Change Healthcare confirms Blackcat/AlphV behind ransomware attack

Medical insurance giant UnitedHealth Group confirmed Thursday that the cyberattack affecting the operations of its subsidiary Change Healthcare was carried out by the Blackcat/AlphV ransomware group.

After days of posting the same updates online about a “cyber security issue,” Change Healthcare said on Thursday the attack was “perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat.”

“Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Networks, on this attack against Change Healthcare's systems,” they said. “We are actively working to understand the impact to members, patients and customers.”

Reuters first reported Monday that the cybercrime group, whose malware has been linked to high-profile attacks on targets like MGM Resorts in 2023, was responsible for the incident. Blackcat/AlphV posted Change Healthcare to its leak site on Wednesday, claiming to have stolen 6 terabytes of data, but subsequently removed the post.

The cyberattack began on February 21, prompting Change Healthcare to disconnect its systems. In a filing with the Securities and Exchange Commission, UnitedHealth Group originally attributed the attack to “a suspected nation-state associated cyber security threat actor.” Researchers have said Blackcat/AlphV is a Russian-speaking operation but have not linked it to any government.

Change Healthcare’s software serves as an intermediary between pharmacies and insurance companies, and the impacts of the disruption have been felt across the country. The company is used by the U.S. military to fill prescriptions, meaning all of those clinics worldwide have reportedly been affected.

“Military clinics and hospitals will continue to provide prescriptions through manual procedures until this issue is resolved,” the Military Health System said Wednesday.

The Blackcat/AlphV group was raided in an FBI-led international operation in December. According to the Cybersecurity and Infrastructure Security Agency, as of September 2023, the group had compromised over 1,000 entities and received nearly $300 million in ransom payments.

CISA this week posted an update to a previous advisory about the group, noting that after the December operation, leaders encouraged affiliates to target healthcare organizations.

James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.