UnitedHealth Group Confirms ALPHV Ransomware Gang Is Behind Attack

Insurance giant UnitedHealth Group is officially blaming a notorious ransomware group for a major outage that’s been preventing healthcare providers from processing prescriptions. 

The company issued the update as its subsidiary Change Healthcare is still struggling to restore services, a week after suffering the attack, which has ensnared IT systems at hospitals and pharmacies across the country.

“Change Healthcare can confirm we are experiencing a cyber security issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat,” the company said on Thursday. 

The statement clarifies that the attack isn’t exactly from a “suspected nation-state” actor, as UnitedHealth Group initially said. Instead, ALPHV is more of a cybercriminal group, although its members are likely based in Russia. 

The company issued the confirmation a day after ALPHV took to its own site on the Dark Web and claimed responsibility for the attack on Change Healthcare. In some potentially bad news for users, the ransomware gang claims to have stolen 6TB or 6,000GB of data from United Healthcare during the attack. 

This Tweet is currently unavailable. It might be loading or has been removed.

“Change Healthcare production servers process extremely sensitive data to all of UnitedHealth clients that rely on Change Healthcare technology solutions. Meaning thousands of healthcare providers, insurance providers, pharmacies, etc,” the group alleged.

As a result, the stolen data encompasses patient medical records, along with other sensitive user information, such as phone numbers, email addresses, and Social Security numbers, the gang claims. Change Healthcare also serves military hospitals, so data on US service members was apparently stolen as well.

Interestingly, ALPHV appears to have taken down its original post about stealing data from UnitedHealth Group, which suggests the insurance provider may have paid the ransom.

UnitedHealth Group didn’t respond to a request for comment. In the meantime, the company’s statement notes: “Our experts are working to address the matter and we are working closely with law enforcement and…