
UnitedHealth ransomware attack - what's behind it?

UnitedHealth Group ransomware attack - huge financial and patient care ramifications

A cautionary tale from UnitedHealth Group, a U.S.-based health plan provider whose subsidiary Change Healthcare (now Optum) suffered a ransomware attack on Feb 21st that wiped over 100 servers providing critical payment and claim fulfillment services.


The following services ceased working:

  • ⛔ Electronic prescribing used by pharmacies, effectively preventing timely patient access to medicines.

  • ⛔ Electronic payment services which accelerate payments to healthcare service providers (hospitals and medical practices). This interruption directly affects administrative work at the hospital, thus impacting operations at thousands of organizations across the USA.

  • ⛔ Medical claim services allowing healthcare providers to file timely claims against insurers. The inability to fulfill claims puts providers in financial distress, affecting their daily liquidity.


Although some of the services have since resumed, Optum is still projecting a restoration timeline extending to March 18th (almost a month after the attack!), see details here.


The potential toll on patients, the financial impact on healthcare providers and the length of the attack make this one of the most significant attacks against critical infrastructure in the United States (prompting even the federal government to intervene, see here).


The effect on shareholders is also visible: the company's market value has dropped more than 10% since the incident began.


The adversary that launched the attack appears to be the well-known group ALPHV/BlackCat.

The techniques used by this group are a warning for many healthcare providers in our region as well:

  • Social engineering techniques are almost always used to gain initial access. Actors pose as company IT and/or helpdesk staff and use phone calls or SMS messages to obtain passwords.

  • A lack of MFA at public-facing entry points (VPN, RDP, etc.) is a huge enabler for this threat actor, especially once they get hold of a user's credentials.

  • Remote desktop or virtual desktop services (too often lacking any MFA) are also typically exploited.

  • Active Directory networks lacking any MFA are heavily used for lateral movement and privilege escalation, finally leading to data encryption and maximum impact.
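Two of the patterns listed above leave a recognizable trace in remote-access logs: a successful VPN or RDP login that completed without a second factor, and a helpdesk-initiated password reset followed shortly by a remote login from an address the account has never used before. The script below is an added example, not code from the original post or from any of the organizations named in it; the JSON-lines log format, its field names and the sample records are all constructed for illustration and would need to be mapped onto whatever your VPN concentrator, RDP gateway or helpdesk system actually emits.

```python
"""Audit remote-access authentication logs for two patterns a defender would
want flagged: successful VPN/RDP logins completed without MFA, and a helpdesk
password reset followed within a short window by a remote login from a
source address the account had not used before the reset.

The log format, field names and sample records are constructed for this
example (assumption); adapt parse_events() to your real gateway's output.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log in JSON-lines form; not real data.
SAMPLE_LOG = """\
{"ts": "2024-02-20T08:02:11Z", "event": "vpn_login", "user": "jdoe", "result": "success", "mfa": true, "src_ip": "203.0.113.10"}
{"ts": "2024-02-20T08:05:40Z", "event": "rdp_login", "user": "asmith", "result": "success", "mfa": false, "src_ip": "198.51.100.7"}
{"ts": "2024-02-20T09:14:03Z", "event": "helpdesk_pw_reset", "user": "jdoe", "result": "success", "mfa": null, "src_ip": null}
{"ts": "2024-02-20T09:31:57Z", "event": "vpn_login", "user": "jdoe", "result": "success", "mfa": false, "src_ip": "192.0.2.55"}
{"ts": "2024-02-20T10:00:00Z", "event": "vpn_login", "user": "bwong", "result": "failure", "mfa": false, "src_ip": "192.0.2.99"}
"""

# Event types that represent a login at a public-facing entry point.
REMOTE_LOGINS = {"vpn_login", "rdp_login"}


def parse_events(text):
    """Parse JSON-lines log text into a list of event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def mfa_less_logins(events):
    """Return (user, event, src_ip) for every successful remote login with no MFA."""
    return [
        (e["user"], e["event"], e["src_ip"])
        for e in events
        if e["event"] in REMOTE_LOGINS and e["result"] == "success" and not e["mfa"]
    ]


def reset_then_new_ip_login(events, window_minutes=60):
    """Return (user, src_ip, minutes_after_reset) for each successful remote login
    that follows a helpdesk password reset within `window_minutes` and comes from
    a source address the account had not logged in from before the reset."""
    window = timedelta(minutes=window_minutes)
    findings = []
    for i, reset in enumerate(events):
        if reset["event"] != "helpdesk_pw_reset" or reset["result"] != "success":
            continue
        user = reset["user"]
        # Addresses this account successfully used before the reset.
        known_ips = {
            p["src_ip"] for p in events[:i]
            if p["user"] == user and p["event"] in REMOTE_LOGINS and p["result"] == "success"
        }
        for later in events[i + 1:]:
            if later["ts"] - reset["ts"] > window:
                break  # events are time-sorted, nothing further can be in the window
            if (later["user"] == user and later["event"] in REMOTE_LOGINS
                    and later["result"] == "success" and later["src_ip"] not in known_ips):
                minutes = int((later["ts"] - reset["ts"]).total_seconds() // 60)
                findings.append((user, later["src_ip"], minutes))
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for finding in mfa_less_logins(evs):
        print("MFA-less remote login:", finding)
    for finding in reset_then_new_ip_login(evs):
        print("Password reset followed by login from new address:", finding)
```

On the sample data the first check flags both the RDP login by asmith and the later VPN login by jdoe; the second check flags only jdoe, whose helpdesk reset was followed 17 minutes later by a VPN login from an address never seen for that account. In production the first check is best treated as a configuration audit (any hit means an entry point still accepts password-only logins), while the second is an alert worth routing to whoever handles helpdesk verification.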


Have you recognized the above IT system elements at regional healthcare providers?
