Ransomware attack blamed for Change Healthcare outage stalling US prescriptions

An ongoing cyberattack at U.S. health tech giant Change Healthcare that sparked outages and disruption to hospitals and pharmacies across the U.S. for the past week was caused by ransomware, TechCrunch has learned.

A healthcare executive with knowledge of the incident, who was on a briefing call held by the company’s executives, said the healthcare tech giant attributed the cyberattack to the BlackCat ransomware group.

Reuters first reported the news linking the cyberattack to BlackCat, citing two people familiar with the incident.

A spokesperson for Change Healthcare did not immediately respond to a request for comment.

BlackCat, also often referred to as ALPHV, has not yet publicly claimed responsibility for the cyberattack. Ransomware attacks typically scramble a victim’s files and demand a ransom in exchange for the decryption key. Newer attacks often involve cybercriminals stealing a victim’s data before encrypting it, and ransomware and extortion gangs typically publish portions of that stolen data to pressure the victim into paying.

It’s not yet known if patient data was stolen in the ransomware attack.

UnitedHealth Group (UHG), the parent company of Change Healthcare and the largest U.S. health insurance provider, said in a government regulatory filing last week that it identified a “suspected nation-state” threat actor in its systems, but did not attribute the cyberattack to a specific government or state.

The accuracy of UHG’s cyberattack attribution remains unclear, as cybersecurity researchers have not previously linked the BlackCat gang to a nation-state or government.

Change Healthcare is an American healthcare tech giant and one of the country’s largest processors of prescription medications, handling prescriptions and billing for more than 67,000 pharmacies across the U.S. healthcare system. The company handles 15 billion healthcare transactions annually — or about one in three U.S. patient records.

Change Healthcare merged with healthcare provider Optum in 2022 as part of a $7.8 billion deal under UnitedHealth Group. The deal allowed Optum broad access to patient records handled by Change Healthcare.

UnitedHealth Group collectively provides over 53 million U.S. customers with benefit plans and another 5 million outside of the United States, according to its latest full-year earnings report. Optum serves about 103 million U.S. customers.

The cyberattack at Change Healthcare began early on February 21, U.S. East Coast time, causing widespread outages at pharmacies and healthcare facilities. Change Healthcare said it took much of its systems offline to expel the hackers.

Change Healthcare’s incident tracker page shows nearly all of its customer-facing systems remain offline.

Hospitals, healthcare providers and pharmacies have reported that they are unable to fulfill or process prescriptions through patients’ insurance.

The American Hospital Association (AHA), which represents more than 5,000 hospitals and healthcare providers, told its members in a notice last Friday to “consider disconnection from Optum until it is independently deemed safe to reconnect,” and warned of “significant cascading and disruptive effects” caused by the cyberattack.

Columbia University, which runs one of New York’s largest hospitals, told staff on Friday to disconnect all its systems from UnitedHealth Group, Change Healthcare and Optum and blocked access to their email domains.

Tricare, the U.S. military’s health insurance provider for active military personnel, said in a statement that the cyberattack at Change Healthcare is “impacting all military pharmacies worldwide and some retail pharmacies nationally.”

BlackCat/ALPHV has previously taken credit for cyberattacks targeting U.S. healthcare giant Norton, news-sharing site Reddit, and mortgage and loan giant Fidelity National Financial.
