UnitedHealth Confirms Cybercrime Was Motive In Change Healthcare Cyberattack

The insurer has moved away from its initial attribution for the disruptive attack to a nation-state threat actor, saying it now believes ‘a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat’ was responsible.

UnitedHealth Group said it now believes cybercriminals were behind the disruptive cyberattack against a unit of its Optum subsidiary after a cybercrime group claimed responsibility for the attack.

The disclosure signals that the insurance giant has moved away from its initial attribution for the Change Healthcare attack to a nation-state threat actor.

The company “can confirm we are experiencing a cyber security issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat,” UnitedHealth said in a statement provided to media outlets including CRN on Thursday.

UnitedHealth had earlier referenced the Change Healthcare attack in its annual 10-K filing with the U.S. Securities and Exchange Commission.

“We continue to investigate the extent of the incident, which we believe was committed by cybercrime threat actors,” the company said in the SEC filing Wednesday.

The disclosures contrast with UnitedHealth’s initial attribution of the attack to a “suspected nation-state” threat actor, which appeared in an SEC filing on Feb. 22. They come after the cybercriminal group known by the names Blackcat and Alphv claimed responsibility for the Change Healthcare attack.

The Russian-speaking cybercriminal gang said on its dark web site that it exfiltrated 6 TB of data in the attack against Change Healthcare. The post was later deleted for unknown reasons.

Reuters had first reported Monday that the attack involved the Blackcat ransomware strain, which raised questions about UnitedHealth placing the blame on a nation-state attacker. The activities of cybercrime groups are generally considered to involve separate hacking operations from those of nation-state threat groups, which are directly sponsored by governments.

In the SEC filing Wednesday, UnitedHealth added that “as of the date of this report, we have not determined the incident is reasonably likely to materially impact our financial condition or results of operations.”

The attack has prevented some U.S. pharmacies and hospitals, as well as other health-care facilities and offices, from processing claims and receiving payments, Reuters reported Thursday.

The latest statement posted by Change Healthcare Wednesday does not contain any new information from its prior disclosures, reiterating that the company is taking “multiple approaches to restore the impacted environment.”