UnitedHealth Confirms Ransomware Gang Behind Change Healthcare Hack

Source: TechCrunch | Published on February 29, 2024

Ransomware attack on UnitedHealth

American health insurance giant UnitedHealth Group has confirmed a ransomware attack on its health tech subsidiary Change Healthcare, which continues to disrupt hospitals and pharmacies across the United States.

“Change Healthcare can confirm we are experiencing a cyber security issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat,” said Tyler Mason, vice president at UnitedHealth, in a statement to TechCrunch on Thursday.

“Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network[s], on this attack against Change Healthcare’s systems. We are actively working to understand the impact to members, patients and customers,” the spokesperson said.

“Based on our ongoing investigation, there’s no indication that except for the Change Healthcare systems, Optum, UnitedHealthcare and UnitedHealth Group systems have been affected by this issue.”

In a post on its dark web leak site on Wednesday, ALPHV/BlackCat took credit for the cyberattack at Change Healthcare. The Russia-based ransomware and extortion gang claimed to have stolen millions of Americans’ sensitive health and patient information. Ransomware gangs typically publish the names of their victims to their dark web leak sites often as a way to extort the victims into paying a ransom demand.

ALPHV/BlackCat’s claims could not be immediately verified. ALPHV took down the post claiming responsibility, sometimes an indication that the victim is negotiating with the hackers. UHG spokesperson Mason did not immediately respond to a comment asking if the company paid a ransom or is in negotiations with the hackers.

TechCrunch reported on Monday that the ongoing cyberattack was linked to ransomware, which was first reported by Reuters.

UHG subsidiary Change Healthcare is a health tech giant and one of the country’s largest processors of prescription medications, handling billing for more than 67,000 pharmacies across the U.S. healthcare system. The healthcare tech giant’s website says it handles 15 billion healthcare transactions annually — or about one-in-three U.S. patient records.

Change Healthcare merged with U.S. healthcare provider Optum in 2022 as part of a $7.8 billion deal under UnitedHealth Group, the largest health insurance provider in the United States. The merger allowed Optum broad access to patient records handled by Change Healthcare.

UnitedHealth Group collectively provides over 53 million U.S. customers with benefit plans and another five million outside of the United States, according to its latest full-year earnings report. Optum serves about 103 million U.S. customers.

The cyberattack began on February 21 early on the U.S. East Coast, causing widespread outages at pharmacies and healthcare facilities. Change Healthcare said it took much of its systems offline to expel the hackers from its systems.

Hospitals, healthcare providers and pharmacies have reported that they are unable to fulfill or process prescriptions through patients’ insurance. U.S. military health insurance provider Tricare said in a statement this week that the cyberattack at Change Healthcare is “impacting all military pharmacies worldwide and some retail pharmacies nationally.”

UnitedHealth previously attributed the cyberattack to an unspecified nation-state actor. Researchers have yet to determine a link between the ALPHV/BlackCat group and a government.

It’s not yet clear how the hackers gained access to Change Healthcare’s systems. In an interview with TechCrunch on Thursday, ConnectWise chief information security officer Patrick Beggs ruled out a recent vulnerability in his company’s products as the cause of the cyberattack at Change Healthcare.

“With all the subsidiaries including United all the way down to Change Healthcare, we have no record or no indication of any [managed service provider supporting them, or them themselves having ScreenConnect installed on their infrastructure,” Beggs told TechCrunch.