Executive Summary
The BlackCat/ALPHV ransomware gang has officially claimed responsibility for a cyberattack on Optum, a subsidiary of UnitedHealth Group (UHG), which led to an ongoing outage affecting the Change Healthcare platform, the largest pharmacy payment exchange platform.
This declaration of responsibility, which has since been removed on the BlackCat/ALPHV’s facing site, come as the United States Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, and Department of Health and Human Services published a report, warning of indicators that BlackCat/ALPHV is primarily targeting domestic healthcare entities. The full report, with Indicators of Compromise included, can be accessed here.
Community Impact
Multiple RH-ISAC member organizations operate in the healthcare space, especially pharmacy retailers. As noted in the TechCrunch article linked above, “Change Healthcare is a health tech giant and one of the country’s largest processors of prescription medications, handling billing for more than 67,000 pharmacies across the U.S. healthcare system.” As such, any members that operate pharmacies are encouraged to assess whether their billing operations are impacted by the incident, and to reach out to Change to determine if their customer or enterprise data was exposed.
Context
Per ALPHV/BlackCat’s claims via a public post on February 28, 2024, the 6TB of sensitive data stolen, via an ALPHV/BlackCat affiliate, from Change Healthcare contains a wide range of information on millions of people, including:
- medical records
- insurance records
- dental records
- payments information
- claims information
- patients’ Personal Identifiable Information (PII) data (i.e., phone numbers, addresses, social security numbers, email addresses, and more)
- active US military/navy personnel PII
On a dedicated status page, Optum stated that they’re still focusing on restoring impacted systems to bring them online, adding that Optum, UnitedHealthcare, and UnitedHealth Group systems have not been affected.
Additionally, BlackCat denied that the affiliates who breached Change Healthcare’s network used a critical ScreenConnect authorization bypass flaw (CVE-2024-1709), which was detailed by an RH-ISAC alert.
