UnitedHealth cyber attack causes medical payment processing freeze US-wide

ALPHV’s attack on Change Healthcare continues to cause problems, with payments to hundreds, if not thousands, of healthcare providers across the US being frozen.

Daniel Croft
Fri, 01 Mar 2024

According to new reports, the attack on the UnitedHealth subsidiary resulted in payment processing outages for healthcare organisations across the country.

This has left smaller healthcare practices struggling massively to pay their staff and bills, while large healthcare organisations and hospital chains have been forced to disable their payment and billing management systems, absorbing the expenses related to non-payments until the systems are back online or they can no longer do so.

There have also been delays for those attempting to fill prescriptions in all 50 US states, according to the American Pharmacists Association.


UnitedHealth previously stated that it had provided healthcare organisations and pharmacists with workarounds for getting prescription medicine to patients, saying that 90 per cent of the 70,000 pharmacies nationwide had implemented electronic workarounds.

The news comes as UnitedHealth confirms ALPHV is behind the cyber attack.

“Change Healthcare can confirm we are experiencing a cyber security issue perpetrated by a cyber crime threat actor who has represented itself to us as ALPHV/BlackCat,” wrote UnitedHealth Group in a statement seen by media.

“We are actively working to understand the impact to members, patients and customers.

“Patient care is our top priority, and we have multiple workarounds to ensure people have access to the medications and the care they need.”

The organisation originally said a state-sponsored actor was suspected to be behind the attack, but appears to have been convinced to announce ALPHV as responsible following a statement on the threat group’s dark web leak site.

“UnitedHealth has announced that the attack is ‘strictly related’ to Change Healthcare only and it was initially attributed to a nation-state actor. Two lies in one sentence,” the group wrote.

“Only after threatening them to announce it was us, they started telling a different story.

“It is true that the attack is centered at Change Healthcare [production] and corporate networks, but why is the damage extremely high?

“Change Healthcare production servers process extremely sensitive data to all of UnitedHealth clients that rely on Change Healthcare technology solutions, meaning thousands of healthcare providers, insurance providers, pharmacies, etc …

“Also, being inside a production network, one can imagine the amount of critical and sensitive data that can be found.”

ALPHV claimed to have exfiltrated over six terabytes of “highly selective data”, which affected a number of major Change Healthcare partners, including Medicare, Tricare, CVS Caremark, Loomis, Davis Vision, Health-Net, MetLife, Teachers Health Trust, and “tens of insurance companies and others”.

It also said the exfiltrated data includes “millions of” medical records, dental records, payment and claims information, insurance records, over 3,000 source code files for Change Healthcare, and personally identifiable information (PII) belonging to both active military personnel and patients, such as phone numbers, emails, addresses and social security numbers.

ALPHV seems particularly motivated to disrupt the medical industry in the US, having vowed to take the gloves off after its operations were taken down by the FBI and other global law enforcement agencies.

“Because of [the FBI’s] actions, we are introducing new rules, or rather removing ALL the rules except one, you can not touch the CIS [Commonwealth of Independent States], you can now block hospitals, nuclear power plants, anything and anywhere,” it said.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
