Connect with us

Hi, what are you looking for?



Change Healthcare Confirms BlackCat Ransomware Attack

The Alphv/BlackCat ransomware gang says 6 terabytes of data were stolen from healthcare technology firm Change Healthcare.

Change Healthcare has confirmed that the Alphv/BlackCat ransomware group is responsible for the cyberattack that disrupted its systems for more than a week.

The incident occurred on February 21, when Change Healthcare announced that some of its services were experiencing disruptions, and was later described as a cyberattack blamed on a state-sponsored threat actor.

A subsidiary of health insurance and services company UnitedHealth Group, Change Healthcare handles billions of healthcare transactions per year, and the attack caused massive prescription processing outages across the country.

One week after the incident, the Alphv/BlackCat ransomware gang, which survived a law enforcement takedown attempt in December 2023, listed Change Healthcare on its Tor-based leak website, claiming the theft of 6 Tb of data.

According to the group, the stolen data includes various types of health records, payment information, personally identifiable information, insurance records, and source code, along with other types of information. Personal information pertaining to the US military was allegedly stolen as well.

In a regulatory filing with the US Securities and Exchange Commission, UnitedHealth Group confirmed that a cybercrime group and not a nation-state was responsible for the attack, without providing additional details.

“On February 22, 2024, we disclosed the occurrence of a cybersecurity incident. We continue to investigate the extent of the incident, which we believe was committed by cybercrime threat actors,” UnitedHealth Group noted.

As of February 29, Change Healthcare is no longer listed on the BlackCat leak site, which suggests that the healthcare technology giant has engaged in negotiations with the ransomware group.

Advertisement. Scroll to continue reading.

Updates published on a Change Healthcare status page show that the systems affected by the attack have not been restored yet and that the disruption is expected to continue as the company scrambles to safely bring them back online.

“We have a high-level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue,” the latest entries on the status page read.

This week, the US government updated its advisory on BlackCat to warn that, since December 2023, the group has hit at least 70 organizations, the majority of which are healthcare entities. Prior to the law enforcement takedown operation, BlackCat affiliates were prohibited from targeting hospitals.

Responding to a SecurityWeek inquiry, UnitedHealth Group said it was still working on restoring the impacted systems, but noted that most of the pharmacies have implemented measures that mitigate the impact from the outage, while others have offline processing workarounds. 

The company noted that Optum Rx and UnitedHealthcare services have not been affected by the cyberattack.

“Since identifying the cyber incident, we have worked closely with customers and clients to ensure people have access to the medications and the care they need. We also continue to work closely with law enforcement and a number of third parties, including Mandiant and Palo Alto Networks, on this attack against Change Healthcare’s systems. We appreciate the partnership and hard work of all of our relevant stakeholders to ensure providers and pharmacists have effective workarounds to serve their patients as systems are restored to normal. As we remediate, the most impacted partners are those who have disconnected from our systems and/or have not chosen to execute workarounds,” UnitedHealth Group said.

In an updated statement to SecurityWeek, UnitedHealthcare has confirmed that the BlackCat ransomware gang is responsible for the attack.

“Change Healthcare can confirm we are experiencing a cyber security issue perpetrated by a cybercrime threat actor who has represented itself to us as Alphv/BlackCat. We are actively working to understand the impact to members, patients and customers. Patient care is our top priority and we have multiple workarounds to ensure people have access to the medications and the care they need,” the company said.

*Updated with statements from UnitedHealth Group.

Related: US Offers $10 Million for Information on BlackCat Ransomware Leaders

Related: Black Basta, Bl00dy Ransomware Exploiting Recent ScreenConnect Flaws

Related: LoanDepot Ransomware Attack Exposed 16.9 Million Individuals

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.


Johnson Controls has confirmed being hit by a disruptive cyberattack, with a ransomware group claiming to have stolen 27Tb of information from the company.