According to sources with knowledge of the investigation, the BlackCat ransomware group is behind the ongoing outage affecting the Change Healthcare payment exchange platform, which followed a cyberattack on UnitedHealth Group subsidiary Optum.
On Wednesday, Change Healthcare warned its customers that some of its services were temporarily unavailable as a result of a cybersecurity incident. A day later, UnitedHealth Group said in an SEC 8-K filing that the attack was carried out by suspected “nation-state” hackers who had gained access to Change Healthcare’s IT systems.
Because the platform is widely used by electronic health record (EHR), payment processing, care coordination, and data analytics systems in hospitals, clinics, and pharmacies, the Change Healthcare shutdown has caused frequent billing outages.
Optum has since posted daily updates on a dedicated status page informing users that Change Healthcare’s systems remain down to prevent further damage and contain the breach; the most recent update lists the majority of services as affected.
Optum says that the Optum, UnitedHealthcare, and UnitedHealth Group systems are not affected by this issue.
“We are pursuing a variety of strategies to restore the impacted environment, but we won’t resort to shortcuts or take any additional risks as we restore our systems.”
BlackCat links
Change Healthcare has been holding Zoom calls with healthcare industry partners to keep them informed of the situation since the attack on its systems.
According to one of the callers, forensic experts involved in the incident response believe the attack is linked to the BlackCat (ALPHV) ransomware gang (Reuters first reported the link on Monday).
A source who spoke to BleepingComputer on Friday said that one of the indicators of compromise is the critical ScreenConnect authentication bypass flaw (CVE-2024-1709), which another source said has been actively exploited in attacks to deploy ransomware on unpatched servers.
BleepingComputer has not been able to independently verify the sources’ claims. BlackCat has not yet claimed the attack on Change Healthcare, suggesting that the gang may still be trying to extort money from the company.
Although UnitedHealth Group VP Tyler Mason did not confirm whether BlackCat was behind the attack, he said that 90% of the affected pharmacies had implemented new electronic claim procedures to address the Change Healthcare issues.
More than 90% of the country’s 70,000+ pharmacies have modified their electronic claim processing to lessen the impact of the Change Healthcare cybersecurity issue, according to Mason.
“Both Optum Rx and UnitedHealthcare are receiving scant reports, with less than 100 of the over 65 million PBM members being unable to obtain their prescriptions. We have not received any reports of continuity of care issues because those patients have been immediately escalated.”
UnitedHealth Group (UHG), a health insurance provider with operations in all 50 states and 8,000 hospitals and other care facilities, has contracts with more than 1.6 million doctors and care professionals.
UHG is the largest healthcare company by revenue ($324.2 billion in 2022) and has 440,000 employees worldwide.
Its subsidiary Optum Solutions operates the largest payment exchange platform connecting doctors, pharmacies, healthcare providers, and patients in the United States healthcare system.
A BlackCat representative did not respond to BleepingComputer’s request for comment before this article was published.
BlackCat/ALPHV: Who is it?
BlackCat surfaced in November 2021 in what is rumored to be a rebranding of the DarkSide and BlackMatter ransomware operations.
DarkSide quickly gained notoriety after the Colonial Pipeline attack, which led to extensive investigations by international law enforcement and forced the gang to rebrand twice.
The FBI linked BlackCat to more than 60 breaches in its first four months of operation, between November 2021 and March 2022, and estimates that by September 2023 the gang had received at least $300 million in ransom payments from more than 1,000 victims.
In December, the FBI disrupted the gang’s operations and temporarily took down its Tor negotiation and leak sites after hacking its servers and collecting key data during a months-long intrusion.
BlackCat has since “unseized” its leak site using private keys it still possesses, and it is now running a new Tor leak site that the FBI has not yet taken down.
While the SEC filing identifies a nation-state threat actor as the perpetrator of the attack, BlackCat has not been publicly connected to any foreign government.
Rewards of up to $10 million are offered for tips that lead to the identification or location of ALPHV gang leaders, and up to $5 million for information on those connected to BlackCat ransomware attacks.
Updated on February 27, 2012 at 2:00 EST: Added a statement from UnitedHealth Group.