The attack on United Healthcare’s Change Healthcare unit continues to cause major problems. Pharmacies are struggling to fill prescriptions, patients cannot get their medications, and payment processes for providers are impacted.
The problems began February 21 after hackers, subsequently identified as the AlphV (BlackCat) group, gained access to UnitedHealth’s Change Healthcare unit. How they gained access is still unconfirmed, with the hackers publicly mocking some analysts who claimed that they had exploited a vulnerability in ScreenConnect.
While the details of how the attack was implemented await more investigation results, Change Healthcare’s most recent status update makes it clear that they are still struggling to recover:
Change Healthcare is experiencing a cyber security issue, and our experts are working to address the matter. Once we became aware of the outside threat, and in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact. This action was taken so our customers and partners do not need to. We have a high level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue.
We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online. We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.
Posted 13 hours ago. Feb 28, 2024 – 17:58 EST
The list of all of their affected services is posted on the status update page.
Over this past weekend, individuals familiar with the situation first revealed that it was BlackCat who was responsible. Until then, the firm had indicated that they had a suspect who was “nation-state” affiliated, leading some to speculate whether China was behind the attack. BlackCat is not a nation-state gang. They have always appeared to be strictly financially motivated and like many groups, do not attack Russian or CIS entities.
On February 27, a spokesperson for BlackCat told DataBreaches.net that yes, BlackCat was responsible for the attack. Despite their statement, some continued to suggest that LockBit was behind the breach or it was BlackCat using ransomware to implicate LockBit or maybe they were just claiming credit for a breach they hadn’t done.
Yesterday, BlackCat posted about Change Healthcare on their blog, claiming responsibility. In this case, they claim to have exfiltrated more than 6 TB of data from a number of Change Healthcare partners that they name. The data they claim to have includes both PII and PHI. They did not post any proof of claims with the post, but that is reportedly typical of them if they are still trying to get a target to pay their demands.
Their post, shown below, shows they are following media coverage and responding to it and to researchers that have made claims that they state are false. They write, “PS for all those cyber intelligence so called expert dumbasses we did not use ConnectWise exploit as our initial access so you should base your reports you tell people on actual facts not kiddi speculations.”
The post was removed by the end of the day.