UnitedHealth's Change Healthcare hack blamed on ALPHV/BlackCat

The cyberattack on UnitedHealth Group (UHG) subsidiary Change Healthcare has caused pharmacy delays across the US since last week. First identified as a suspected nation-state attack, it now appears the attack was carried out by the notorious ALPHV/BlackCat Ransomware gang, according to new reports.

The attack, which forced UHG’s health technology giant Change Healthcare to shut its system down on Wednesday, was carried out by the Russian-linked ransomware cartel, according to Reuters, who spoke with two people familiar with the matter on Monday.

Cybersecurity experts at Google’s Mandiant have been hired to investigate the breach, the two sources said. Mandiant confirmed in a statement it "has been engaged in support of the incident response" but declined to comment further.

Change Healthcare payment and billing management software is used by thousands of healthcare facilities, making it one of the largest health technology firms in the US. Change Healthcare also provides IT platforms for medical and patient services, having access to tens of millions of sensitive patient records and financial information.

Change Healthcare applications affected
Optum lists dozens upon dozens of applications and transactional services that are no longer accessible to clients since the attack.

“We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online,” Optum (a division of UHG) said in its latest update on the Change Healthcare attack Monday evening.

All three companies have been unable to provide an estimated time for restoration of systems, which Optum said were disconnected immediately "to prevent further impact."

“We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect,” Optum said.

"The disruption is expected to last at least through the day. We will provide updates as more information becomes available," Optum has stated at the end of every update.

Pharmacy back-log six days and counting

Meantime, large pharmacy and supermarket chains, including CVS, Walgreens, and Publix, have all confirmed a “significant backlog” of unprocessed prescriptions while frustrated customers shared their experiences on social media.

"I just left Publix pharmacy, and I asked about the #CyberAttack. The lady said they were having trouble with several insurances responding and that #BlueCross was completely down and not paying on any prescriptions. Thankfully, my prescription was ready and paid for yesterday," one user posted on X.

The American Pharmacists Association (APhA) put out a release on Friday addressing the issue.

“Change Healthcare is a technology company used by many pharmacies; their technology helps pharmacies know how much to charge consumers at the pharmacy counter,“ it said.

“As a result of this, many pharmacies throughout America could not transmit insurance claims for their patients. This is resulting in delays in getting prescriptions filled", the APha said.

UHG is the parent company of United Healthcare and one of the largest health insurance carriers in the US. It's Optum Health division acquired Change Healthcare in October 2022.

The company’s pharmacy program, Optum Rx, has more than 26,000 in-network and independent pharmacy’s as part of its roster.

ALPHV/BlackCat threatened to go after healthcare industry

ALPHV/BlackCat ransomware was first observed in 2021 and is known to operate as a ransomware-as-a-service (RaaS) model by selling malware subscriptions to criminals.

Known for its triple-extortion tactics, the gang was responsible for the September ransomware attacks on the Las Vegas casino giants MGM Resorts, as well as Caesars International, who is rumored to have paid a $15 million ransom to keep operations running.

The group has easily caused over $1 billion in lost corporate revenue in 2023, according to security insiders.

This past December, ALPHV/BlackCat had its website seized by the FBI, which it then unseized hours later in a back and forth cat and mouse game playing out on the dark web.

The US government now has a standing reward of up to $15 million for information leading to the arrest of any of its members or affiliates.

ALPHV/BlackCat $15 reward
US offers up to $15M reward for information leading to arrest of ALPHV/BlacKCat members.

As part of the December operation, the FBI released a decryptor tool to help at least 500 victims restore their previously encrypted networks, saving the companies approximately $68 million in ransom demands.

Although the FBI's short-lived tussle with the FBI put a dent in ALPHV’s operations, by January, the group appeared to have returned to “business as usual,” claiming numerous victims per day on its dark blog, including Canada's Trans-Northern Pipelines earlier this month.

Afterward, ALPHV threatened it would retaliate for the temporary takedown by extorting critical infrastructure providers and hospitals.

About UHG's original claims that the Change Healthcare attack was linked to a nation-state attacker, threat analyst Brett Callow said, "I am not aware of any links between ALPHV and a nation-state."

"As far as I am aware, they are financially motivated cybercriminals and nothing more," Callow said.

Other ALPHV/BlackCat victims include Clorox, Dole, NCR, Next Gen Healthcare, Seiko and the Mazars Group.