Report: Notorious ransomware group launched cyberattack on UnitedHealth Group

A ransomware group known as Blackcat was behind a cyberattack last week at UnitedHealth Group that has disrupted prescriptions across the country, Reuters reported Monday.

Blackcat actors employ a multiple extortion model of attack, the U.S. Justice Department says, with affiliates stealing sensitive data and seeking a ransom in exchange for decrypting the victim’s system and not publishing stolen data.

UnitedHealth Group disclosed the cyberattack Thursday, saying a nation-state associated cybersecurity threat actor had accessed some information technology systems at its Change Healthcare business in Tennessee. Reuters on Monday, citing unnamed sources familiar with the matter, pegged the attack to Blackcat.

UnitedHealth Group did not comment on the Reuters report. The Minnetonka-based health care giant said it has worked with pharmacies and health care providers to make sure patients still get the care they need.

“We estimate more than 90% of the nation’s 70,000+ pharmacies have modified electronic claim processing to mitigate impacts from the Change Healthcare cyber security issue; the remainder have offline processing workarounds,” the company said in a statement to the Star Tribune.

UnitedHealth Group operates UnitedHealthcare, which is one of the nation’s largest health insurers, as well as Optum, a health services business including a large pharmacy benefit manager (PBM) called OptumRx.

“Both OptumRx and UnitedHealthcare are seeing minimal reports, including less than 100 out of more than 65 million PBM members not being able to get their prescriptions,” the company said. “Those patients have been immediately escalated and we have no reports of continuity of care issues.”

Pharmacies use the Change Healthcare systems to confirm health insurance coverage for prescriptions, including cost-sharing amounts owed by patients.

With those systems down, some patients have been spending more time at the pharmacy counter, as staff do more work using backup systems to check benefits, said Kate Surbaugh, chief executive of Sawtooth Mountain Clinic in Grand Marais. Health systems in the Twin Cities say they’ve made adjustments, as well, to maintain patient access to prescriptions.

“Everybody is getting the medicine that they need,” said Surbaugh, who runs a federally funded community health center that includes a large pharmacy operation. “The back end, I think, is going to be a little messier to figure out.”

In a Tuesday message to users, Change Healthcare said it was still working to get systems running again.

“The disruption is expected to last at least through the day,” the company said.

The American Hospital Association, a trade group, reiterated in a statement Monday that the Change Healthcare cyberattack is “having effects on the entire health care system.”

Blackcat is one of the most notorious of the internet’s many ransomware gangs — groups of cybercriminals who encrypt data to hold it hostage with the aim of securing massive cryptocurrency payouts, Reuters said. It has previously struck major businesses including MGM Resorts International and Caesars Entertainment.

In report earlier this month, the U.S. Health and Human Services Department identified Blackcat as a Russian “cyber criminal group” active since 2021.

In December, the Justice Department announced a “disruption campaign” against Blackcat, saying it had seized several of the group’s websites.

Blackcat has notched more than 1,000 victims, including networks that support “U.S. critical infrastructure,” according to the Justice Department. Millions of dollars in ransoms have been ponied up to the group.

Until recently, publicly traded companies such as UnitedHealth didn’t generally report security breaches to the Securities and Exchange Commission. But a new SEC rule instituted in mid-December requires the disclosure of “material” security breaches within four business days of their occurrence.

Exceptions can be made for public safety or national security circumstances. UnitedHealthcare is one of at least a half-dozen companies that have reported potentially material breaches since the rule went into effect, SEC records indicate.

Generally, the SEC considers events “material” when “reasonable” investors would consider it important. The materiality of cybersecurity breaches, however, is not always immediately clear.

UnitedHealth, in its SEC filing on Feb. 20, said it “has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”

Health care businesses are particularly vulnerable to cyberattacks, partly due to the value of patient records. Companies can shell out millions of dollars identifying and remedying a hack — and breaches in the health care industry are often the most expensive, according to HHS, which tracks health care hacks.

Last year, the average breach in the health care industry cost $10.93 million, up from $10.10 million a year earlier, according to a Feb. 15 report on Russian hacking. Financial services were second highest at $5.9 million per breach on average.

UnitedHealthcare Student Resources, an arm of United that provides insurance to students, reported a hack to HHS involving 398,319 people. The company said names, phone numbers, claims and prescription information may have been accessed.

UnitedHealth’s data in that case was retrieved through a major ransomware hack of MoveIt file-sharing software, which is used by companies and organizations worldwide. The culprit was a Russian ransomware group known as Clop. UnitedHealth told the Star Tribune last year that it did not pay a ransom.