Change Healthcare confirmed Thursday that ransomware group Blackcat is behind an ongoing cybersecurity attack that is causing widespread damage to pharmacies and health systems across the United States.
“Our experts are working to resolve this issue and we are working closely with law enforcement and leading third-party advisors,” Change Healthcare told CNBC in a statement Thursday. “We are actively working to understand the impact on members, patients and customers.”
The company said it is working with Mandiant, which is owned by Google, and cybersecurity software vendor Palo Alto Networks.
Blackcat said in a since-deleted post on the dark web that it was behind the attack on Change Healthcare systems. The organization said it successfully extracted 6 terabytes of data, including medical records, insurance records and payment information.
Change Healthcare’s parent company, UnitedHealth Group, discovered that cyber threat actors compromised part of the organization’s information technology network on February 21, according to a filing with the Securities and Exchange Commission. UnitedHealth quarantined and disconnected the affected systems “immediately upon detection” of the threat, the document said, without disclosing the nature of the attack or when it occurred.
Blackcat, also known as Noberus and ALPHV, steals sensitive data from organizations and threatens to make it public unless a ransom is paid, according to a press release issued in December by the U.S. Department of Justice. Blackcat has disrupted U.S. and global computer networks, causing hundreds of millions of dollars in damage, the press release said.
Change Healthcare provides payment and revenue cycle management tools that help facilitate transactions such as reimbursement payments. In 2022, it merged with health care provider Optum, which serves more than 100 million patients in the United States and is part of UnitedHealth, the largest health care company in the United States by market capitalization.
Brett Callow, a threat analyst at cybersecurity firm Emsisoft, said ransomware groups often publish posts like these in an attempt to bring victims to the negotiating table. Callow, who specializes in ransomware, shared a screenshot of Blackcat’s deleted post on social media site X on Wednesday.
He said ransomware groups often exaggerate the amount of data they steal, so Blackcat’s claims should be viewed with skepticism. He added that it can take weeks for organizations to determine exactly what information was stolen, and ransomware groups often use periods of uncertainty to their advantage.
“Cybercriminals don’t tell the truth,” Callow told CNBC.
UnitedHealth said in its SEC filing that it suspected a nation-state-linked group was behind the attack, but Callow said Blackcat was a for-profit cybercriminal organization. He called the discrepancy “bizarre” but said there may be more that he didn’t know about.
John Riggi, national adviser for cybersecurity and risk at the American Hospital Association, said ransomware attacks are particularly dangerous in health care because they can cause direct harm to patients’ physical safety.
When systems fail, diagnostic technology such as CT scanners can go offline and ambulances carrying patients are often diverted, which can delay life-saving care, he said.
“Change, they are the victims,” Riggi told CNBC. “Ultimately, though, this is not just an attack on them, it’s an attack on the entire health care sector.”
Change Healthcare’s systems have been down for nine days, and it’s unclear when they will return to normal.