UnitedHealth Group has identified the culprit behind a cyberattack that has disrupted pharmacy operations for more than a week, the company said Thursday.
Change Healthcare, a claims processing network within UnitedHealth Group's Optum subsidiary, was the victim of a ransomware group known as BlackCat (also called ALPHV or Noberus), which infiltrated its systems last Wednesday. Drugstores, hospital and nursing home pharmacies, and other providers have been forced to work around the disarray since.
“Change Healthcare can confirm we are experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/BlackCat,” a UnitedHealth Group spokesperson said in a statement Thursday. The company previously attributed the incident to an unnamed foreign government.
UnitedHealth Group maintains that the breach is limited to Change Healthcare, not other parts of the company.
Ransomware groups typically demand payment in exchange for returning stolen data. Reuters and other news outlets reported Wednesday that BlackCat had published, then deleted, a message on the dark web claiming it seized millions of patient records. UnitedHealth Group declined to comment on these reports.
“They are one of the most prolific attackers on healthcare,” John Riggi, national adviser for cybersecurity and risk at the American Hospital Association, said Monday. “They just said, ‘Gloves are off. We're going to attack hospitals, nuclear plants, everything.’”
The FBI, the Homeland Security Department's Cybersecurity and Infrastructure Security Agency, and the Health and Human Services Department issued a notice Tuesday warning about ransomware attacks, particularly those associated with BlackCat and healthcare companies.
"Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized," the joint cybersecurity advisory says. "This is likely in response to the ALPHV BlackCat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December."
That month, the Justice Department announced that federal law enforcement agencies had obtained BlackCat's decryption keys and restored some victims' systems. The ransomware group allegedly was behind a breach at Grand Blanc, Michigan-based McLaren Health Care in September that exposed information about 2.5 million patients.
UnitedHealth Group is working with law enforcement agencies and cybersecurity companies Mandiant and Palo Alto Networks to resolve the breach, restore the Change Healthcare systems and assess the damage, the spokesperson said.