What was initially identified as “connectivity issues” last week has spiraled into a nine day (and counting) cybersecurity saga for UnitedHealth Group’s Change Healthcare, and now it appears to involve one of the government’s most wanted hacking networks.
In an official update on their network status page, Change confirmed they were under attack “by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat.”
“Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network, on this attack against Change Healthcare's systems,” the company wrote.
The involvement of Blackcat runs counter to UnitedHealth’s initial claims, which described the outage to customers on Feb. 21 as a connectivity issue before updating it to a “cyber security issue” a day later. In a filing to the SEC, the company said it suspected it was the victim of a “nation-state associated” group of hackers.
Change, which merged with UnitedHealth’s Optum in 2022, now believes Blackcat is behind the attack, and the hacker group itself apparently claimed credit on a network status page of their own, though one only accessible via the dark web. Brett Callow, a threat analyst at the cybersecurity company Emsisoft, posted a screenshot of the since-deleted post on social media in which the hackers claimed to have stolen six terabytes of Change data, though he cautioned against taking the thieves at face value.
“Cybercriminals, they’re not going to tell the truth,” Callow told CNBC. Exaggerations about the amount of data stolen could merely be a bargaining chip for Blackcat, he said.
Blackcat has been the subject of multiple advisories from the FBI and Department of Homeland Security since 2022 and prior to the Change hack, the Department of State had already announced a $10 million bounty for information leading to the arrest of the group’s leaders. Just this week, the Cybersecurity and Infrastructure Security Agency (CISA) updated a previous guidance about the methods used by Blackcat and warned the healthcare sector in particular to be vigilant.
“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized,” CISA wrote. “This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”
While Change’s tussle with Blackcat has been dramatic and certainly caused issues for providers and patients at the outset, UnitedHealth told CNBC that most pharmacies have found digital workarounds or offline processing systems to mitigate the attack’s impact. The company also said provider cash flows have not yet been impacted.
Evan joined TriMed in 2011, writing primarily for Health Imaging. Prior to diving into medical journalism, Evan worked for the Nine Network of Public Media in St. Louis. He also has worked in public relations and education. Evan studied journalism at the University of Missouri, with an emphasis on broadcast media.