Share this article on:
The ALPHV ransomware group has officially claimed responsibility for the attack on Change Healthcare that crippled the organisation’s systems.
ALPHV, also commonly referred to as BlackCat, was believed to have been responsible for unauthorised access to the UnitedHealth subsidiary’s systems, with the group saying that it believed a nation-state actor was behind the attack.
“On February 21, 2024, UnitedHealth Group (the ‘company’) identified a suspected nation-state associated cyber security threat actor who had gained access to some of the Change Healthcare information technology systems,” UnitedHealth wrote in a Securities and Exchange Commission (SEC) filing.
UnitedHealth also added that the attack was limited to just Change Healthcare’s systems.
At the time of initial reporting, Cyber Daily observed that ALPHV had not yet listed Change Healthcare on its dark web leak site.
However, the threat group has since taken to its leak site to claim responsibility for the attack, publishing a statement on its leak site.
“UnitedHealth has announced that the attack is ‘strictly related’ to Change Healthcare only and it was initially attributed to a nation-state actor. Two lies in one sentence,” the group wrote.
“Only after threatening them to announce it was us, they started telling a different story.
“It is true that the attack is centered at Change Healthcare [production] and corporate networks, but why is the damage extremely high?
“Change Healthcare production servers process extremely sensitive data to all of UnitedHealth clients that rely on Change Healthcare technology solutions, meaning thousands of healthcare providers, insurance providers, pharmacies, etc …
“Also, being inside a production network, one can imagine the amount of critical and sensitive data that can be found.”
ALPHV claimed to have exfiltrated over six terabytes of “highly selective data”, which affected a number of major Change Healthcare partners, including Medicare, Tricare, CVS CareMark, Loomis, Davis Vision, Health-Net, MetLife, Teachers Health Trust, and “tens of insurance companies and others”.
It also said the exfiltrated data includes “millions of” medical records, dental records, payment and claims information, insurance records, over 3,000 source code files for Change Healthcare and both active military personnel and patient personally identifiable information (PII) such as phone numbers, emails, addresses, social security numbers.
“Anyone with some decent critical thinking will understand what damage can be done with such intimate data on the affected clients of UnitedHealth/UnitedHealth solutions as well, beyond simple scamming/spamming,” the group added.
“After 8 days and Change Health have still not restored its operations and chose to play a very risky game hence our announcement today.
“UnitedHealth you are walking on a very thin line be careful you might just fall over.”
Finally, ALPHV added that despite cyber experts’ beliefs that the group gained access through the ConnectWise exploit, its initial access was achieved through other means.
“For all those cyber intelligence so called expert dumbasses we did not use ConnectWise exploit as our initial access so you should base your reports you tell people on actual facts not kiddi speculations,” the group said.
UnitedHealth is yet to respond to the latest announcement or provide any update. Cyber Daily has reached out to the organisation for comment.