Health care company ties Russian-linked cybercriminals to prescriptions breach

A ransomware attack is disrupting pharmacies and hospitals nationwide, leaving patients with problems filling prescriptions or seeking medical treatment.

On Thursday, UnitedHealth Group accused a notorious ransomware gang known as Black Cat, or AlphV, of hacking health care payment systems across the country.

Last week, the top health insurance company disclosed that its subsidiary, Optum, was impacted by a "cybersecurity issue," leading to its digital health care payment platform, known as Change Healthcare, being knocked offline.

As a result, hospitals, pharmacies and other health care providers have either been unable to access the popular payment platform, or have purposefully shut off connections to its network to prevent the hackers from gaining further access.

UnitedHealth says that as of Monday it estimated that more than 90% of 70,000 pharmacies in the U.S. have had to change how they process electronic claims as a result of the outage.

While the company has set up a website to track the ongoing outage, reassuring customers that there are "workarounds" to ensure access to medications, the outage could last "weeks," according to a UnitedHealth executive who spoke on a conference call with cybersecurity officers, a recording of which was obtained by STAT News.

After hiring multiple outside firms, including top cybersecurity companies Mandiant and Palo Alto Networks, UnitedHealth released its conclusion that BlackCat, or AlphV, is behind the breach, a conclusion bolstered by the group itself originally claiming credit on its dark web leak site. The post has since been taken down.

"Hacked the hackers"

However, the fact that the ransomware gang may be responsible is also something of a twist.

Just a few months ago, the FBI broke into the groups' internal servers, stealing information about decryption tools for victims and seizing control of several of its websites. The U.S. government celebrated the disruption, a major operation with multiple foreign governments involved. "In disrupting the Black Cat ransomware group, the Justice Department has once again hacked the hackers," said Deputy Attorney General Lisa Monaco in a news release.

Black Cat's seeming ability to regroup and breach one of the largest health care entities in the U.S. demonstrates how challenging it is to hamper these groups long-term.

Cybercriminals frequently reassemble after experiencing setbacks, particularly when their operators are located in countries whose law enforcement agencies are lax about prosecuting their crimes.

That's especially true in Russia. While researchers have not definitively tied BlackCat to Russia or its government, they've concluded it is a Russian-speaking group. U.S. intelligence officials have spoken frequently about the Russian government's willingness to turn a blind eye to cybercrime, in exchange for the hackers' service in intelligence operations. That has been especially true during the war in Ukraine.

In addition to the health care breach, Black Cat also recently claimed to have stolen classified documents and sensitive personal data about Department of Defense employees from U.S. federal contractors.