
Originally, this cyberattack on UnitedHealth subsidiary Change Healthcare was reported as a minor event affecting a few pharmacies in Michigan's Thumb region. It is actually far more extensive and is now crippling pharmacies across the nation:
https://www.healthcaredive.com/news/change-cyberattack-unitedhealth-nation-state/708328/
UnitedHealth suspects ‘nation-state’ behind Change cyberattack
Pharmacies and providers nationwide are struggling to process prescriptions following the attack.
Dive Brief:
- UnitedHealth suspects a “nation-state” is behind the cyberattack on its revenue cycle management subsidiary Change Healthcare, the healthcare conglomerate said in a filing with the Securities and Exchange Commission on Thursday.
- Change reported disruptions to its applications on Wednesday before taking its systems offline, citing an “outside threat.” The company handles 15 billion payment transactions each year, and is one of the largest commercial prescription processors in the U.S.
- Pharmacies and other providers nationwide — including military facilities — have reported struggles processing prescriptions as a result of the outage. On Thursday, the American Hospital Association urged hospitals to disconnect from Optum, the UnitedHealth division that includes Change, and check their systems following the attack.
Dive Insight:
Hackers associated with nation-states are to blame for some of the most disruptive cyberattacks in the U.S., including in the healthcare industry.
A series of cyberattacks starting in 2014 against health insurer Anthem, now called Elevance, led to the largest U.S. health data breach in history, exposing the information of almost 79 million people. A cyber group affiliated with China was behind the attack, according to the U.S. government.
Nation-state adversaries including China, Russia, North Korea and Iran pose an “elevated threat” to national security, according to the Cybersecurity and Infrastructure Security Agency.
Attacks from nation-states are aimed at prolonged network intrusion, allowing for espionage, data theft and system disruption, according to CISA.
As geopolitical unrest increases, including from Russia’s invasion of Ukraine and the Israel-Hamas war, so does the threat of cyberattacks in an industry where operational downtime can cause steep financial losses and contribute to worsening patient health, experts say.
UnitedHealth did not identify the country it believes is behind the Change attack. When asked for more information, a spokesperson for the company shared Change’s original statement from Wednesday.
It’s hard to determine which nation-state could be behind the attack without knowing more, according to Deron Grzetich, head of cybersecurity at consultancy West Monroe. But the perpetrator likely wasn’t North Korea, which uses ransomware in most of its attacks to gather funds for the country, Grzetich said in an interview.
The cyberattack is isolated to Change, and UnitedHealth’s other operations are unaffected, according to the company.
Change, one of UnitedHealth’s numerous subsidiaries, is one of the largest health technology companies in the U.S., providing payment, clinical and patient engagement services for health insurers, providers and pharmacies.
One in three patient records in the U.S. are “touched by our clinical connectivity solutions,” according to Change’s website.
The company provides technology services for more than 67,000 pharmacies. After Change took down its systems, many pharmacies have been unable to verify patients’ insurance coverage, determine copayment amounts or perform other operations necessary to process prescriptions.
Military healthcare program Tricare says on its website that military clinics and hospitals will be providing prescriptions manually until the cyberattack is resolved.
Other pharmacies that have said they’re having difficulty or are unable to process prescriptions include Scheurer Health in Michigan; 22nd Medical Group in Kansas; and Knight’s Pharmacy in Kentucky.
“Due to the sector wide presence and the concentration of mission critical services provided by Optum, the reported interruption could have significant cascading and disruptive effects on revenue cycle, certain health care technologies and clinical authorizations provided by Optum across the health care sector,” the AHA said in a Thursday notice to its members.
UnitedHealth is working to restore systems and resume normal operations “as soon as possible, but cannot estimate the duration or extent of the disruption at this time,” the SEC filing says.
As of Friday morning, many of Change’s log-in systems were still down.
West Monroe’s Grzetich said it’s interesting that a nation-state is behind the attack, given an unclear motivation for wanting to disrupt U.S. pharmacy functions. The country could be after data to help its intelligence operations, he said.
Change, which UnitedHealth acquired for $13 billion in 2022, is the latest victim of cybercriminals targeting the healthcare sector.
Cyberattacks against healthcare organizations have been mounting, with recent high-profile attacks against Lurie Children’s Hospital in Chicago and Ardent Health Services, a multistate hospital operator. Experts say healthcare organizations may be more vulnerable to cyberattacks than organizations in other industries, due to decades of underfunding of cybersecurity protocols.
This hack is becoming a really big story as it continues to disrupt pharmacies:
UnitedHealth hackers say they stole 'millions' of records, then delete statement
By Raphael Satter - February 28, 2024
WASHINGTON, Feb 28 (Reuters) - In a message posted to, and then quickly deleted from, their darknet site, the hackers blamed for striking the UnitedHealth Group said on Wednesday they stole millions of sensitive records, including medical insurance and health data, from the company.
In its claim of responsibility, the group known as "Blackcat" or "ALPHV" posted a statement to its site saying it had stolen 8 terabytes of data from UnitedHealth, according to screenshots of the posting shared online by cybersecurity researchers.
UnitedHealth, whose Change Healthcare unit was at the center of the breach, said it was aware of the statement and was "looking into it."
Blackcat said it stole data from partners including Medicare, the U.S. military medical health agency Tricare, CVS Health (CVS.N) and other companies.
The claim was swiftly removed without explanation. Reuters attempts to reach the hackers have been so far unsuccessful and the news agency had no immediate way to verify the claims, which weren't backed up with any data or screenshots.
The Centers for Medicare and Medicaid Services did not immediately return a message seeking comment. Tricare, which has said all of its military pharmacies were impacted by the hack, also did not immediately return a message seeking comment.
In a statement, CVS said it was aware of the hackers' statement but that, "at this time, Change Healthcare has not confirmed whether any CVS Health member or patient information that it holds, including CVS Caremark information, was impacted by this incident."
Brett Callow, a threat analyst with cybersecurity firm Emsisoft, said there could be several reasons why the hackers would make an inflammatory statement and then delete it.
One possibility was that the hackers had entered ransom negotiations with UnitedHealth, or that the talks had entered a new phase. It was also possible the hackers were trying to gin up attention in a bid to force the healthcare company to come to the negotiating table. Or maybe the hackers just thought the better of it and "decided they didn't want so much attention at this particular point in time."
Blackcat has a history of disruptive hacks, including attacks on MGM Resorts International and Caesars Entertainment that snarled operations at hotels and casinos last year.
UnitedHealth now blames a Russian cybergang known as Black Cat, or AlphV, for the attack, but the FBI supposedly dismantled this gang in December. Someone is lying:
https://www.npr.org/2024/03/01/1235255804/pharmacies-ransomware-prescriptions-unitedhealth
Health care company ties Russian-linked cybercriminals to prescriptions breach
By Jenna McLaughlin - March 1, 2024
A ransomware attack is disrupting pharmacies and hospitals nationwide, leaving patients with problems filling prescriptions or seeking medical treatment.
On Thursday, UnitedHealth Group accused a notorious ransomware gang known as Black Cat, or AlphV, of hacking health care payment systems across the country.
Last week, the top health insurance company disclosed that its subsidiary, Optum, was impacted by a "cybersecurity issue," leading to its digital health care payment platform, known as Change Healthcare, being knocked offline.
As a result, hospitals, pharmacies and other health care providers have either been unable to access the popular payment platform, or have purposefully shut off connections to its network to prevent the hackers from gaining further access.
UnitedHealth says that as of Monday it estimated that more than 90% of 70,000 pharmacies in the U.S. have had to change how they process electronic claims as a result of the outage.
While the company has set up a website to track the ongoing outage, reassuring customers that there are "workarounds" to ensure access to medications, the outage could last "weeks," according to a UnitedHealth executive who spoke on a conference call with cybersecurity officers, a recording of which was obtained by STAT News.
After hiring multiple outside firms, including top cybersecurity companies Mandiant and Palo Alto Networks, UnitedHealth released its conclusion that BlackCat, or AlphV, is behind the breach, a conclusion bolstered by the group itself originally claiming credit on its dark web leak site. The post has since been taken down.
"Hacked the hackers"
However, the fact that the ransomware gang may be responsible is also something of a twist.
Just a few months ago, the FBI broke into the group's internal servers, stealing information about decryption tools for victims and seizing control of several of its websites. The U.S. government celebrated the disruption, a major operation with multiple foreign governments involved. "In disrupting the Black Cat ransomware group, the Justice Department has once again hacked the hackers," said Deputy Attorney General Lisa Monaco in a news release.
Black Cat's seeming ability to regroup and breach one of the largest health care entities in the U.S. demonstrates how challenging it is to hamper these groups long-term.
Cybercriminals frequently reassemble after experiencing setbacks, particularly when their operators are located in countries whose law enforcement agencies are lax about prosecuting their crimes.
That's especially true in Russia. While researchers have not definitively tied BlackCat to Russia or its government, they've concluded it is a Russian-speaking group. U.S. intelligence officials have spoken frequently about the Russian government's willingness to turn a blind eye to cybercrime, in exchange for the hackers' service in intelligence operations. That has been especially true during the war in Ukraine.
In addition to the health care breach, Black Cat also recently claimed to have stolen classified documents and sensitive personal data about Department of Defense employees from U.S. federal contractors.
WIRED reports more from this story's cyber shadows - lawbreakers, law enforcement, and legal data collectors.
MAR 4, 2024 12:41 PM
Hackers Behind the Change Healthcare Ransomware Attack Just Received a $22 Million Payment
The transaction, visible on Bitcoin's blockchain, suggests the victim of one of the worst ransomware attacks in years may have paid a very large ransom.
The ransomware attack targeting medical firm Change Healthcare has been one of the most disruptive in years, crippling pharmacies across the US—including those in hospitals—and leading to serious snags in the delivery of prescription drugs nationwide for 10 days and counting. Now, a dispute within the criminal underground has revealed a new development in that unfolding debacle: One of the partners of the hackers behind the attack points out that those hackers, a group known as AlphV or BlackCat, received a $22 million transaction that looks very much like a large ransom payment.
On March 1, a Bitcoin address connected to AlphV received 350 bitcoins in a single transaction, or close to $22 million based on exchange rates at the time. Then, two days later, someone describing themselves as an affiliate of AlphV—one of the hackers who work with the group to penetrate victim networks—posted to the cybercriminal underground forum RAMP that AlphV had cheated them out of their share of the Change Healthcare ransom, pointing to the publicly visible $22 million transaction on Bitcoin's blockchain (https://www.blockchain.com/explorer/addresses/btc/14Q5xgBHAkWxDVrnHautcm4PPGmy5cfw6b) as proof.
A spokesperson for Change Healthcare, which is owned by UnitedHealth Group, declined to answer whether it had paid a ransom to AlphV, telling WIRED only that “we are focused on the investigation right now.”
Both Recorded Future and TRM Labs, a blockchain analysis firm, connect the Bitcoin address that received the $22 million payment to the AlphV hackers. TRM Labs says it can link the address to payments from two other AlphV victims in January.
If Change Healthcare did pay a $22 million ransom, it would not only represent a huge payday for AlphV, but also a dangerous precedent for the health care industry, argues Brett Callow, a ransomware-focused researcher with security firm Emsisoft. Every ransomware payment, he says, both funds future attacks by the group responsible and suggests to other ransomware predators that they should try the same playbook—in this case, attacking health care services that patients depend on.
“If Change did pay, it's problematic,” says Callow. “It highlights the profitability of attacks on the health care sector. Ransomware gangs are nothing if not predictable: If they find a particular sector to be lucrative, they’ll attack it over and over again, rinse and repeat.”
The self-described AlphV affiliate who first posted evidence of the payment on RAMP, and who goes by the name “notchy,” complained that AlphV had apparently collected the $22 million ransom from Change Healthcare and then kept the entire sum, rather than share the profits with their hacking partner as they had allegedly agreed. “Be careful everyone and stop deal with ALPHV," notchy wrote.
That affiliate hacker also wrote that in their penetration of Change Healthcare's network, they had accessed the data of numerous other health care firms partnered with the company. If that claim is accurate, Recorded Future's Smilyanets points out, it creates the additional risk that the affiliate hacker still possesses sensitive medical information. Even if Change Healthcare did pay AlphV, the hacker affiliate could still demand additional payment or leak the data independently.
“The affiliates still have this data, and they’re mad they didn’t receive this money,” says Smilyanets. “It’s a good lesson for everyone. You cannot trust criminals; their word is worth nothing.”
As ransomware payments go, $22 million would represent a remarkably profitable score for AlphV. Only a relatively small number of ransoms in the history of ransomware, such as the $40 million payment made by the financial firm CNA to the hackers known as Evil Corp, have been so large, says Emsisoft's Callow. “It’s not without precedent, but it’s certainly very unusual,” he says.
Regardless of whether Change Healthcare is confirmed to have paid that ransom, the attack shows that AlphV has pulled off a disturbing comeback: In December, it was the target of an FBI operation that seized its dark web sites and released decryption keys that foiled its attacks on hundreds of victims. Just two months later, it carried out the cyberattack that paralyzed Change Healthcare, triggering an outage whose effects on pharmacies and their patients have now stretched well beyond a week. As of last Tuesday, AlphV listed 28 companies on the dark web site it uses to extort its victims, not including Change Healthcare.
That site has now gone offline. As of Tuesday morning, it displayed what appeared to be a law enforcement seizure notice, but security researcher Fabian Wosar points out (https://twitter.com/fwosar) that the notice seems to have been copied from AlphV's last takedown. The reason for the group's disappearance—whether due to another law enforcement operation or AlphV's attempts to dodge its own cheated affiliates—is unclear. Ransomware trackers say AlphV has disappeared and rebranded several times before. Earlier incarnations under the name BlackCat, BlackMatter, and Darkside were all more or less the same group, security researchers note.
In fact, the hackers working under that Darkside handle were responsible for the 2021 Colonial Pipeline ransomware attack that triggered the shutdown of gas transportation across the Eastern Seaboard of the US and resulted in a brief fuel shortage in some East Coast cities. In that case, too, the victims paid the hackers' ransom. “It was the hardest decision I've made,” Colonial's CEO Joseph Blount later told a US congressional hearing.
Now, it seems, some of the same hackers may have forced yet another company to make that same hard decision.
Update 3/4/2024, 1:50 pm EST: Included additional contextual details about AlphV and related ransomware attacks.
Updated 3/5/2024, 10:30 am EST to note that AlphV's dark web site now displays what appears to be a law enforcement takedown message.
https://www.wired.com/story/alphv-change-healthcare-ransomware-payment/
By Andy Greenberg, senior writer for WIRED, covering hacking, cybersecurity and surveillance.
The Change Healthcare hack has become very expensive. Who pays for it?
UnitedHealth says advanced over $2 bln in payments to providers
By Bhanvi Satija and Sriparna Roy in Bengaluru; March 18, 2024
(Reuters) - UnitedHealth Group (UNH.N) said on Monday it has advanced payments of over $2 billion so far to provide assistance to healthcare providers, financially affected following a cybersecurity attack on its technology unit, Change Healthcare.
The company said it will start releasing its medical claims software on Monday and it will become available to "thousands of customers" over the next several days.
Change Healthcare, which was hit by a cyberattack on Feb. 21, is a vital lynchpin in the system for making and clearing insurance claims as it processes about 50% of medical claims in the United States for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories.
UnitedHealth last week restored its payments processing and pharmacy network services after days of disruption following the cyberattack.
The company said on Monday it will continue restoration of remaining services until all customers have been connected.
UnitedHealth said it has suspended paperwork required to get approval for insurance coverage for most outpatient services, as well as review of inpatient admissions for government-backed Medicare Advantage plans to help those impacted.
What a mess.
Morning Brew gave this synopsis one week ago:
Quote: “We’re hemorrhaging money.”
Thousands of smaller medical practices, like one outside Philly managed by Catherine Reinheimer, are still unable to process insurance payments more than two weeks after a cyberattack disrupted the computer networks of Change Healthcare, the largest billing and payment clearinghouse in the US, CNN reported. Change is part of UnitedHealth Group, which says it is still weeks away from restoring the system that remits payments to providers, some of whom have been forced to take out loans to stay afloat. Experts say the US healthcare system is losing $100 million each day from the disruption.
One month after the attack, Change Healthcare brings its AWS account back online:
Change Healthcare restores Amazon cloud services after cyberattack
By Giles Bruce - March 21, 2024
Change Healthcare said it has reinstated Amazon cloud services for two of its platforms a month into a cyberattack against the company.
The UnitedHealth Group and Optum subsidiary said March 20 it restored Amazon Web Services from backups for Assurance, a claims and remittance management program, and claims clearinghouse Relay Exchange. Change said it rebuilt authentication services for the solutions on a new network with the help of cybersecurity firms Palo Alto Networks and Mandiant, a Google subsidiary. The company said it is also testing the security of the external-facing parts of those applications.
Change took IT systems offline Feb. 21 after experiencing a ransomware attack, disrupting payment and pharmacy services for hospitals, health systems and healthcare organizations across the country. The company has since been incrementally restoring its applications. Cybersecurity experts have told Becker's that cyberattacks of this magnitude can last at least a month.
"We have taken every precaution and safety measure and implemented several rounds of security protocols — both internally and with our third-party partners — to ensure complete confidence in the platform," Change said March 20. "As we've stated, our Optum, UnitedHealthcare and UnitedHealth Group systems remain safe and were not affected by this issue. We regularly scan those environments and continue to validate they were not impacted. Anything currently functioning means we have full confidence in it."
This has to be the most costly cyberattack in healthcare history.
Many lawsuits are now being filed against UnitedHealth Group in the largest healthcare cyberattack to date, but the pain continues for patients who use their services:
Drug delays, skyrocketing prices an ongoing effect of massive cyberattack
By Justin P. Hicks | March 22, 2024
Frustrated patients in Michigan and around the country have had to pay out of pocket for medicine for chronic diseases and other illnesses or go without in the fallout from a cyberattack of a major health care company.
The tech company, Change Healthcare, has restored access to many of its systems in the weeks since the Feb. 21 attack announcement. However, some services remained down as of Thursday, March 21, including the system that processes discount/savings cards to bring down drug prices for patients.
Brian Feinman is one such patient.
The 53-year-old former nurse from Grass Lake typically pays $25 per month for his Type 2 diabetes medication, thanks to a savings card program offered by Ozempic manufacturer Novo Nordisk.
But in the aftermath of the cyberattack against Tennessee-based Change Healthcare, Feinman has had to choose between paying $953 for his weekly Ozempic injections or going without.
“I went to fill my prescription in February, and they told me they couldn’t run my card,” Feinman told MLive. “I’ve missed two doses now. It’s definitely going to affect both my A1C (blood sugar level) and my weight loss.”
On Feb. 21, Change Healthcare announced it had been the target of a cyberattack. To protect its partners and patients, the company said it took immediate action to disconnect its systems.
The event had negative effects on pharmacies and health care providers that rely on those systems for things like claims transactions and processing, patient access and financial clearance, and provider payments.
The American Hospital Association called the cyberattack “the most significant and consequential incident of its kind against the U.S. health care system.” President and CEO Rick Pollack said the attack made it harder for hospitals to provide patient care, fill prescriptions, submit insurance claims, and receive payment for services.
Corewell Health, one of the state’s largest health systems, said Wednesday, March 20, that it remained disconnected from some of Change Healthcare’s services. However, functions like e-prescribing and most claims have resumed, reducing the impact on patients.
Local pharmacists said for a while they couldn’t verify what a customer’s insurance would cover for their medication, or how much of a copay was necessary at the transaction point. Patients had the option of paying out of pocket and pursuing reimbursement later, if they could afford the up-front cost.
“Michigan Pharmacists Association is aware of reports that the Change Healthcare outage continues to present a challenge to Michigan pharmacies and their patients,” said Mark Glasper, the association’s CEO.
“Systems used to identify patient insurance and coordinate coverage of prescriptions are, in some locations, still non-operational or inconsistently usable. It’s also important to understand these issues are not pharmacy driven, rather originating from a third-party institution. Michigan pharmacy personnel continue to work within their power to provide medications at affordable costs through all methods still at their disposal.”
While some system functions have been restored, others were still being worked on as of Thursday. Change Healthcare said it had begun testing and reestablishing connectivity to its claims network and software in a phased manner beginning the week of March 18.
“We continue to make significant progress in restoring the services impacted by this cyberattack,” said Andrew Witty, CEO of UnitedHealth Group, in a prepared statement. “We know this has been an enormous challenge for health care providers and we encourage any in need to contact us.”
One area that was still a major issue as of Wednesday was the system for processing copay coupon and discount cards like the one Feinman uses for his Ozempic.
Feinman said he’s been trying daily for at least four weeks to secure another pen using his card. He’s visited his local CVS Pharmacy and called corporate channels for both CVS and Change Healthcare in search of answers, but to no avail.
“CVS basically says try every day to see if they can run the card,” he said. “The reps at CVS feel bad but there’s nothing they can do. They say I can pay it and mail my receipt for reimbursement, but I don’t have almost $1,000 for just one pen.”
When asked about the issue, a spokesperson for CVS provided a statement that read: “We are aware of Change Healthcare’s restoration timeline and their ongoing efforts to reestablish connectivity to its systems. Our business continuity plans remain in place to mitigate any disruptions, and we remain committed to ensuring ongoing access to care for our patients and members. We are monitoring the situation and will update our plans as necessary.”
Feinman had been on Ozempic for about 4 months. For the first month or so, he had to go through some uncomfortable side effects like nausea, diarrhea and abdominal pain.
Since then however, he said he’s felt good. He’s lost 30 pounds, and his A1C went from about 8% to 5.3%, “which is fantastic for me.” A normal A1C level is below 5.7%, while a level over 6.5% indicates diabetes.
Having to skip doses has Feinman concerned that he’ll see that progress fade and have to go through the side effects again when he finally does get back on track.
“I know I’m not the only one with this major issue,” he said.
I featured Direct Primary Care (DPC) in the MHF blog a few years ago because it's one of the great innovations of modern healthcare.
Since then, DPC docs have started their own blog. Here, one of them sounds off on the tsunami effect of this cyber attack on their fellow clinicians.
Note the particular greatness of the DPC model in this context: it grants immunity to third-party cyber attacks.
https://dpcnews.com/opinion/dpc-says-keep-the-change-we-dont-need-it/
The healthcare headlines have been dominated these past few weeks with the cyber attack on United Healthcare’s clearinghouse, Change Healthcare. Unfortunately, the national headlines have not been giving this massive story the attention it deserves.
If you’re a DPC doc, this cyber attack probably hasn’t affected you much. However, if you’re still in the fee-for-service world, especially as a small private practice, this could be your death knell.
If you’re not up to speed, Change Healthcare was the target of a massive cyber attack. This attack has halted their ability to process claims. Therefore, they have not paid out their daily average of $4.1 billion to the physicians and other healthcare providers, such as pharmacies in hospitals, in nearly 3 weeks.
Despite not paying their contracted providers, they are still collecting insurance premiums. Let that sink in.
Now, cyber attacks are our new reality. As a small business, we may someday be the victim of a cyber attack. However, what enrages me about this situation is the lack of support and empathy that UHC is offering to the healthcare providers who make their business possible.
They are offering a meager $4000 loan (LOAN!) to some offices that submit monthly claims as high as $500,000. Statements reassuring providers that they will be made whole are nowhere to be found.
It has gotten so bad, in fact, that Medicare is stepping in to help support provider offices that have been devastated by this lack of payment. Our tax dollars are now back at work to clean up the mess that is being fueled by corporate greed.
UHC has the money, they’re clearly still accepting premiums. UHC also has historical data of how much they pay these practices month over month. At a minimum, I would expect that they would float these practices their average monthly payment to ensure no disruption to patient care until they can resolve this issue.
As a DPC physician, I am largely untouched by this issue, since we don’t rely on third-party billing. However, my heart bleeds for my colleagues who are dependent on a system that continues to fail them.
If this is what Change in healthcare looks like, you can keep the Change. I will stick with direct primary care.
And... the US State Department weighs in.
How do we know this won't benefit the hackers??
Rewards for Justice – Reward Offer for Information on ALPHV BlackCat-linked Cyber Actors Targeting U.S. Critical Infrastructure
The U.S. Department of State’s Rewards for Justice (RFJ) program, which is administered by the Diplomatic Security Service, is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).
The ALPHV BlackCat ransomware-as-a-service group compromised computer networks of critical infrastructure sectors in the United States and worldwide, deploying ransomware on the targeted systems, disabling security features within the victim’s network, stealing sensitive confidential information, demanding payment to restore access, and threatening to publicize the stolen data if victims do not pay a ransom.
The group’s ransomware, also known as ALPHV BlackCat, was first deployed in November 2021.
ALPHV BlackCat operated as a ransomware-as-a-service business model in which the group’s members developed and maintained the ransomware variant and then recruited affiliates to deploy the ransomware. ALPHV BlackCat and its affiliates then shared any paid ransoms.
More information about this reward offer is located on the Rewards for Justice website at https://rewardsforjustice.net/english/malicious_cyber_activity.html . We encourage anyone with information on ALPHV BlackCat actors, their affiliates, activities, or links to a foreign government to contact Rewards for Justice via the Tor-based tips-reporting channel at: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (Tor browser required).
Since its inception in 1984, RFJ has paid in excess of $250 million to more than 125 people across the globe who provided actionable information that helped resolve threats to U.S. national security. Follow us on Twitter at https://twitter.com/RFJ_USA .
https://www.upi.com/Top_News/US/2024/04/23/UnitedHealth-Group-cyberattack-blackcat/3951713899108/
UnitedHealth Group: Patient data compromised despite paying ransomware
UnitedHealth Group officials on Monday announced a February cyberattack compromised an unknown number of Change Healthcare customers despite paying a ransom. Photo by Justin Lane/EPA-EFE
April 23 (UPI) -- Officials for Minnesota-based UnitedHealth Group on Monday said the health insurance and services provider paid a ransom to protect patients' data, but many personal files were breached in a recent cyberattack.
Cyber criminals targeted subsidiary Change Healthcare in February, and UnitedHealth Group paid an undisclosed ransom amount, corporate officials announced in a news release Monday.
The cyberattack compromised the personal healthcare data of many Americans, NBC News and TechCrunch reported.
"We know this attack has caused concern and been disruptive for consumers and providers," UnitedHealth Group CEO Andrew Witty said. "We are committed to doing everything possible to help and provide support to anyone who may need it."
Witty said it will take several months for UnitedHealth Group to analyze the breached data, identify those whose personal data was compromised, and notify them.
The analysis includes monitoring the dark web and Internet to see if anyone's breached data was published. It also is utilizing information from 22 screenshots of alleged personal health and identity information that were published for about a week on the dark web by a "malicious actor," UnitedHealth Group officials said.
Corporate officials are communicating with law enforcement while undertaking the extended analysis to determine the full extent of data breached by the cyberattack.
UnitedHealth Group officials said the corporation "has made continued strong progress restoring services impacted by the event" and "prioritized the restoration of services that impact patient access to care or medication."
Medical claims processing and pharmacy services are nearly at normal levels, and payment processing for Change Healthcare is at about 86% of its normal levels and improving daily, UnitedHealth Group officials said.
The healthcare provider in February identified the BlackCat ransomware gang as the perpetrators of the cyberattack.
Investigators with the Department of Health and Human Services in March began investigating the cyberattack.
It's an incredibly huge mess.
I'm starting a new thread in the Federal section about Congressional hearings.
Much worse than we were told. UnitedHealth paid at least two ransoms to these thieves:
UnitedHealth confirms 190 million Americans affected by Change Healthcare data breach
January 24, 2025
UnitedHealth has confirmed the ransomware attack on its Change Healthcare unit last February affected around 190 million people in America — nearly double previous estimates.
The U.S. health insurance giant confirmed the latest number to TechCrunch on Friday after the markets closed.
“Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million,” said Tyler Mason, a spokesperson for UnitedHealth Group in an email to TechCrunch. “The vast majority of those people have already been provided individual or substitute notice. The final number will be confirmed and filed with the Office for Civil Rights at a later date.”
UnitedHealth’s spokesperson said the company was “not aware of any misuse of individuals’ information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis.”
The February 2024 cyberattack is the largest breach of medical data in U.S. history and caused months of outages across the U.S. healthcare system. Change Healthcare, a health tech giant and UnitedHealth subsidiary, is one of the largest handlers of health, medical data, and patient records; it’s also one of the biggest processors of healthcare claims in the United States.
The data breach resulted in the theft of massive quantities of health and insurance-related information, some of which was published online by the hackers who claimed responsibility for the breach. Change Healthcare subsequently paid at least two ransoms to prevent further publication of the stolen files.
UnitedHealth previously put the number of affected individuals at around 100 million people when the company filed its preliminary analysis with the Office for Civil Rights, the unit under the U.S. Department of Health and Human Services that investigates data breaches.
In its data breach notice, Change Healthcare said that the cybercriminals stole names and addresses, dates of birth, phone numbers, email addresses, and government identity documents, which included Social Security numbers, driver’s license numbers, and passport numbers. The stolen health data also includes diagnoses, medications, test results, imaging, and care and treatment plans, as well as health insurance information. Change said the data also includes financial and banking information found in patient claims.
The breach was attributed to the ALPHV ransomware gang, a prolific Russian language cybercrime group. According to testimony by UnitedHealth Group’s CEO Andrew Witty to lawmakers last year, the hackers broke into Change’s systems using a stolen account credential, which was not protected with multi-factor authentication.
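The testimony quoted above names the entry vector as a valid account credential used against a system that did not enforce multi-factor authentication. The script below is an added example, not code from the article, from UnitedHealth or from Change Healthcare, showing the two checks a defender would want to run over their own authentication logs after reading that: which accounts can still complete a login with a password alone (a policy gap), and which successful password-only logins came from a source address never seen before for that account (the trace a stolen credential actually leaves). The usernames, IP addresses, service names and timestamps are constructed for the example and correspond to no real system.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    """One authentication record from a remote-access service (constructed schema)."""
    ts: str        # ISO-8601 timestamp; events are assumed to be in chronological order
    user: str
    src_ip: str
    service: str
    success: bool
    mfa: bool      # True only if a second factor was verified for this login


# Constructed sample log: hypothetical accounts, addresses and services.
SAMPLE_EVENTS = [
    AuthEvent("2024-02-10T08:01:00Z", "jsmith", "10.20.0.15", "vpn-gateway", True, True),
    AuthEvent("2024-02-11T08:03:00Z", "jsmith", "10.20.0.15", "vpn-gateway", True, True),
    AuthEvent("2024-02-12T08:00:00Z", "alee", "10.20.0.40", "vpn-gateway", True, True),
    # A service account that has never had MFA, logging in from outside the office range.
    AuthEvent("2024-02-12T22:17:00Z", "svc-billing", "198.51.100.7", "remote-desktop", True, False),
    # A failed attempt followed by a password-only success from an address jsmith never used.
    AuthEvent("2024-02-13T01:02:00Z", "jsmith", "203.0.113.9", "vpn-gateway", False, False),
    AuthEvent("2024-02-13T01:05:00Z", "jsmith", "203.0.113.9", "vpn-gateway", True, False),
    # A known user from a known address, but the login still completed without MFA.
    AuthEvent("2024-02-13T09:00:00Z", "alee", "10.20.0.40", "vpn-gateway", True, False),
]


def accounts_missing_mfa(events):
    """Users with at least one successful login where no second factor was verified.

    Every name returned is a policy gap: for that account the password alone was
    sufficient, so a stolen credential would have been sufficient too.
    """
    return sorted({e.user for e in events if e.success and not e.mfa})


def flag_credential_abuse(events):
    """Successful password-only logins from a source IP never seen before for that user.

    The baseline of known addresses is built only from earlier MFA-verified successes,
    so an attacker's own password-only logins cannot add their address to it.
    """
    known = {}   # user -> set of source IPs seen in MFA-verified successful logins
    alerts = []
    for e in events:
        if e.success and e.mfa:
            known.setdefault(e.user, set()).add(e.src_ip)
        elif e.success and not e.mfa and e.src_ip not in known.get(e.user, set()):
            alerts.append(e)
    return alerts


if __name__ == "__main__":
    print("accounts that completed a login without MFA:", accounts_missing_mfa(SAMPLE_EVENTS))
    for a in flag_credential_abuse(SAMPLE_EVENTS):
        print(f"ALERT {a.ts} user={a.user} src={a.src_ip} service={a.service}: "
              "password-only login from an address never seen for this account")
```

On the sample log, the gap check reports all three accounts, while the abuse check fires only for the two password-only logins that also came from an unfamiliar address; the alee login is a gap but not an alert, which is the distinction an on-call analyst needs to triage. The baseline rule matters: if known addresses were learned from any successful login, the first password-only login from a new address would silently teach the detector to trust that address.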