Change Healthcare on Thursday confirmed that ransomware group Blackcat is behind the continuing cybersecurity attack that has caused widespread disruptions to pharmacies and health systems across the U.S.
“Our experts are working to handle the matter and we’re working closely with law enforcement and leading third-party consultants,” Change Healthcare told CNBC in a statement Thursday. “We’re actively working to understand the impact to members, patients and customers.”
The company said it’s working with Mandiant, which is owned by Google, and cybersecurity software vendor Palo Alto Networks.
In a since-deleted post on the dark web, Blackcat said Wednesday that it was behind the attack on Change Healthcare’s systems. The group said it managed to extract six terabytes of data, including medical records, insurance records and payment information.
Change’s parent company, UnitedHealth Group, said it discovered that a cyber threat actor breached a part of the unit’s information technology network on Feb. 21, according to a filing with the Securities and Exchange Commission. UnitedHealth isolated and disconnected the impacted systems “immediately upon detection” of the threat, the filing said, but it didn’t disclose the nature of the attack or exactly when it took place.
Blackcat, also known as Noberus and ALPHV, steals sensitive data from institutions and threatens to publish it unless a ransom is paid, according to a December release from the U.S. Department of Justice. Blackcat has compromised computer networks across the U.S. and the globe, amounting to hundreds of millions of dollars in losses, the release said.
Change Healthcare offers tools for payment and revenue cycle management that help facilitate transactions like reimbursement payments. In 2022, it merged with the health-care provider Optum, which serves more than 100 million patients in the U.S. and is owned by UnitedHealth, the country’s largest health-care company by market cap.
Brett Callow, a threat analyst at the cybersecurity company Emsisoft, said ransomware groups often make posts like these in an effort to bring victims to the negotiating table. Callow, who specializes in ransomware, shared a screenshot of Blackcat’s deleted post on the social media site X on Wednesday.
He said ransomware groups often exaggerate the amount of data they’ve stolen, so Blackcat’s claims should be treated with skepticism. It can take weeks for a company to determine exactly what information was stolen, he added, and ransomware groups often use the period of uncertainty to their advantage.
“Cybercriminals, they are not going to tell the truth,” Callow told CNBC in an interview.
UnitedHealth said in its filing with the SEC that it suspected a nation-state-associated actor was behind the attack, but Callow said Blackcat is a for-profit cybercrime operation. He called the discrepancy “peculiar,” but said there might be more to the breach that he doesn’t know about.
Ransomware attacks can be particularly dangerous in the health-care sector, as they can cause immediate harm to patients’ physical safety, said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association.
When systems go dark, diagnostic technologies like CT scanners can go offline, and ambulances carrying patients are sometimes diverted, which might delay lifesaving care, he said.
“Change, they seem to be a victim,” Riggi told CNBC. “Ultimately, though, this was not an attack just on them, this was an attack on the whole health-care sector.”
Change Healthcare’s systems have been down for nine straight days, and it’s unclear when they will come back online.