysis: UnitedHealth Hack Disclosures May Significantly Under-report Total Impact

Using FAIR-MAM, the FAIR Materiality Assessment Model, the FAIR Institute ran a reality check on the costs reported by UnitedHealth Group for the massive ransomware attack on its Change Healthcare payments processing subsidiary on February 21, 2024.

Our finding: The reported costs could be short by a factor of two from the probable total costs of the incident.

FAIR-MAM, part of the family of models related to Factor Analysis of Information Risk (FAIR) and developed with our technical advisor Safe Security, gives FAIR practitioners a deeper, wider look at the cost data for cyber incidents, thus greatly increasing the accuracy of FAIR analysis. FAIR-MAM, for instance, offers analysts more than 200 micro cost drivers within 10 discrete loss modules to fine-tune the quantification of loss data.

We created FAIR-MAM to enable organizations to enter their own data for use in real time to determine the materiality of cyber events (as required by the SEC and, increasingly, other regulators) … and proactively to estimate the probability that future incidents could cross a company’s pre-determined materiality threshold.

We also use FAIR-MAM to assess materiality of data breaches and other cyber loss events in the news, with inputs from news reports, social media, government and regulatory agencies, and disclosures from affected companies. We are posting those findings at the website How Material Is That Hack.

Disclosed and Reported Losses at UnitedHealth

For Q1:24, UnitedHealth has disclosed costs of $872 million including:  

–Direct Response Costs of $593 million:
    * $230 million for UnitedHealthcare and $138 million for subsidiary Optum Health for “medical expenses directly relating to the temporary suspension of some care management activities.”
    * $225 million for Optum Insight (where Change Healthcare is located) clearinghouse platform restoration and other response efforts.

–Revenue Loss of $279 million:
    * More than 100 services were taken offline by UnitedHealth Group after the ransomware attack was discovered on February 21st.

On April 22nd the company reported that Change Healthcare’s payment processing services had been restored to approximately 86% of pre-incident levels.

–Ransom payment:

During the US Senate hearing on April 30, 2024, UnitedHealth Group’s CEO finally confirmed that the ransom paid by the company was $22 million, as had been widely surmised after the ALPHV BlackCat ransomware group received a $22 million bitcoin transaction on March 1st. We assumed the $22 million ransom is part of the Direct Response Cost reported for Optum Insight for Q1:24.

For all of 2024, UnitedHealth has estimated that direct costs from the attack will amount to $1.45 to $1.6 billion for the year, including: 
    * Another $407 to $557 million of Direct Response Costs are expected to be recorded this year.
    * Another $71 to $171 million of Revenue Loss is expected to be recorded this year.

A Closer Look at the UnitedHealth Attack with FAIR-MAM

FAIR-MAM analysis finds:

--$2 billion-plus most likely with $3 billion-plus upper bound costs over time. (NOTE - we applied UnitedHealth Group’s lower bound estimated costs for FY:24 to the Most Likely output for FAIR-MAM and its upper bound estimated costs to FAIR-MAM’s upper bound output.)

Here are the results from How Material Is That Hack. Go to the analysis page.

Why the delta from UnitedHealth’s disclosure? 

The following loss categories are covered by FAIR-MAM but were not yet included in UnitedHealth’s numbers:

--Total PII/PHI breach customer support costs:
    * UnitedHealth Group has said that it will handle all required notifications pertaining to the breach of PHI records once its investigation is complete. The company has said it is offering free credit monitoring to affected customers for two years. It has also opened a call center with specially trained staff;

--Class action settlements for privacy violations – our analysis indicates that between 152 and 210 million record holders could have had sensitive personal data compromised;

--Individual lawsuits claiming death or injury;

--Business interruption liability (UnitedHealth has already advanced $6.5 billion to healthcare providers as accelerated payments or no-interest loans);

--Possible forced divestiture of Change Healthcare (the US Dept. of Justice has reportedly relaunched an antitrust investigation);

--Reputation damage leading to loss of customers or lower stock value;

--Regulatory fines by HHS, FTC, SEC, NYDFS, or US state attorneys general.

Takeaways from the UnitedHealth Hack

While the company is rightfully under fire for the beginner’s error of failing to deploy multi-factor authentication at Change Healthcare, there’s a wider lesson to be learned: Take a risk-based approach to cybersecurity with tools like FAIR-MAM.

“Like GAAP, a standard and comprehensive methodology should be adopted to measure risk exposure in a defensible manner,” Saket Modi, CEO at our technical adviser Safe Security, commented to Forbes. “It may be UnitedHealth’s harsh reality and cost tally that ends ‘check the box’ cyber compliance mindsets.”

Learn more in this FAIR-MAM white paper.

Watch a video: Introducing FAIR-MAM™- A Comprehensive Approach to Loss Modeling in FAIR
