Change Healthcare on Thursday confirmed that the ransomware group Blackcat is behind the ongoing cyberattack that has caused widespread disruptions to pharmacies and health systems across the U.S.
“Our experts are working to handle the matter and we’re working closely with law enforcement and leading third-party consultants,” Change Healthcare told CNBC in an announcement Thursday. “We’re actively working to grasp the impact to members, patients and customers.”
The company said it is working with Mandiant, which is owned by Google, and the cybersecurity software vendor Palo Alto Networks.
In a since-deleted post on the dark web, Blackcat said Wednesday that it was behind the attack on Change Healthcare’s systems. The group said it managed to extract six terabytes of data, including medical records, insurance records and payment information.
Change’s parent company, UnitedHealth Group, said it discovered that a cyber threat actor had breached part of the unit’s information technology network on Feb. 21, according to a filing with the Securities and Exchange Commission. UnitedHealth isolated and disconnected the impacted systems “immediately upon detection” of the threat, the filing said, but it did not disclose the nature of the attack or exactly when it took place.
Blackcat, also known as Noberus and ALPHV, steals sensitive data from institutions and threatens to publish it unless a ransom is paid, according to a December release from the U.S. Department of Justice. Blackcat has compromised computer networks across the U.S. and the globe, amounting to many hundreds of thousands of dollars in losses, the release said.
Change Healthcare offers tools for payment and revenue cycle management that help facilitate transactions such as reimbursement payments. In 2022, it merged with the health-care provider Optum, which serves more than 100 million patients in the U.S. and is owned by UnitedHealth, the country’s biggest health-care company by market cap.
Brett Callow, a threat analyst at the cybersecurity company Emsisoft, said ransomware groups often make posts like these in an effort to bring victims to the negotiating table. Callow, who focuses on ransomware, shared a screenshot of Blackcat’s deleted post on the social media site X on Wednesday.
He said ransomware groups often exaggerate the amount of data they have stolen, so Blackcat’s claims should be treated with skepticism. It can take weeks for a company to determine exactly what information was stolen, he added, and ransomware groups often use that period of uncertainty to their advantage.
“Cybercriminals, they don’t seem to be going to inform the reality,” Callow told CNBC in an interview.
UnitedHealth said in its filing with the SEC that it suspected a nation-state-associated actor was behind the attack, but Callow said Blackcat is a for-profit cybercrime operation. He called the discrepancy “peculiar,” but said there could be more to the breach than he knows about.
Ransomware attacks can be particularly dangerous in the health-care sector, as they can cause immediate harm to patients’ physical safety, said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association.
When systems go dark, diagnostic technologies like CT scanners can go offline, and ambulances carrying patients are sometimes diverted, which may delay lifesaving care, he said.
“Change, they are a victim,” Riggi told CNBC. “Ultimately, though, this was not an attack just on them, this was an attack on the complete health-care sector.”
Change Healthcare’s systems have been down for nine straight days, and it’s unclear when they are going to come back online.