Change Healthcare has confirmed that the Alphv/BlackCat ransomware group is responsible for the cyberattack that disrupted its systems for more than a week.
The incident began on February 21, when Change Healthcare announced that some of its services were experiencing disruptions; the company later described the disruption as a cyberattack and initially attributed it to a state-sponsored threat actor.
A subsidiary of health insurance and services company UnitedHealth Group, Change Healthcare handles billions of healthcare transactions per year, and the attack caused massive prescription processing outages across the country.
One week after the incident, the Alphv/BlackCat ransomware gang, which survived a law enforcement takedown attempt in December 2023, listed Change Healthcare on its Tor-based leak website, claiming the theft of 6 TB of data.
According to the group, the stolen data includes various types of health records, payment information, personally identifiable information, insurance records, and source code, along with other types of information. Personal information pertaining to the US military was allegedly stolen as well.
In a regulatory filing with the US Securities and Exchange Commission, UnitedHealth Group confirmed that a cybercrime group and not a nation-state was responsible for the attack, without providing additional details.
“On February 22, 2024, we disclosed the occurrence of a cybersecurity incident. We continue to investigate the extent of the incident, which we believe was committed by cybercrime threat actors,” UnitedHealth Group noted.
As of February 29, Change Healthcare is no longer listed on the BlackCat leak site, which suggests that the healthcare technology giant has engaged in negotiations with the ransomware group.
Updates published on a Change Healthcare status page show that the systems affected by the attack have not been restored yet and that the disruption is expected to continue as the company scrambles to safely bring them back online.
“We have a high level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue,” the latest entries on the status page read.
This week, the US government updated its advisory on BlackCat to warn that, since December 2023, the group has hit at least 70 organizations, the majority of which are healthcare entities. Prior to the law enforcement takedown operation, BlackCat affiliates were prohibited from targeting hospitals.
Responding to a SecurityWeek inquiry, UnitedHealth Group said it was still working on restoring the impacted systems, but noted that most pharmacies have implemented measures to mitigate the impact of the outage, while others have offline processing workarounds.
The company noted that Optum Rx and UnitedHealthcare services have not been affected by the cyberattack.
“Since identifying the cyber incident, we have worked closely with customers and clients to ensure people have access to the medications and the care they need. We also continue to work closely with law enforcement and a number of third parties, including Mandiant and Palo Alto Networks, on this attack against Change Healthcare’s systems. We appreciate the partnership and hard work of all of our relevant stakeholders to ensure providers and pharmacists have effective workarounds to serve their patients as systems are restored to normal. As we remediate, the most impacted partners are those who have disconnected from our systems and/or have not chosen to execute workarounds,” UnitedHealth Group said.
In an updated statement to SecurityWeek, UnitedHealthcare has confirmed that the BlackCat ransomware gang is responsible for the attack.
“Change Healthcare can confirm we are experiencing a cyber security issue perpetrated by a cybercrime threat actor who has represented itself to us as Alphv/BlackCat. We are actively working to understand the impact to members, patients and customers. Patient care is our top priority and we have multiple workarounds to ensure people have access to the medications and the care they need,” the company said.
*Updated with statements from UnitedHealth Group.*