UnitedHealth Group's Optum Subsidiary Cyber Attack Linked to BlackCat Ransomware Group

The cyberattack on UnitedHealth Group's subsidiary, Optum, which resulted in a prolonged outage affecting the Change Healthcare payment exchange platform, has been attributed to the BlackCat ransomware group, according to sources familiar with the investigation. Change Healthcare informed customers of the cybersecurity incident, and UnitedHealth Group disclosed in an SEC 8-K filing that the attack was orchestrated by suspected "nation-state" hackers who breached Change Healthcare's IT systems.

The disruption caused by the Change Healthcare shutdown has had widespread effects on billing services, as the platform is extensively utilized throughout the U.S. healthcare system, encompassing electronic health records, payment processing, care coordination, and data analytics systems in various healthcare facilities.

Optum, in its efforts to address the situation, has been providing regular updates on the incident, assuring stakeholders that Optum, UnitedHealthcare, and UnitedHealth Group systems remain unaffected. They emphasize the cautious approach being taken to restore affected services without compromising security.

Forensic experts involved in the incident response have linked the attack to the BlackCat ransomware group, although this connection has not been definitively confirmed. Change Healthcare has been in communication with partners in the healthcare industry via Zoom calls to provide updates on the cyberattack.

While UnitedHealth Group VP Tyler Mason did not confirm BlackCat's responsibility for the attack, he noted that the majority of affected pharmacies have implemented new electronic claim processes to mitigate the impact. However, there have been minimal reports of issues affecting patient care.

UnitedHealth Group, a major player in the healthcare industry, employs a significant workforce and operates globally. Optum Solutions, its subsidiary, manages the Change Healthcare platform, which serves as a vital payment exchange platform within the U.S. healthcare system.

BlackCat, previously associated with DarkSide and BlackMatter ransomware operations, has been active since November 2021. The group has been linked to numerous breaches and has garnered substantial ransom payments from victims. Despite UnitedHealth Group's assertion of a nation-state threat actor, BlackCat has not been explicitly tied to any foreign government agencies.

The U.S. State Department has offered rewards for information leading to the identification or location of BlackCat gang leaders, underscoring the severity of the threat posed by such cybercriminal organizations.