ALPHV/BlackCat responsible for Change Healthcare cyberattack

US government's bounty hasn't borne fruit as whack-a-mole game goes on

Updated The ALPHV/BlackCat ransomware gang is reportedly responsible for the massive Change Healthcare cyberattack that has disrupted pharmacies across the US since last week.

According to Reuters, citing "two people familiar with the matter," the notorious ransomware-as-a-service operation was behind the attack on the UnitedHealth-owned business. The Register has not independently confirmed that ALPHV was involved in the intrusion.

Change Healthcare provides a wide range of IT services for medical facilities, including software that lets pharmacies check patients' eligibility for medications and determine insurance coverage. Its customers include two of the largest US pharmacies - CVS and Walgreens - both of which have felt the ill effects of the outage. The health tech biz first disclosed the breach on February 21, and pulled the plugs on some of its IT systems as a result.

On Friday, the American Pharmacists Association said dispensaries across the country could not transmit insurance claims because of the cyberattack. 

"This is resulting in delays in getting prescriptions filled," according to a statement on the group's website. "As of Friday afternoon, the situation was still not resolved and pharmacies across the nation are reporting significant backlogs of prescriptions they are unable to process."

UnitedHealth, in a filing with the US Securities and Exchange Commission, last week blamed a "suspected nation-state associated cyber security threat actor" for the network intrusion.

Neither UnitedHealth nor Change Healthcare immediately responded to The Register's inquiries about ALPHV's reported involvement in the attack. 

In a Monday update, Change Healthcare said things aren't getting much better.

"We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online," according to the incident report. "We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect."

ALPHV has been linked to the Russian-speaking Darkside/Blackmatter gang responsible for the 2021 Colonial Pipeline ransomware attack, and has been ramping up its attacks on critical infrastructure targets since the Feds made a failed takedown attempt in December.

Earlier this month the criminal crew allegedly broke into Canada's Trans-Northern Pipelines and claimed to have stolen around 190GB of data. This followed three other alleged intrusions into energy providers in the US, Canada and Spain. It also took credit for the attacks on both Prudential Financial and LoanDepot.

The US government has since offered bounties up to $15 million for information leading to the identification or location of ALPHV leadership members and/or their arrests. ®

Updated to add

"Since identifying the cyber incident, we have worked closely with customers and clients to ensure people have access to the medications and the care they need. We also continue to work closely with law enforcement and a number of third parties, including Mandiant and Palo Alto Networks, on this attack against Change Healthcare’s systems," the IT provider told The Register.

"We appreciate the partnership and hard work of all of our relevant stakeholders to ensure providers and pharmacists have effective workarounds to serve their patients as systems are restored to normal. As we remediate, the most impacted partners are those who have disconnected from our systems and/or have not chosen to execute workarounds."
