Frequently Asked Questions
-
What happened?
On February 21, 2024, a cybercriminal group calling themselves ALPHV or BlackCat deployed a ransomware attack inside Change Healthcare's information technology environments, encrypting Change Healthcare's systems so we could not access them.
Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact. Our security team worked around the clock with several top security experts to address the matter and understand what happened.
UnitedHealth Group has made substantial progress in mitigating the impact to consumers and care providers of the unprecedented cyberattack on the U.S. health system and the Change Healthcare claims and payment infrastructure. Our focus has been on ensuring access to care and medications by addressing challenges to pharmacy, medical claims and payment systems targeted by the attack.
“We are committed to providing relief for people affected by this malicious attack on the U.S. health system,” said Andrew Witty, CEO of UnitedHealth Group. “All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practices, and that patients can get their medications. We’re determined to make this right as fast as possible.”
Based on our ongoing investigation, there is no indication that any other UnitedHealth Group systems have been affected by this attack.
-
How confident are you in your current operational systems?
We continue to have a high level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue. Change Healthcare also has not identified evidence this incident spread beyond Change Healthcare.
We continue to be proactive and aggressive with all our systems, and if we suspect any issue with the system, we will immediately take action and disconnect. Anything available and up and running today has been deemed clean and appropriate for us to continue to operate.
We have no suspicions about any of the production systems made available to you.
As we have remediated, the most impacted partners are those who have disconnected from our systems and/or did not have business continuity plans sufficient to execute workarounds. We have actively engaged with those customers to understand how we can help.
-
What areas of the health system does Change Healthcare support?
Change Healthcare works across the health system to make clinical, administrative and financial processes simpler and more efficient for payers, providers and consumers. Key areas of support include pharmacy claims transactions, provider claims processing, patient access and financial clearance, provider payments, and authorizations and medical necessity reviews. We have worked with clients, providers and pharmacies to enact manual processes for these activities and will continue to provide updates.
-
What actions have you taken to ensure no further impact?
In the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact and established a perimeter, thereby quarantining the threat and preventing further damage. This was done so our customers and partners did not need to take action. We have a high level of confidence Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue. We believe all operational systems are safe for continued use.
By the afternoon of February 21, 2024, experts from Google, Microsoft, Cisco, Amazon and others were en route to Change’s Nashville Central Command Operations Center, where they joined security teams from Mandiant and Palo Alto Networks.
Together with our Change Healthcare colleagues, they immediately began the around-the-clock and enormously complex task of safely and securely rebuilding Change Healthcare’s technology infrastructure from the ground up. The team has replaced thousands of laptops, rotated credentials, rebuilt Change Healthcare’s data center network and core services, and added new server capacity.
Our security team has worked with leading cybersecurity firms — including Mandiant and Palo Alto Networks — as well as external resources to investigate the issue, while also working to protect our systems. Furthermore, Microsoft and Amazon Web Services have been engaged with us on additional scanning of our cloud environment. We continue to be proactive and aggressive with all our systems, and if we suspect any issue with the system, we will immediately take action and disconnect.
Change Healthcare has not identified evidence this incident spread beyond Change Healthcare. Also, to date, we see no evidence of lateral movement beyond the Change Healthcare environment. There is no evidence of cross-contamination or that this has moved beyond those boundaries.
Change Healthcare has also reinforced its policies and practices and implemented additional safeguards in an effort to further strengthen security and to help prevent incidents in the future. Change Healthcare, along with leading external industry experts, continues to monitor the internet and dark web. Change Healthcare is not aware of any misuse of individuals’ information as a result of this incident.
-
What can you tell us about the ransomware attack?
On February 12, 2024, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops. The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.
As we have addressed the many challenges in responding to this attack, including dealing with the demand for ransom, we have been guided by the overruling priority to do everything possible to protect people’s personal health information.
-
Has the company been in touch with law enforcement?
Yes. We have worked tirelessly in the interest of protecting our partners and patients. We have been transparent with law enforcement, and we will continue to coordinate with our law enforcement partners. Within hours of the ransomware launch, we contacted the FBI and remain in regular communication. We shared critical information, including details about the intrusion, the method of attack, Indicators of Compromise (IOC) and other information that would assist in their investigation.
This incident serves as yet another reminder of the interconnectedness of our health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the industry.
-
What specific steps are you taking to ensure the security of data and technology?
We remain confident in what our telemetry and controls demonstrated — that our Optum, UnitedHealthcare and UnitedHealth Group systems are safe and were not affected by this issue. Forensic analysis was conducted by Mandiant, and we are confident in the safe restore date that was established. The forensic work led by Mandiant has continued to validate that this attack stopped at the Change Healthcare firewall. There has never been, nor is there now, any evidence of traversal to Optum, UnitedHealthcare, UnitedHealth Group or any other endpoint.
