Change Healthcare, a subsidiary of UnitedHealth Group, has fallen victim to a ransomware attack orchestrated by the notorious cybercrime gang ALPHV/BlackCat.
The attack, which began on February 21, has caused widespread disruptions, affecting thousands of pharmacies and hospitals across the United States, and stalling prescriptions and healthcare services for millions of Americans.
Change Healthcare is a health tech giant that processes a significant share of U.S. healthcare transactions, and its platform is used by more than 70,000 U.S. pharmacies. Its parent, UHG, is the world’s largest healthcare corporation by sales, employing 440,000 people and working with over 1.6 million doctors and care workers in 8,000 hospitals and other institutions.
ALPHV/BlackCat claimed responsibility for the attack
ALPHV/BlackCat, a financially motivated group linked to the Russian-speaking DarkSide/BlackMatter gang, has claimed responsibility for the breach.
According to BleepingComputer, the gang claims to have exfiltrated more than 6TB of sensitive data, including:
- medical records
- insurance records
- dental records
- payments information
- claims information
- patients’ personally identifiable information (phone numbers, addresses, Social Security numbers, email addresses, and more)
- PII of active U.S. military and Navy personnel
“Being inside a production network one can imagine the amount of critical and sensitive data that can be found. The data relates to all Change Health clients that have sensitive data being processed by the company,” said BlackCat, in a now-deleted message posted on February 28 on their dark web leak site.
Change Healthcare confirmed BlackCat was behind the attack
Change Healthcare acknowledged the incident and confirmed that BlackCat was behind the ongoing cyberattack.
The company, working with law enforcement and external cybersecurity firms, is trying to contain the impact and restore its systems. Its incident status page states:
“Change Healthcare can confirm we are experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat. Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants on this attack against Change Healthcare’s systems.” (Change Healthcare incident status page)
UnitedHealth Group disclosed that it initially suspected a nation-state actor. So far there is no indication that systems outside Change Healthcare, such as Optum, UnitedHealthcare, or UnitedHealth Group itself, have been compromised.
UnitedHealth has not said whether it has entered ransom negotiations with the attackers.
Cybersecurity analysis and industry response
BlackCat denies exploiting the recently disclosed ConnectWise ScreenConnect authentication bypass (CVE-2024-1709) to breach Change Healthcare.
However, a ScreenConnect subdomain appears among the indicators of compromise in CISA’s BlackCat ransomware advisory, so the denial should be treated with caution.
Federal Agencies Issue Healthcare Warning
The incident has prompted calls for stronger cybersecurity measures across the healthcare industry, including routine asset inventories, multifactor authentication, and prioritized patching of known exploited vulnerabilities.
The FBI, CISA, and HHS have warned that the healthcare sector is a primary target for BlackCat ransomware: of the nearly 70 victims reported since mid-December 2023, healthcare has been hit most often.
To counter ALPHV/BlackCat, the federal agencies recommend measures such as:
- Enforce application controls and software allowlisting.
- Implement phishing-resistant multifactor authentication (MFA).
- Use network monitoring for suspicious activity detection.
- Train users on phishing and social engineering defense.
- Monitor internal communications for anomalies.
- Install and update reputable antivirus software regularly.
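As an added example (not part of the original article, nor code from Change Healthcare, CISA or ConnectWise), the script below shows what the “asset inventory plus prioritization of known vulnerabilities” recommendation looks like in practice for the CVE-2024-1709 case mentioned above: it reads a constructed inventory, flags ScreenConnect installs older than the first fixed release, and orders them so internet-facing hosts are patched first. The hostnames, versions and exposure flags are made up; the threshold that on-premises ScreenConnect 23.9.7 and earlier are affected and 23.9.8 fixes the bug comes from ConnectWise’s advisory, not from the article.

```python
"""Triage an asset inventory for ScreenConnect installs exposed to CVE-2024-1709.

Added example; the inventory below is constructed and the CSV column layout
is an assumption of this script. Fixed-version threshold per ConnectWise:
23.9.7 and earlier are vulnerable, 23.9.8 and later are fixed.
"""
import csv
import io
import re

CVE_ID = "CVE-2024-1709"
FIXED_VERSION = (23, 9, 8)  # first release that closes the authentication bypass

# Constructed sample inventory; nothing here refers to a real host.
SAMPLE_INVENTORY = """\
hostname,product,version,internet_facing
rmm-01.example.internal,ScreenConnect,23.9.7.8804,yes
rmm-02.example.internal,ScreenConnect,23.9.8.8811,yes
jump-03.example.internal,ScreenConnect,22.8.9.8410,no
app-07.example.internal,ScreenConnect,23.9.10.8817,no
db-01.example.internal,PostgreSQL,15.4,no
"""


def parse_version(text):
    """Turn a dotted version string into a tuple of ints, e.g. '23.9.7.8804' -> (23, 9, 7, 8804).

    Numeric comparison is required: comparing strings would rank '23.9.10' below '23.9.8'.
    A string containing no digits raises ValueError so it is never treated as safe.
    """
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n) for n in nums)


def is_vulnerable(version):
    """True when the major.minor.patch part is older than the first fixed release."""
    return parse_version(version)[:3] < FIXED_VERSION


def triage(inventory_csv):
    """Return (affected_hosts, unparseable_hosts).

    affected_hosts is sorted internet-facing first, then oldest version first,
    so it doubles as a patch order. Rows for other products are skipped; rows
    whose version cannot be parsed are reported rather than silently dropped.
    """
    affected, unparseable = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != "screenconnect":
            continue
        try:
            vulnerable = is_vulnerable(row["version"])
        except ValueError:
            unparseable.append(row["hostname"])
            continue
        if vulnerable:
            affected.append({
                "hostname": row["hostname"],
                "version": row["version"].strip(),
                "internet_facing": row["internet_facing"].strip().lower() == "yes",
            })
    affected.sort(key=lambda r: (not r["internet_facing"], parse_version(r["version"])))
    return affected, unparseable


if __name__ == "__main__":
    hosts, bad = triage(SAMPLE_INVENTORY)
    for h in hosts:
        tag = "INTERNET-FACING" if h["internet_facing"] else "internal"
        print(f"{CVE_ID}: {h['hostname']} ScreenConnect {h['version']} ({tag}) "
              f"-> upgrade to 23.9.8 or later")
    for name in bad:
        print(f"WARNING: could not parse ScreenConnect version on {name}; verify manually")
```

With the constructed inventory, the script lists rmm-01 first (vulnerable and internet-facing) and jump-03 second (vulnerable but internal), while rmm-02 and app-07 are skipped because 23.9.8 and 23.9.10 are at or above the fixed release. Swapping the embedded CSV for an export from a real inventory or RMM console is the only change needed to use it.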