Change Healthcare's Ransomware Attack Costs Edge Toward $1 Billion So Far (theregister.com)
UnitedHealth, parent company of ransomware-besieged Change Healthcare, says the total costs of tending to the February cyberattack for the first calendar quarter of 2024 currently stand at $872 million. From a report: That's on top of the amount in advance funding and interest-free loans UnitedHealth provided to support care providers reeling from the disruption, a sum said to be north of $6 billion. In its results for the quarter ended March 31, filed today, UnitedHealth stated that the total impact on the company from the attack in Q1 was $0.74 per share, which is expected to rise to a sum between $1.15 and $1.35 per share by the end of the year.
The remediation efforts spent on the attack are ongoing, so the total costs related to business disruption and repairs are likely to exceed $1 billion over time, potentially including the reported $22 million payment made to the ALPHV/BlackCat-affiliated criminals behind the attack. It's a charge that eclipsed that of casino group MGM, which didn't pay a ransom following an attack on its systems last year, and which faces recovery costs of $100 million to rebuild its systems and pay for the fallout from outages, operational disruptions, allegedly leaked data and more.
Re: (Score:1)
Re: Here's an idea (Score:2)
Re: (Score:1)
Oh yes; let's give people who often have the greatest access and knowledge of vulnerabilities and flaws in critical that could fetch big money on the black market to people who might need drug money and are not motivated enough to put on a button-down shirt and slacks for a paycheck!
That sounds like a great plan - oh wait, it's not, and any actual security professional could tell you that.
Re:Here's an idea (Score:4, Interesting)
There are lots of smart people available to work on security, but they won't put up with stupid rules
I mean yeah, if you want to pay peanuts you're gonna have to start tapping the slacker/druggie labor pool. You'll also still probably get exactly what you're paying for. Or, you could just pay decent salaries and skilled people who have no issue with conforming to corporate culture will beat a path to your door.
Re: (Score:2)
Sure, and you can also insist that employees must do jumping jacks while singing praises to the CEO. But stupid rules cost extra, and for self-respecting people quite a bit extra. But if you want stupid rules and to only pay a little extra, you have to start tapping the pool of people who love asskissing and have no self-respect, but you better hope their boss isn't an idiot who asks for convenience at the cost of security.
Re: (Score:2)
I bet the causes were Security 101 lapses rather than rocket science failure. They need checks and balances, not necessarily more gurus. They can rent a guru for short-term projects when needed.
Re: (Score:3)
It would be better if this company didn't exist at all. It's an obvious sign that the US for-profit healthcare industry is horribly inefficient and over bloated when there's actually a need for a middleman between the insurance companies and the healthcare providers.
How's that IT security budget again? (Score:2)
I see it too often. Companies that flirt with disaster, they remind me of 20-year-old kids who think they're invincible and the 'bad things' just happen to other people and take risks with security.
Old out data servers, unpatched systems, not spending anything if they can avoid it for IT infrastructure and security.
The execs that got the bonus for being thrifty likely have left the scene before the other shoe drops kinda thing.
Maybe do not fuck up in the first place next time? (Score:2)
IT security, BCM and DR are a thing you know. Just not at Change Healthcare it seems.
If a bank leaves open their vault overnight and gets robbed, nobody would think the bank a victim. Same thing happens to the IT of a large enterprise, and suddenly the fuckups are "victims". No. They are not. They fucked up and tried to do things on the cheap. They were at the very least grossly negligent.