Ransomware gang claims they stole 6TB of Change Healthcare data

Image: Midjourney

The BlackCat/ALPHV ransomware gang has officially claimed responsibility for a cyberattack on Optum, a subsidiary of UnitedHealth Group (UHG), which led to an ongoing outage affecting the Change Healthcare platform.

Change Healthcare is the largest payment exchange platform used by more than 70,000 pharmacies across the United States. UHG is the world's largest healthcare company by revenue, employing 440,000 people worldwide and working with over 1.6 million physicians and care professionals in 8,000 hospitals and other care facilities.

In a statement published on their dark web leak site today, BlackCat said that they allegedly stole 6TB of data from Change Healthcare's network belonging to "thousands of healthcare providers, insurance providers, pharmacies, etc."

"Being inside a production network one can imagine the amount of critical and sensitive data that can be found. The data relates to all Change Health clients that have sensitive data being processed by the company," BlackCat said.

The ransomware gang claims that they stole source code for Change Healthcare solutions and sensitive information belonging to many partners, including the U.S. military's Tricare healthcare program, the Medicare federal health insurance program, CVS Caremark, MetLife, Health Net, and tens of other healthcare insurance providers.

Per BlackCat's claims, the sensitive data stolen from Change Healthcare contains a wide range of information on millions of people, including their:

• medical records
• insurance records
• dental records
• payments information
• claims information
• patients' PII data (i.e., phone numbers, addresses, social security numbers, email addresses, and more)
• active U.S. military/navy personnel PII data

On a dedicated status page, Optum warned hours before this article was published that they're still working on restoring impacted systems to bring them back online, adding that Optum, UnitedHealthcare, and UnitedHealth Group systems have not been affected.

While UnitedHealth Group VP Tyler Mason did not confirm that BlackCat was behind the incident, Mason told BleepingComputer earlier this week that 90% of the affected 70,000+ pharmacies have switched to new electronic claim procedures to address the Change Healthcare issues.

Today, BlackCat also denied that affiliates who breached Change Healthcare's network used a critical ScreenConnect auth bypass flaw (CVE-2024-1709), as BleepingComputer was told earlier this week by sources familiar with the investigation.

On Tuesday, the FBI, CISA, and the Department of Health and Human Services (HHS) warned that Blackcat ransomware affiliates primarily target organizations in the U.S. healthcare sector.

"Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized," the three federal agencies said.

"This is likely in response to the ALPHV Blackcat administrator's post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023."

The FBI previously linked BlackCat to over 60 breaches during its first four months of activity (between November 2021 and March 2022) and said the gang raked in at least $300 million in ransoms from over 1,000 victims until September 2023.

The U.S. State Department now offers up to $15 million for tips that help identify or locate BlackCat gang leaders and individuals linked to the group's ransomware attacks.