The company says a ransomware group known as ALPHV Blackcat is claiming responsibility. The group has repeatedly targeted healthcare organizations, officials say.
UnitedHealth Group’s Change Healthcare has identified the group claiming responsibility for the cyberattack that’s causing major disruptions for hospitals and other providers.
Change Healthcare said Thursday that “we are experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat.”
In a message posted online, the company said, “Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network, on this attack against Change Healthcare's systems. We are actively working to understand the impact to members, patients and customers.”
ALPHV Blackat has a record of targeting healthcare organizations, according to the Cybersecurity & Infrastructure Security Agency. Blackcat has been one of the world’s largest groups offering ransomware as a service, the U.S. Justice Department has said.
In a Feb. 27 advisory, CISA said healthcare has been the group’s top target in recent months.
“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized,” CISA said.
Federal officials announced in December that they had taken steps to disrupt ALPHV Blackcat. The FBI had developed a decryption tool allowing more than 500 victims the capability of restoring their systems, and the Justice Department said in December that it has saved victims from paying $68 million in ransom demands.
“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online,” Deputy Attorney General Lisa O. Monaco said in December.
But the group has apparently found new ways to cause havoc, federal officials say.
CISA says the spate of recent attacks on health systems likely stems from “the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group.”
Nic Finn, senior threat intelligence consultant at GuidePoint Security, said in a statement that ALPHV or Blackcat “has been actively attacking healthcare organizations for a while now, with several large healthcare providers and networks impacted in 2023."
“While we have seen several healthcare organizations impacted by Alphv in 2024, it remains to be seen whether this is an intentional increase representative of deliberate targeting or just continued operations as usual, pursuing vulnerable targets of opportunity and exploiting frequent weaknesses in health organization networks,” Finn said.
Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance, told Chief Healthcare Executive® that if some ransomware groups were reticent about targeting healthcare organizations in the past, they are exhibiting fewer qualms now.
“I do think we are seeing that there are no protected organizations anymore,” Steinhauer said in an interview this week. “I don't think every group will attack a hospital, but certainly where we didn't see this happening before because of moral obligations or beliefs, now, some organizations have decided that that's not the case anymore.”
ALPHV Blackcat affiliates study their targets and use social engineering to gain access to companies, CISA said in the advisory. They may pose as members of the information technology staff and reach out to employees.
Some affiliates of ALPHV or Blackcat use ransomware after gaining access and demand payment, but some also steal data after gaining access and attempt to extort victims without deploying ransomware.
The American Hospital Association has advised its members to follow CISA’s updated recommendations to guard themselves against ALPHV Blackcat. “ALPHV Blackcat is alleged to be involved in ongoing attacks impacting the health care field,” the AHA says.
Blackcat has claimed responsibility for a cyberattack affecting McLaren Health Care in Michigan last October. In February 2023, the Lehigh Valley Health Network said the Blackcat ransomware group launched a cyberattack of the Pennsylvania health system.
Hospitals are seeing serious problems in a variety of ways from the Change Healthcare cyberattack. Health systems are having trouble processing claims, determining if a patient’s insurance will cover treatments, handling prescriptions, and other issues, according to the American Hospital Association.
UnitedHealth Group, the parent company of Optum, which includes Change Healthcare, said in an SEC filing the incident was discovered Feb. 21. Optum said it has disconnected Change Healthcare’s systems and is confident that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected.
Read more: Paying the ransom: Hospitals face hard choices in cyberattacks
Cybersecurity panel: How hospitals can protect their patients and their systems
November 18th 2024Chief Healthcare Executive® presents the final installment in our series, with experts from HIMSS, the American Hospital Association, and Providence. In this episode, our panel offers advice on how health systems can improve.