UnitedHealth Group: A Cyberattack Timeline

The massive cyberattack that hit Change Healthcare on February 21, 2024 disrupted hundreds of pharmacies worldwide, as well as patient care, and appears to have been the work of the infamous ALPHV/BlackCat ransomware crew. Change Healthcare is part of insurer UnitedHealth Group’s Optum healthcare business. In 2022, Change Healthcare merged with Optum.

Change Healthcare provides prescription processing services through Optum, which in turn supplies technology services for more than 67,000 pharmacies and care to more than 100 million individual customers. Change Healthcare processes 50% of all medical claims in the United States.

Optum listed more than 100 Change Healthcare services that were affected by the breach. Also disrupted were critical functions such as benefits verification, claims submission and status updates, remittance information transmittal and prior authorization, according to the Healthcare Financial Management Association.

Timeline of Events

MSSP Alert has been following the story from the beginning and will continue to offer updates as new developments arise. What follows is a comprehensive and up-to-date timeline of events.

May 2024

May 3: It’s learned that cyber operatives broke into UnitedHealth’s network by using stolen credentials to log in to a remote access tool that did not have multifactor authentication (MFA) enabled. This news comes via written testimony UnitedHealth Group CEO Andrew Witty presented to the U.S. House Energy and Commerce Committee. According to a copy of Witty’s prepared testimony, ransomware group ALPHV/BlackCat hijacked Change Healthcare's systems and demanded a ransom to unlock them.

April 2024

April 25: UnitedHealth Group confirmed that it has paid a ransom demanded by hackers who struck its Change Healthcare insurer unit in February. The ransom amount was $22 million in Bitcoin. In his subsequent testimony, Witty claims full responsibility for the decision to pay the ransom.

The company also acknowledges that files containing personal information had been stolen in the breach that threw hundreds of medical facilities, physicians and pharmacies into financial and operational chaos.

In a statement, UnitedHealth says that it had located files containing personally identifiable information (PII) or protected health information (PHI) that involved a “substantial portion of people in America.”

April 22: UnitedHealth Group said the ransomware hit on its Change Healthcare unit cost the company $872 million in the first quarter of 2024. It’s the first time the company has made any type of public disclosure as to the material impact of the cyberattack. For all of 2024, UnitedHealth expects the full impact of the attack to run between $1.35 billion and $1.6 billion. The clearinghouse says it has funneled some $6 billion in advance funding and loans to healthcare providers affected by the ransomware strike. It has not yet fully recovered from the cyber offensive, officials say.

March 2024

March 27: Healthcare organizations would face minimum cybersecurity standards under a new bill proposed by Sen. Mark Warner (D-VA) that will impose a set of requirements on how they protect data and conduct business. The measure arrives in the wake of at least six class action lawsuits filed against Change Healthcare and its parent company UnitedHealth Group, as of March 20, 2024.

March 13: UnitedHealth Group said that Change Healthcare's pharmacy network is back online. (Source: Reuters)

March 7: Change’s electronic prescription system is fully operable for claims and payments. UnitedHealth suspends MA and D-SNP prior authorizations for outpatient services until March 31.

March 6: UnitedHealth faces five federal lawsuits over the attack. (Source: Healthleadersmedia.com)

March 4: The American Hospital Association (AHA) says Change’s funding program is inadequate. Some providers start losing more than $100 million a day. (Source: Healthleadersmedia.com)

March 3: BlackCat receives a Bitcoin payment of $22 million, Reuters reports.

March 1: UnitedHealth Group reports that a cyberattack at its tech unit, Change Healthcare, was perpetrated by hackers who identified themselves as the BlackCat ransomware group. The company says its experts are working with law enforcement authorities and third-party consultants to gauge the impact on its customers and patients. (Source: Reuters)

Meanwhile, Optum introduces a temporary funding assistance program for providers, and Change also implements a workaround system for pharmacies. (Source: Healthleadersmedia.com)

February 2024

February 29: Healthcare providers across the United States are struggling to get paid following the week-long ransomware outage at UnitedHealth Group, with some smaller providers saying they are already running low on cash. Large hospital chains are also locked out of processing payments, with some absorbing the upfront costs of being unable to collect, according to the AHA. (Source: Reuters)

February 28: SC Magazine, a CyberRisk Alliance media outlet and affiliate publication of MSSP Alert, reports that the cybersecurity incident at UnitedHealth's Change Healthcare that led to slowdowns at pharmacies was caused by a “strain of LockBit malware” that was used to exploit the vulnerabilities in ConnectWise ScreenConnect.

In a statement to MSSP Alert, ConnectWise said that it "cannot confirm any direct connection between the vulnerability with ScreenConnect and the incident reported by Change Healthcare." Its initial review indicates that Change Healthcare is not a direct customer of ConnectWise and says it has not received any reports from any of its managed service provider (MSP) partners indicating that Change Healthcare is one of their customers either.

February 27: In a status update last posted on its website on February 27, Optum says it is “working on multiple approaches” to restore its systems and “will not take any shortcuts or take any additional risk as we bring our systems back online.”

February 26: Ransomware group BlackCat claims responsibility for the attack. (Source: Healthleadersmedia.com)

February 22: The AHA sends out a cybersecurity advisory warning of the attack’s impact on Optum’s services.

February 21: Optum, which merged with Change Healthcare in 2022, reports a massive breach of its IT system, severely impacting its ability to fill prescriptions. Optum lists more than 100 Change Healthcare services that were affected by the breach. Also disrupted are critical functions such as benefits verification, claims submission and status updates, remittance information transmittal and prior authorization. In an 8-K regulatory filing on February 21, UnitedHealthcare said it “suspected” a nation-state threat actor was behind the action but did not offer any further details.

Jim Masters
