UnitedHealth confirms Optum hack behind US healthcare billing outage

Update 2/26/24: Our new reporting explains that the attack was conducted by the BlackCat ransomware operation.

Healthcare giant UnitedHealth Group confirmed that its subsidiary Optum was forced to shut down IT systems and various services after a cyberattack by “nation-state” hackers on the Change Healthcare platform.

United Health Group (UHG) is a health insurance company with a presence across all 50 US states. The organization is the world's largest healthcare company by revenue ($324.2 billion in 2022), employing 440,000 people worldwide.

Its subsidiary, Optum Solutions, operates the Change Healthcare platform, which is the largest payment exchange platform between doctors, pharmacies, healthcare providers, and patients in the US healthcare system.

If you have any information regarding this incident or any other undisclosed attacks, you can contact us confidentially via Signal at 646-961-3731 or at tips@bleepingcomputer.com.

Optum suffers massive cyberattack

Change Healthcare first started warning customers Wednesday that some of its services had become unavailable, later stating a cybersecurity incident caused it.

An 8-K filing submitted by UnitedHealth Group with the SEC yesterday confirmed that a cyberattack by suspected "nation-state" hackers was behind the disruption to Optum's Change Healthcare services.

"On February 21, 2024, UnitedHealth Group (the "Company") identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems," reads the filing.

"Immediately upon detection of this outside threat, the Company proactively isolated the impacted systems from other connecting systems in the interest of protecting our partners and patients, to contain, assess and remediate the incident."

"The Company is working diligently to restore those systems and resume normal operations as soon as possible, but cannot estimate the duration or extent of the disruption at this time."

Optum is providing regular updates on the status of its services on this portal, which says that the outage is currently impacting 119 Change Healthcare and Optum services and platforms. 

Change Healthcare has a wide presence in the US healthcare systems, used by hospitals, clinics, and pharmacies nationwide for electronic health record (EHR) systems, payment processing, care coordination, and data analytics.

Employees at healthcare clinics, medical billing companies, and pharmacies have reported widescale problems due to the outage, including being unable to bill or send claims for prescriptions or healthcare services.

The payment processing disruption in pharmacies has been particularly noticeable, with the majority of local and box store pharmacies across the country unable to process any insurance claims or accept discount prescription cards.

In response to the situation, the American Hospital Association (AHA) issued a warning yesterday recommending that all healthcare organizations that rely on Optum solutions disconnect their systems immediately to protect their partners' and patients' data.

"We recommend that all health care organizations that were disrupted or are potentially exposed by this incident consider disconnection from Optum until it is independently deemed safe to reconnect to Optum," warned the American Hospital Association.

BleepingComputer has learned that healthcare providers have begun to disconnect from Optum, Change Healthcare, and UHG to prevent the potential spread of the attack to their own systems.

Columbia University announced that the New York Presbyterian healthcare system, which includes the Weill Cornell and Columbia hospitals, advises partners to disconnect from UGH services.

Columbia University said they have also blocked all email connections with UnitedHealth Group's domains and advise that no employees visit those domains until told it is safe.

"Additionally, to minimize the risk this external cyber security event presents to our computing environment, we have taken the extraordinary precaution of blocking email from the following domains: Optum.com, Changehealthcare.com, Caremount.com, Unitedhealthgroup.com, Uhc.com, and Uhg.com." 

The US military's healthcare provider for active-duty personnel, Tricare, has also been impacted, announcing that the Optum outage has forced all US military pharmacies worldwide to fill prescriptions manually.

While it is unclear what type of attack is behind Change Healthcare and Optum's outages, even though they claim it is a "nation-state" actor, it bears all the signs of a ransomware attack.

If a ransomware gang conducted this cyberattack, then it is likely that patient and corporate data would have been stolen in the attack.

This stolen data will then be used as leverage, where the threat actors will threaten to leak the data if a ransom is not paid.

The investigation into the incident is ongoing, and official details regarding the extent of the cyberattack have yet to be disclosed.

---

Update 2/23 (1) - We have received information that the incident also impacts Availity, the clearinghouse for Therabill, that has paused claims processing and remittance advice as a result.

According to an email circulated by the organization,  Change Healthcare notified Availity, who then stopped the connections to Change Healthcare, Optum, and United Healthcare as a precaution.

Therabill's security team has reportedly not detected any compromise of its members' data and is actively monitoring the situation to ensure data protection.