Blackcat claims responsibility for cyber attack at UnitedHealth

Change Healthcare on Thursday confirmed that the Blackcat ransomware group is behind an ongoing cyber security attack that has caused widespread disruption to pharmacies and healthcare systems across the US

“Our experts are working to address the matter, and we are working closely with law enforcement and leading third-party consultants,” Change Healthcare told CNBC in a statement Thursday. “We are actively working to understand the impact on members, patients and customers.”

The company said it is working with Mandiant, which is owned by Googleand cybersecurity software provider Palo Alto Networks.

In a since-deleted post on the dark web, Blackcat said Wednesday it was behind the attack on Change Healthcare’s systems. The group said it was able to extract six terabytes of data, including information such as medical records, insurance records and payment information.

Change Change’s parent company UnitedHealth Group said it discovered that a cyber threat actor had breached part of the unit’s information technology network on Feb. 21, according to submission with the SEC. UnitedHealth isolated and disconnected the affected systems “immediately upon discovery” of the threat, the document said, but did not disclose the nature of the attack or exactly when it took place.

Blackcat, also called Noberus and ALPHV, steals sensitive data from institutions and threatens to publish it unless a ransom is paid, according to Release in December from the US Department of Justice. Blackcat has compromised computer networks in the US and around the world, amounting to hundreds of millions of dollars in losses, the release said.

Change Healthcare offers payment and revenue cycle management tools that help facilitate transactions such as reimbursement payments. In 2022, it merged with healthcare provider Optum, which serves more than 100 million patients in the US and is owned by UnitedHealth, the nation’s largest healthcare company by market capitalization.

Brett Callow, a threat analyst at cybersecurity company Emsisoft, said ransomware groups often make posts like these in an attempt to get victims to the negotiating table. Callow, who specializes in ransomware, shared a screenshot from Blackcat’s deleted post on social media site X on Wednesday.

He said ransomware groups often exaggerate the amount of data they’ve stolen, so Blackcat’s claims should be treated with skepticism. It can take weeks for an organization to determine exactly what information has been stolen, he added, and ransomware groups often use the period of uncertainty to their advantage.

“Cybercriminals, they’re not going to tell the truth,” Callow said in an interview with CNBC.

UnitedHealth said in its filing with the SEC that it suspected a nation-state actor was behind the attack, but Callow said Blackcat was a for-profit cybercrime operation. He called the discrepancy “strange” but said there may be more to the offense that he’s not aware of.

Ransomware attacks can be particularly dangerous in the healthcare sector because they can cause immediate harm to the physical safety of patients, said John Riggi, national cybersecurity and risk advisor at the American Hospital Association.

When systems go dark, diagnostic technology such as CT scanners can go offline, and ambulances transporting patients are often diverted, which can delay life-saving care, he said.

“Change, they’re a victim,” Riggi told CNBC. “But at the end of the day, it wasn’t just an attack on them, it was an attack on the entire healthcare sector.”

Change Healthcare’s systems have been down for nine days in a row and it is unclear when they will be back online.

WATCHING: Companies need to understand that cyber risk is a business risk