UnitedHealth Optum Cyberattack Pinned On Ransomware, Not Nation-State: Report

A Reuters report indicates the Blackcat ransomware was involved in the attack that has disrupted U.S. pharmacies.

The cyberattack against a unit of UnitedHealth’s Optum subsidiary that has disrupted U.S. pharmacies involved the Blackcat ransomware strain, according to a report Monday.

The Reuters report, which cited two sources familiar with the situation, raises questions about UnitedHealth’s initial attribution of the attack to a nation-state threat actor. CRN has reached out to UnitedHealth and Optum representatives for comment.


Security researchers have previously associated the Blackcat ransomware strain with Alphv, a Russian-speaking cybercriminal gang; the two names are commonly used interchangeably for the same ransomware-as-a-service operation, in which the core group supplies the malware and affiliates carry out the intrusions. The operations of cybercriminal groups are generally considered separate from those of nation-state threat groups, which are directly sponsored by governments.

Attacks by cybercrime actors involving ransomware also tend to be loudly disruptive, since the extortion depends on the victim noticing, whereas nation-state attacks are typically stealthier and more focused on espionage or data theft. The distinction is not absolute: state-linked actors have deployed ransomware and wiper malware in the past, and ransomware-as-a-service affiliates operate with considerable independence, so the presence of a known ransomware strain narrows but does not by itself settle the question of who is behind an intrusion.

In a regulatory filing last Wednesday, insurer UnitedHealth Group disclosed the cyberattack against Change Healthcare, a prescription processor that’s a part of its Optum subsidiary.

Change Healthcare has said in a statement that it disconnected its IT systems following the attack “to prevent further impact.”

The latest statement posted by Change Healthcare Monday afternoon does not contain any new information from its disclosures last week and over the weekend. “The disruption is expected to last at least through the day,” the statement reads, repeating a line that was included in the statements of prior days.

The statement also reiterated that Change Healthcare is taking “multiple approaches to restore the impacted environment.”

History Of Disruptive Attacks

Prior incidents involving Blackcat ransomware have included severely disruptive attacks such as last year’s crippling attack against casino operator MGM. Researchers have also linked Blackcat to the high-profile attack against Caesars Entertainment last year.

In the wake of the Change Healthcare attack, insurance processing has been impacted and resulted in difficulties for patients in acquiring prescriptions using their insurance, media reports said Friday.

Local pharmacies have reported delays in addition to being unable to bill insurance plans for prescriptions, according to a report Friday from the Wall Street Journal. CNN reported that patients have been resorting to paying out of pocket in order to access necessary prescriptions.

“During the disruption, certain networks and transactional services may not be accessible,” UnitedHealth said in its SEC filing last week.

A statement from the Naval Hospital at Camp Pendleton in California has said that the attack has “affected military clinics and hospitals worldwide” as well as “some retail pharmacies nationally.”

In its SEC filing, UnitedHealth said it has “identified a suspected nation-state” as the threat actor behind the Change Healthcare attack. The company did not specifically attribute the attack to a certain country’s government.

In its statement, Change Healthcare has said it has a “high-level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue.”

The American Hospital Association has said in a statement that Optum has a “sector wide presence” and provides numerous “mission critical services.” As a result, “the reported interruption could have significant cascading and disruptive effects on the health care field,” the association said, including to insurance verification and payments as well as to “certain health care technologies and clinical authorizations.”

“AHA continues to recommend that all health care organizations that were disrupted or are potentially exposed by this incident consider disconnection from applications specified by Change Healthcare that remain unavailable due to this cyberattack, as identified on the Change Healthcare application status page,” the association said in the statement Saturday.