
Nation-State Threat Actors Hit Change Healthcare


Health insurance company UnitedHealth Group said it is responding to a cyberattack by a nation-state threat actor impacting the IT systems of its Change Healthcare subsidiary.

According to a filing with the SEC last week, UnitedHealth said it found out on Feb. 21 that the actors gained access to some of Change Healthcare’s systems. After this discovery, the company immediately disconnected Change’s systems to prevent further impact. Change Healthcare, which merged with Optum healthcare in 2022 and is owned by UnitedHealth, offers an array of healthcare solutions and applications for hospitals and pharmacies, including ones related to payments and revenue cycle, clinical and imaging, and patient engagement.

“We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online,” according to a Monday update on Change Healthcare’s website. “We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day.”

In its SEC Form 8-K filing, UnitedHealth said the disruption is specific to Change Healthcare systems and other systems across the company don’t appear to be impacted. However, it did not detail the nature of the incident or how it occurred. UnitedHealth said it can’t estimate the duration of time that systems will be disconnected, or the extent of the disruption, but currently it “has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.” Optum’s website says that it serves 101 million unique consumers.

Pharmacies like CVS that rely on Change Healthcare IT systems are feeling an impact due to the cyberattack, but in a statement, a CVS spokesperson said "there is no indication that CVS Health’s systems have been compromised."

"We have business continuity plans in place to minimize disruption of service and apologize for any inconvenience our customers and members may experience," said the CVS spokesperson. "We’re continuing to fill prescriptions but in certain cases we are not able to process insurance claims, which our business continuity plan is addressing to ensure patients continue to have access to their medications."

The American Hospital Association (AHA) on Saturday recommended that all healthcare organizations that have been “disrupted or potentially exposed” by the incident disconnect from Change Healthcare applications. At the same time, each healthcare organization should continue to monitor and evaluate the updates from Change Healthcare “to inform its own risk-based decisions regarding non-impacted systems.”

“Due to its sector-wide presence and the concentration of mission critical services it provides, the reported interruption could have significant cascading and disruptive effects on the health care field within revenue cycle, pharmacy, certain health care technologies, clinical authorizations and other services,” according to the AHA.

Activity by ransomware and nation-state groups against the healthcare and public health sector has continued over the past few years, with threat actors like Daixin Team and the LockBit ransomware group targeting healthcare organizations and hospitals.