UnitedHealth Group Attack: Plodding Recovery From Ransomware Emphasizes Importance of Backup & Recovery Excellence

James Hsu | April 15, 2024

Those observing the aftermath of the massive UnitedHealth Group (UHG) ransomware attack are seeing firsthand the scale of economic loss and business disruption that ransomware can wreak – even for enterprises with deep pockets and hundreds of employees dedicated to mitigating such risks.

In today’s analysis, we’ll look at this incident and UnitedHealth Group’s ongoing recovery process and discuss the role backup operations and backup monitoring/reporting can play in ensuring cyber resilience against ransomware attacks.

First, a few highlights from this incident:

  • Change Healthcare, a subsidiary of UHG acquired by another UHG subsidiary called OptumInsight, is the largest clearinghouse for insurance billing and payments in the U.S., responsible for “processing around 15 billion transactions a year and touching one in three medical records, according to the Department of Health and Human Services.” (source)
  • UHG first discovered the attack against Change Healthcare systems on February 21, 2024. Among other service outages, the attack crippled Change Healthcare’s ability to process claims and issue payments to healthcare providers.
  • The company is believed to have paid a $22 million USD ransom to prevent the leak of stolen data, however it is unclear whether the ransom was paid to the correct ransomware group (in possession of the stolen data).
  • The company has paid at least $4.7 billion USD (and counting) in interest-free payment advances to healthcare customers who have been affected financially by the attack. Many healthcare providers have indicated they’ve still had to take out personal loans to maintain operations.
  • 94% of 1,000 US hospitals surveyed by the American Hospital Association (AHA) are reporting financial impact, with more than half reporting “significant or serious” impact. (source)
  • 74% of hospitals in the above AHA survey report “direct patient care impact”, with nearly 40% reporting that patients are having difficulty accessing care because of processing delays.
  • As of this writing (4/15/2024), UHG/Optum is still working to restore systems.


As of 4/15/2024 (54 days after the attack was discovered), many services are still unavailable. (https://solution-status.optum.com/)

This Is a Continuing Trend (Rather Than an Exception)

That Change Healthcare was compromised by this attack is neither unusual nor necessarily indicative of poor cybersecurity operations at UHG.

In Sophos’ 2023 State of Ransomware report, 66% of responding organizations said they had been hit by ransomware attacks in the previous year, and 76% of attacks resulted in data being encrypted.

This Sophos data begs the question: “Why are these attack and encryption rates so high, even though organizations are spending more than ever on cybersecurity? ($219B worldwide in 2023, +12.1% compared to 2022)”

Ransomware often infiltrates organizations through human error (e.g., falling for social engineering-based phishing), as opposed to poor cybersecurity policies. According to Verizon’s Data Breach Incidence Report in 2023, 74% of all data breaches “involved the human element,” or things such as privilege misuse, stolen credentials, and social engineering. In the Sophos report, 61% of ransomware attacks were attributed to human error-related vectors (compromised credentials, malicious emails, phishing, and downloads), and only 37% were attributed to exploited vulnerabilities, with the remaining 3% attributed to brute force attacks.

When attackers can get through ironclad network security and/or application security by tricking someone with the keys, it shouldn’t be surprising that ransomware still affects so many businesses, despite the hundreds of millions of dollars such companies spend on cybersecurity per annum.

In a high-profile ransomware attack against MGM Resorts in 2023, hackers “were able to find an MGM Resorts employee on LinkedIn, impersonate them, and call the organization’s service desk to ask for access to their account… After initial entry, they gained administrator rights and proceeded to deploy a ransomware attack.” (source)

So, if cybersecurity can be so easily circumvented by stealing credentials — what can businesses do to mitigate the devastating effects of ransomware?

Backups Are Effective When Ransomware Gets Through

Within the Sophos dataset of ransomware victims (2023 State of Ransomware), 45% of ransomware victims with backups were able to recover within a week, getting their data back even faster than those who opted to pay ransoms (39%). Additionally, the median recovery cost for ransomware victims that used backups to recover their data ($375,000) was half the cost incurred by those who paid ransoms ($750,000).

As critical as backup & recovery teams are to ransomware resilience, they are so often left out of cyber resilience conversations and budgeting exercises.

Let’s dig in a bit more to understand why backups are so effective against ransomware.

