BlackCat Ransomware Gang Alleges Theft of 6TB Data from Change Healthcare

February 28, 2024

The BlackCat/ALPHV ransomware group has publicly taken responsibility for a cyberattack on Optum, a subsidiary of UnitedHealth Group (UHG), which has led to an ongoing outage affecting the Change Healthcare platform. Change Healthcare, the largest payment exchange platform used by over 70,000 pharmacies across the U.S., is a significant part of UHG, the world's largest healthcare company by revenue. UHG employs 440,000 people globally and works with over 1.6 million physicians and care professionals in 8,000 hospitals and other care facilities.

In a statement released on their dark web leak site, BlackCat claimed to have stolen 6TB of data from Change Healthcare's network, which they said belonged to 'thousands of healthcare providers, insurance providers, pharmacies, etc.' BlackCat stated, 'Being inside a production network one can imagine the amount of critical and sensitive data that can be found. The data relates to all Change Health clients that have sensitive data being processed by the company.'

The ransomware group alleges that they stole source code for Change Healthcare solutions and sensitive data belonging to many partners, including the U.S. military's Tricare healthcare program, the Medicare federal health insurance program, CVS Caremark, MetLife, Health Net, and numerous other healthcare insurance providers. According to BlackCat's claims, the stolen data from Change Healthcare contains a wide range of information on millions of people.

Optum issued a warning on a dedicated status page, hours before this article was published, stating that they're still working on restoring the impacted systems to bring them back online. They added that the systems of Optum, UnitedHealthcare, and UnitedHealth Group have not been affected. UnitedHealth Group VP Tyler Mason, while not confirming that BlackCat was behind the incident, mentioned earlier this week that 90% of the affected 70,000+ pharmacies have switched to new electronic claim procedures to address the Change Healthcare issues.

BlackCat also disputed reports that the affiliates who breached Change Healthcare's network used a critical ScreenConnect authentication bypass flaw (CVE-2024-1709), as was suggested earlier this week by sources familiar with the investigation. The FBI, CISA, and the Department of Health and Human Services (HHS) issued a warning on Tuesday that BlackCat ransomware affiliates primarily target organizations in the U.S. healthcare sector. The three federal agencies stated, 'Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized.' They also linked this trend to a post by the ALPHV Blackcat administrator encouraging its affiliates to target hospitals.

The FBI has previously connected BlackCat to over 60 breaches during its first four months of activity and estimated the gang made at least $300 million in ransoms from over 1,000 victims until September 2023. The U.S. State Department is currently offering up to $15 million for information that helps identify or locate BlackCat gang leaders and individuals associated with the group's ransomware attacks.
