UnitedHealth confirms ransomware gang behind Change Healthcare hack amid ongoing pharmacy outages
American health insurance giant UnitedHealth Group has confirmed a ransomware attack on its health tech subsidiary Change Healthcare, which continues to disrupt hospitals and pharmacies across the United States.
“Change Healthcare can confirm we are experiencing a cyber security issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat,” said Tyler Mason, vice president at UnitedHealth, in a statement to TechCrunch on Thursday.
“Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network[s], on this attack against Change Healthcare’s systems. We are actively working to understand the impact to members, patients and customers,” the spokesperson said.
“Based on our ongoing investigation, there’s no indication that except for the Change Healthcare systems, Optum, UnitedHealthcare and UnitedHealth Group systems have been affected by this issue.”
In a post on its dark web leak site on Wednesday, ALPHV/BlackCat took credit for the cyberattack at Change Healthcare. The Russia-based ransomware and extortion gang claimed to have stolen millions of Americans’ sensitive health and patient information. Ransomware gangs typically publish the names of their victims to their dark web leak sites often as a way to extort the victims into paying a ransom demand.
ALPHV/BlackCat’s claims could not be immediately verified. ALPHV took down the post claiming responsibility, sometimes an indication that the victim is negotiating with the hackers. UHG spokesperson Mason did not respond to a comment asking if the company paid a ransom or is in negotiations with the hackers.
TechCrunch confirmed on Monday that the ongoing cyberattack was linked to ransomware. Reuters first reported the news.
UHG-owned subsidiary Change Healthcare is a health tech giant and one of the country’s largest processors of prescription medications, handling billing for more than 67,000 pharmacies across the U.S. healthcare system. The healthcare tech giant’s website says it handles 15 billion healthcare transactions annually — or about one-in-three U.S. patient records.
Change Healthcare merged with U.S. healthcare provider Optum in 2022 as part of a $7.8 billion deal under UnitedHealth Group, the largest health insurance provider in the United States. The merger allowed Optum broad access to patient records handled by Change Healthcare.
UnitedHealth Group collectively provides over 53 million U.S. customers with benefit plans and another five million outside of the United States, according to its latest full-year earnings report. Optum serves about 103 million U.S. customers.
Pharmacy outages stall prescriptions
The cyberattack began on February 21 early on the U.S. East Coast, causing widespread outages at pharmacies and healthcare facilities. Change Healthcare said it took much of its systems offline to expel the hackers from its systems.
Change Healthcare’s incident tracker page shows most of its customer-facing systems remain offline.
Hospitals, healthcare providers and pharmacies across the United States have reported that they are unable to fulfill or process prescriptions through patients’ insurance.
Nebraska television outlet KLKN-TV reports that the majority of Nebraska hospitals are unable to verify patient insurance for inpatient stays, provide precise cost estimates, or process patient billing as a result of the ongoing cyberattack at Change Healthcare.
U.S. military health insurance provider Tricare said in a statement this week that the cyberattack at Change Healthcare is “impacting all military pharmacies worldwide and some retail pharmacies nationally.”
UnitedHealth previously attributed the cyberattack to an unspecified nation-state actor. Researchers have yet to determine a link between the ALPHV/BlackCat group and a government.
“The ransomware problem has been getting worse for years. If governments don’t get it under control quickly, critical services will continue to be disrupted, with potentially catastrophic consequences,” said Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch.
It’s not yet clear how the hackers gained access to Change Healthcare’s systems. In an interview with TechCrunch on Thursday, ConnectWise chief information security officer Patrick Beggs ruled out a recent vulnerability in his company’s products as the cause of the cyberattack at Change Healthcare.
“With all the subsidiaries including United all the way down to Change Healthcare, we have no record or no indication of any [managed service provider supporting them, or them themselves having ScreenConnect installed on their infrastructure,” Beggs told TechCrunch.
UnitedHealth made $22 billion in profit during 2023, according to its full-year earnings filed in January. According to the company’s most recent report on executive pay, UnitedHealth’s chief executive Andrew Witty received close to $21 million in total compensation during the previous fiscal year.
TechCrunch’s Carly Page contributed reporting.
Do you work at Change Healthcare, Optum or UnitedHealth and know more about the cyberattack? Get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.