Why Backups Matter More for Ransomware Than for Traditional Data Breaches

Before ransomware became the threat it is today, cybercriminals targeting businesses were mostly looking to steal data to sell. Therefore, their goal was often to steal valuable data and leave without a trace.

Ransomware is a different monstrosity. Because ransomware renders systems/data useless by malicious encryption (to help attackers extort their ransoms), the threat to the victim is twofold:

  • Loss of valuable/sensitive data that can be used to harm individuals/businesses or compromise intellectual property.

But also (and often more significantly):

  • Business downtime/disruption and a need to rebuild/restore critical applications and data – not to mention fallout from affected customers.

The latter threat cannot be overstated. When a victimized organization’s downtime affects its customers’ ability to conduct business (as in this incident), the total economic damage can be exponentially greater than with “traditional” data breaches, where there is very little downtime. Additionally, ransomware damages can cascade into mass churn (cancellations), lawsuits, and even regulatory penalties for the victimized organization(s).

This perfect storm is what could be brewing for UHG, which is now being investigated by The Department of Health & Human Services (HHS) for possible HIPAA violations and is facing at least six class action lawsuits over the data breach.

Importantly, paying a purported $22M ransom has not yet enabled UHG to recover all its data and/or systems, and recent reporting suggests a second ransomware group is now threatening to release stolen Change Healthcare data. Paying ransoms doesn’t always work out perfectly.

Back to Backups & UHG

While relevant details remain unknown regarding UHG’s backup operations and any backup monitoring tools they are using to ensure backup success, it appears likely (from their updates) that the delays in restoring their systems are due to either data loss (e.g., missing/old/corrupted backups, unprotected assets with zero backups) and/or delays in finding the right backups.

From a 3/8/2024 Reuters story (much earlier in the recovery process): “’The amount of disruption suggests they don’t have alternate systems at the ready,’ said Chester Wisniewski, a director at the cybersecurity firm Sophos. ‘It’s been 13, 14 days, and that is already longer than I’d expect for backup systems to be spun up.’”

When you consider that the recovery process is now approaching two months (with no end in sight), it seems even more likely that gaps in backup operations are responsible.

Gaps in backup operations shouldn’t be surprising when you consider that Change Healthcare was only acquired by UHG in 2021. It can take years for complex IT integrations to complete after M&A activity, and for data protection teams that could mean years of substandard backup success. (Learn how Bocada helps organizations ensure backup success and oversight during M&A integrations.)

Did You Know? “Nightmare” ransomware scenarios are one reason why proactive organizations automate their backup monitoring & reporting with Bocada. Bocada automates and centralizes data collection, reporting, and incident ticketing for 40+ popular backup products including Veeam, IBM Storage Protect, Commvault, Cohesity, NetBackup, Rubrik, Druva, Acronis, and many more. Merck, Regeneron, Thermo Fisher Scientific, MD Anderson Cancer Center, and OpenText are just a few enterprises using Bocada to mitigate the worst of potential ransomware incidents and simplify data protection compliance. Learn more about “Using Backups to Avoid Ransomware Payments [and Damages]”.


How do Cybersecurity and Backup & Recovery Work Together to Defeat Ransomware?

Businesses continue to spend more and more on cybersecurity ($219B worldwide in 2023, +12.1% compared to 2022) to prevent ransomware nightmares like the one UHG is going through.

Beyond reducing the incidence of ransomware getting into private networks/systems, cybersecurity investments can also help organizations detect ransomware attacks early, allowing attacks to be contained before they become widespread.

But once ransomware has gotten through defenses and started disrupting operations, there is often a “passing of the baton” to backup & recovery teams.

If backup & recovery teams have the necessary tools, processes, and resources to ensure cyber resilience, downed systems can be brought back up quickly. If not, the nightmares will persist.

After this shocking wakeup call that is affecting so many healthcare providers and patients, perhaps the integral link between cybersecurity and backup & recovery will begin to influence budget allocations and put better resources/tools in the hands of backup professionals who have for too long been asked to “do more with less.” One can only hope that it is not too little, too late.

In next month’s story, we’ll share several prominent examples of how leading data protection products are integrating with leading cybersecurity products to improve cyber resilience against ransomware attacks. Subscribe to the Bocada Insights newsletter to see more stories like this one.