An ongoing cyber attack at U.S. health tech giant Change Healthcare that has disrupted hospitals and pharmacies across the United States over the past week was caused by ransomware, a TechCrunch investigation has found.
The healthcare technology giant blamed the BlackCat ransomware group for the cyberattack, said a healthcare executive with knowledge of the incident briefed by company executives over the phone.
Reuters first reported the news linking the cyber attack to BlackCat, citing two people familiar with the incident.
A Change Healthcare spokesperson did not respond to a request for comment.
BlackCat (also known as ALPHV) has not yet claimed responsibility for this cyberattack. Ransomware and extortion gangs typically release some of their victims' stolen data as leverage when demanding a ransom. Ransomware attacks typically scramble victims' files and demand a ransom in exchange for the decryption key. In more recent cyberattacks, cybercriminals often steal victims' data before encrypting it.
It is not yet known whether patient data was stolen in the ransomware attack.
UnitedHealth Group, the parent company of Change Healthcare and the largest U.S. health insurance company, said in a government regulatory filing last week that it has a “suspected nation-state” threat actor in its systems. However, the cyber attack was not attributed to a specific organization, government or state.
The accuracy of attribution for the UHG cyberattack remains unclear, as cybersecurity researchers have not previously linked the BlackCat gang to any nation-state or government.
Change Healthcare is a leading U.S. healthcare technology company and one of the nation's largest prescription drug processors, processing prescriptions and bills for more than 67,000 pharmacies across the U.S. health care system. The healthcare technology giant processes 15 billion healthcare transactions annually. This equates to approximately one in three patient records in the United States.
Change Healthcare merged with healthcare provider Optum in 2022 as part of a $7.8 billion deal under UnitedHealth Group. The agreement gives Optum extensive access to Change Healthcare's patient records.
In total, UnitedHealth Group provides benefit plans to more than 53 million customers in the U.S. and an additional 5 million customers outside the U.S., according to its latest full-year earnings report. Optum serves approximately 103 million customers in the United States.
The cyberattack against Change Healthcare began in the early hours of February 21 on the East Coast of the United States, causing widespread outages at pharmacies and medical facilities. Change Healthcare said it took many of its systems offline to remove the hacker from its systems.
Change Healthcare's incident tracker page shows nearly all of its customer-facing systems remain offline.
Hospitals, health care providers, and pharmacies are reporting an inability to fulfill or process prescriptions using patients' insurance.
The American Hospital Association (AHA), which represents more than 5,000 hospitals and health care providers, issued a notice last Friday asking its members to “disconnect from Optum until it independently determines it is safe to reconnect.” It warned of “serious cascading and destructive actions” resulting from the cyber attack.
Columbia University, which operates one of New York's largest hospitals, on Friday directed employees to disconnect all systems from UnitedHealth Group, Change Healthcare and Optum and block access to their email domains.
Tricare, which provides health insurance for active-duty members of the U.S. military, said in a statement that the cyber attack on Change Healthcare “affected all military pharmacies worldwide and some retail pharmacies domestically.”
BlackCat/ALPHV is said to have previously carried out cyberattacks targeting US healthcare giant Norton, news sharing site Reddit, and mortgage loan giant Fidelity National Financial.
Do you work at LoanDepot and know more about this case? You can contact Zack Whittaker on Signal and WhatsApp at +1 646-755-8849 or by email. You can also contact us via SecureDrop.