Black Cat (ALPHV) ransomware struck Change Healthcare — the largest prescription payment processor in the US — in late February 2024, disrupting prescription drug access at more than 70,000 pharmacies nationwide and claiming to have stolen 6 terabytes of data including records tied to TRICARE, Medicare, CVS Caremark, and other major insurance and healthcare networks.
Stories Covered
Black Cat Ransomware Hits Change Healthcare, Knocking Out Prescription Processing Nationwide
Change Healthcare, a technology subsidiary of UnitedHealth Group, is the backend infrastructure that pharmacies use to transmit insurance claims and verify patient coverage before dispensing prescriptions. When a patient goes to a pharmacy, the system communicates with their insurer to confirm eligibility, calculate copays and coinsurance, and authorize the transaction — a process most people never see because it happens in seconds. On approximately February 20, 2024, Black Cat (ALPHV) ransomware operators gained access to Change Healthcare’s systems and took them offline. The disruption cascaded immediately: CVS, Walgreens, and pharmacy chains across the country reported they could not transmit insurance claims, leaving patients either unable to fill prescriptions or forced to pay full out-of-pocket costs that can run into hundreds or thousands of dollars for medications their insurance would normally cover. The American Pharmacists Association reported significant backlogs of prescriptions at pharmacies nationwide. Optum, the UnitedHealth subsidiary that owns Change Healthcare, acknowledged the outage and said it was working to restore systems. Mandiant — Google’s cybersecurity incident response division — was engaged to handle the investigation.
Black Cat publicly claimed responsibility on its dark web leak site, directly contradicting UnitedHealth Group’s early SEC filing that attributed the breach to a suspected nation-state actor. Security analysts pushed back on that characterization immediately — ALPHV is a financially motivated ransomware-as-a-service operation with no known nation-state affiliation. The group claimed to have exfiltrated more than six terabytes of data from Change Healthcare’s production network, describing it as highly selective data covering all Change Health clients with sensitive data being processed by the company. The claimed stolen dataset included source code for Change Healthcare solutions, records tied to the US military’s TRICARE healthcare program, Medicare, CVS Caremark, health insurance providers, and personal identifying information for patients across the network. Change Healthcare processes payments for over 70,000 pharmacies and is used by more than 1.6 million physicians, 8,000 hospitals, and other care facilities. The scale of the potential data exposure — across military personnel, Medicare beneficiaries, and commercial insurance customers — represents a significant long-tail risk for phishing and identity fraud well beyond the immediate service disruption.
The attack came after Black Cat’s December 2023 takedown by FBI-led international law enforcement, which seized the group’s infrastructure and hundreds of decryption keys. The group rebuilt, increased affiliate commissions to as high as 90 percent, and explicitly removed prior restrictions against targeting hospitals and healthcare providers — language that had been in place partly to avoid attracting law enforcement attention to critical infrastructure attacks. The FBI, CISA, and the Department of Health and Human Services issued a joint advisory warning that Black Cat affiliates had been primarily targeting US healthcare organizations since mid-December 2023. The advisory noted that healthcare is a particularly attractive target: large volumes of sensitive data, significant revenue, and widely documented use of outdated infrastructure — some hospital systems still run equipment on Windows XP-era operating systems. FBI tracking placed Black Cat behind over 60 breaches in its first four months of operation and estimated the gang collected at least $300 million in ransoms from more than 1,000 victims through September 2023. The US government had separately announced rewards of up to $10 million for information leading to the identification or location of Black Cat leadership. The Change Healthcare attack signaled that the December takedown had not meaningfully degraded Black Cat’s operational capacity — it had accelerated their targeting of exactly the sector most likely to cause public harm.
Leave a Reply