Change Healthcare confirmed Thursday that the Blackcat ransomware group is behind the current cybersecurity attack that has caused widespread disruptions to pharmacies and health systems across the United States.
“Our experts are working to address the matter and we are working closely with leading third-party authorities and consultants,” Change Healthcare told CNBC in a statement Thursday. “We are actively working to understand the impact to members, patients and customers.”
The company said it is working with Mandiant, which is owned by Googleand cybersecurity software provider Palo Alto Networks.
In a since-deleted post on the dark web, Blackcat said Wednesday that it was behind the attack on Change Healthcare's systems. The group said it managed to extract six terabytes of data, including information such as medical records, insurance records and payment information.
Parent company of Change UnitedHealth Group said it discovered that a cyber threat actor breached part of the unit's information technology network on Feb. 21, according to a document filed with the SEC. UnitedHealth isolated and took affected systems offline “immediately upon detection” of the threat, according to the document, but did not disclose the nature of the attack or exactly when it took place.
Blackcat, also called Noberus and ALPHV, steals sensitive data from institutions and threatens to publish it unless a ransom is paid, according to a December statement from the US Department of Justice. Blackcat has compromised computer networks in the United States and around the world, resulting in hundreds of millions of dollars in losses, according to the statement.
Change Healthcare offers payment and revenue cycle management tools that help facilitate transactions such as reimbursement payments. In 2022, it merged with healthcare provider Optum, which serves more than 100 million patients in the US and is owned by UnitedHealth, the country's largest healthcare company by market capitalization.
Brett Callow, a threat analyst at cybersecurity company Emsisoft, said ransomware groups often make posts like these in an effort to bring victims to the negotiating table. Callow, which specializes in ransomware, shared a screenshot of Blackcat's deleted post on social media site X on Wednesday.
He said ransomware groups often exaggerate the amount of data they have stolen, so Blackcat's claims should be treated with skepticism. It can take weeks for an organization to determine exactly what information was stolen, she added, and ransomware groups often take advantage of the period of uncertainty.
“Cybercriminals are not going to tell the truth,” Callow told CNBC in an interview.
UnitedHealth said in its SEC filing that it suspected an actor associated with a nation-state was behind the attack, but Callow said Blackcat is a for-profit cybercrime operation. He called the discrepancy “peculiar” but said there could be more to the breach that he doesn't know about.
Ransomware attacks can be particularly dangerous within the healthcare sector, as they can cause immediate harm to the physical safety of patients, said John Riggi, national cybersecurity and risk advisor for the American Hospital Association.
When systems go down, diagnostic technologies like CT scanners can go offline and ambulances transporting patients are often rerouted, which can delay life-saving care, he said.
“Change, they're a victim,” Riggi told CNBC. “Ultimately, however, this was not just an attack on them, but on the entire health sector.”
Change Healthcare's systems have been down for nine consecutive days and it is unclear when they will be back online.
LOOK: Companies must understand that cyber risk is a business risk