The Russia-based cybercriminals who attacked a UnitedHealth Group-owned company in February did not walk away from the endeavor empty-handed. 

“A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure,” a UnitedHealth Group spokesperson confirmed with CBS News late Monday. 

The spokesperson did not disclose how much the health giant paid after the cyberattack, which shut down operations at hospitals and pharmacies for more than a week. Multiple media sources have reported that UnitedHealth paid $22 million in the form of bitcoin. 

“We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it,” UnitedHealth CEO Andrew Witty said in a statement Monday.

UnitedHealth blamed the breach on a Russian ransomware gang known as ALPHV or BlackCat. The group itself claimed responsibility for the attack, alleging it stole more than six terabytes of data, including “sensitive” medical records, from Change Healthcare, which processes health insurance claims for patients who visited hospitals, medical centers or pharmacies.

The scale of the attack — Change Healthcare processes 15 billion transactions a year, according to the American Hospital Association —meant that even patients weren’t customers of UnitedHealth were potentially affected. The attack has already cost UnitedHealth Group nearly $900 million, company officials said in reporting first-quarter earnings last week.

Ransomware attacks, which involve disabling a target’s computer systems, have become increasingly common within the health care industry. The annual number of ransomware attacks against hospitals and other providers doubled from 2016 to 2021, according to a 2022 study published in JAMA Health Forum.

The Change Healthcare incident was “straight out an attack on the U.S. health system and designed to create maximum damage,”  Witty told analysts during an earnings call last week. Ultimately, the cyberattack is expected to cost UnitedHealth between $1.3 billion and $1.6 billion this year, the company projected in its earnings report.