UnitedHealth has confirmed that the BlackCat ransomware gang was behind last week's cyber attack on Change Healthcare which impacted pharmacies across the US.

The health insurance giant revealed in a statement on Thursday that the Russia-based ransomware and extortion gang gained access to the healthcare systems of its subsidiary, Change Healthcare, to cause disruption across its pharmacies and potentially steal patient data.

“Change Healthcare can confirm we are experiencing a cyber security issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat,” said Tyler Mason, vice president at UnitedHealth, in a statement to TechCrunch on Thursday.

“Based on our ongoing investigation, there’s no indication that except for the Change Healthcare systems, Optum, UnitedHealthcare and UnitedHealth Group systems have been affected by this issue.”

BlackCat takes credit 

UnitedHealth said its experts were working with law enforcement authorities and third-party consultants to gauge the impact on its customers and patients.

It previously attributed the cyber attack on Change Healthcare to an unspecified nation-state actor but did not specify which cyber gang it believed was behind the attack. Nation-state actors are governments targeting other countries for various reasons, including espionage or disrupting critical infrastructure. 

A recent example of this was the attack on the Ukrainian mobile network operator Kyivstar, which saw Russia-backed hackers disrupt one phone line for millions of people across the country. Kyivstar’s CEO Oleksandr Komarov said the attack was a result of Ukraine’s war with Russia at the time. 

It is not yet known if any data was stolen during the security breach, but there is a strong possibility that sensitive patient information may be in the hands of BlackCat if we are to look at the previous activity of the extortion group. The sensitivity of health data makes it of high value to cybercriminals.

BlackCat took credit for the cyber attack at Change Healthcare on Wednesday, claiming to have stolen millions of Americans’ sensitive health and patient information. In a statement published on its dark web leak site, the gang said it had stolen 6TB of data from Change Healthcare's network belonging to "thousands of healthcare providers, insurance providers, pharmacies, etc."

"Being inside a production network one can imagine the amount of critical and sensitive data that can be found. The data relates to all Change Health clients that have sensitive data being processed by the company," BlackCat said.

The ransomware gang claims that they stole source code for Change Healthcare solutions and sensitive information belonging to many partners, including the U.S. military's Tricare healthcare program, the Medicare federal health insurance program, CVS Caremark, MetLife, Health Net, and tens of other healthcare insurance providers.

Ransomware gangs like BlackCat typically publish the names of their victims to their dark web leak sites, often as a way to extort the victims into paying a ransom demand. BlackCat’s claims still cannot be verified, however. The gang took down the post claiming responsibility, which is sometimes an indication that the victim is negotiating with the hackers.

Change Healthcare cyber attack disruption continues

UnitedHealth’s subsidiary, Change Healthcare, is one of America’s largest processors of prescription medications, handling billing for more than 67,000 pharmacies across the U.S. healthcare system.

The healthcare tech giant’s website says it handles 15 billion healthcare transactions annually, or about one in three US patient records.

Collectively, UnitedHealth provides over 53 million U.S. customers with benefit plans and another five million outside of the United States, according to its latest full-year earnings report. Optum serves about 103 million U.S. customers. Hospitals, healthcare providers and pharmacies have reported that they are unable to fulfil or process prescriptions through patients’ insurance.

Cyber attacks on healthcare institutions can be devastating for those impacted. Earlier this month, the French medical payment systems Viamedis and Almerys were targeted in a ransomware attack that exposed over half of the French population's data.

Meanwhile, the UK's NHS was also targeted in 2022. In that attack, medical staff were forced to keep patient details on scraps of paper for several months as the attack shut down the service's IT systems.

Erfan Shadabi, Cybersecurity Expert at comforte AG, believes the cyber attack on Change Healthcare should be a wake-up call for organizations to develop and implement cyber incident response plans, enabling swift action and minimizing damage during a breach. 

"In light of the Change in Healthcare cybersecurity incidents, it's imperative for organizations to prioritize the development and implementation of robust cyber incident response plans. 

“These plans serve as critical frameworks for swift and effective action in the event of a breach, minimizing the potential damage and ensuring business continuity," Shadabi told EM360Tech.