Change Healthcare on Thursday confirmed that ransomware group Blackcat is behind the ongoing cybersecurity attack that’s caused widespread disruptions to pharmacies and health systems across the U.S.
“Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants,” Change Healthcare told CNBC in a statement Thursday. “We are actively working to understand the impact to members, patients and customers.”
The company said it’s working with Mandiant, which is owned by Google, and cybersecurity software vendor Palo Alto Networks.
In a since-deleted post on the dark web, Blackcat said Wednesday that it was behind the attack on Change Healthcare’s systems. The group said it managed to extract six terabytes of data, including information like medical records, insurance records and payment information.
Change’s parent company, UnitedHealth Group, said it discovered that a cyber threat actor breached part of the unit’s information technology network on Feb. 21, according to a filing with the Securities and Exchange Commission. UnitedHealth isolated and disconnected the impacted systems “immediately upon detection” of the threat, the filing said, but it didn’t disclose the nature of the attack or exactly when it took place.
Blackcat, also called Noberus and ALPHV, steals sensitive data from institutions and threatens to publish it unless a ransom is paid, according to a December release from the U.S. Department of Justice. Blackcat has compromised computer networks across the U.S. and the globe, amounting to hundreds of millions of dollars in losses, the release said.
Change Healthcare offers tools for payment and revenue cycle management that help facilitate transactions like reimbursement payments. In 2022, it merged with the health-care provider Optum, which services more than 100 million patients in the U.S. and is owned by UnitedHealth, the country’s biggest health-care company by market cap.
Brett Callow, a threat analyst at the cybersecurity company Emsisoft, said ransomware groups will often make posts like these in an effort to bring victims to the negotiating table. Callow, who specializes in ransomware, shared a screenshot of Blackcat’s deleted post to the social media site X on Wednesday.
He said ransomware groups often exaggerate the amount of data they’ve stolen, so Blackcat’s claims should be treated with skepticism. It can take weeks for an organization to determine exactly what information was stolen, he added, and ransomware groups often use the period of uncertainty to their advantage.
“Cybercriminals, they’re not going to tell the truth,” Callow told CNBC in an interview.
UnitedHealth said in its filing with the SEC that it suspected a nation-state-associated actor was behind the attack, but Callow said Blackcat is a for-profit cybercrime operation. He called the discrepancy “peculiar,” but said there might be more to the breach that he doesn’t know about.
Ransomware attacks can be particularly dangerous within the health-care sector, as they can cause immediate harm to patients’ physical safety, said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association.
When systems go dark, diagnostic technologies like CT scanners can go offline, and ambulances carrying patients are often diverted, which can delay lifesaving care, he said.
“Change, they’re a victim,” Riggi told CNBC. “Ultimately, though, this was not an attack just on them, this was an attack on the entire health-care sector.”
Change Healthcare’s systems have been down for nine straight days, and it’s unclear when they will come back online.
Don’t miss these stories from CNBC PRO:
WATCH: Companies need to understand that cyber risk is business risk