We remain vigilant and, in partnership with Mandiant and Palo Alto Networks, our heightened and aggressive threat hunting has been conducted across the Change Healthcare, Optum, UnitedHealthcare, and UnitedHealth Group environments. Palo Alto Networks’ Attack Surface Monitoring (ASM) has been scanning all company domains and will remain in place indefinitely.
Here are some of the security measures we took while restoring Relay Exchange and Assurance services with an abundance of caution:
- In partnership with AWS, we restored systems across accounts from clean backups.
- A leading cybersecurity platform, Trend Micro, completed scanning prior to services going into production.
- Amazon GuardDuty was used to complete the initial scanning post restoration.
- Palo Alto’s Unit 42 scanned the environment for malicious activity and unauthorized behavior.
- Change Healthcare also conducted vulnerability scans via Tenable.
- Bishop Fox penetration tested external-facing endpoints.
- Servers supporting Assurance and Relay Exchange were re-scanned by Mandiant and confirmed cleared prior to moving the servers to the production environment.
- Documentation from Bishop Fox, Mandiant and UnitedHealth Group was made available for customers reconnecting to the service.
Customers can obtain documentation with help from their client executive or by submitting a request via this website. We have provided and will continue providing third-party assurances for products brought back into production.
As we have restored products, please know that core services are being monitored 24/7 by the Optum Security Operations Center, Palo Alto and Mandiant, and this will continue. No service will return to production until it has been scanned by multiple agents, is under active monitoring by a third party, and has been cleared by Mandiant, Palo Alto or both. Consistent with industry practices, external points have been pen-tested, remediated where necessary, and cleared.
If you are still unsure how to safely reconnect or are running into questions or issues with security gateways, etc., please reach out to your client executive or submit a request via this website. Our team remains committed to everyone being back up and running as safely and as quickly as possible.
-
What types of data were affected?
The information that may have been involved will not be the same for every impacted individual. All notice letters describe the information potentially involved, even if those data elements were not impacted as to the recipient.
The information involved for individuals may have included contact information (such as first and last name, address, phone number, and email), date of birth, and one or more of the following:
- Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
- Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment information);
- Billing and claims information (such as claim numbers, account numbers, billing codes, payments made, and balance due).
For the majority of potentially affected individuals, Social Security numbers were not impacted, and except in rare instances, financial and banking information, payment cards, driver’s licenses or state ID numbers, or other ID numbers were not involved in this incident.
Also, some of this information may have related to guarantors. A guarantor is the person who agrees to pay the bill for health care services but is not the patient.
-
What types of data do you have about my patients / members?
Change Healthcare works across the health system to support pharmacy claims transactions, provider claims processing, patient access and financial clearance, provider payments, and authorizations and medical necessity reviews. For example, Change Healthcare e-prescription solutions enable providers to electronically share prescriptions with pharmacies to generate prescriptions and then route prescriptions and claims to PBMs for approval and payment.
-
When and how have notifications happened?
Change Healthcare has been committed to notifying individuals as quickly as possible, given the volume and complexity of the data involved. Change Healthcare began mailing written letters on a rolling basis to potentially impacted individuals for whom Change Healthcare has a sufficient address, including on behalf of impacted customers who have been notified and who have delegated the notifications process to Change Healthcare. Please note, Change Healthcare may not have sufficient addresses for all affected individuals. The mailing process to individuals began in late July 2024 and will continue on a rolling basis as per Change Healthcare’s customer directions.
As a vendor, Change Healthcare has notified its impacted customers and is receiving and in some instances awaiting directions from those customers to complete notifications. Notices were sent to impacted customers beginning on June 20, 2024. At this time, Change Healthcare does not anticipate that it will identify any additional customers.
In addition, Change Healthcare provided a substitute notice link on June 20, 2024 that should remain prominently posted on the home page of customers’ websites until at least 90 consecutive days from the date they posted it. Change Healthcare has been providing a substitute notice link to customers to help individuals understand what happened, let them know that their information may have been impacted, and give them information on steps they can take to protect their privacy, including enrolling in two years of complimentary credit monitoring and identity theft protection services if they believe that their information may have been impacted.
If you as an impacted customer have not already posted Change Healthcare’s HIPAA substitute notice link on the home page of your website, we encourage you to do so. The substitute notice can be found at: https://www.changehealthcare.com/hipaa-substitute-notice.
-
Will I have to do my own notifications if I am notified later that I am an impacted customer?
At this time, Change Healthcare does not anticipate that it will identify any additional customers.
Change Healthcare is proceeding as the delegate on behalf of HIPAA customers who have been notified by Change Healthcare that they were impacted and who have not opted out of Change Healthcare’s notification process.
The OCR published a press release and updated its webpage on May 31, 2024, which makes clear that covered entity customers may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.
Although you may wish to consult counsel to assess your legal obligations, this type of delegation is an industry standard practice.
To reduce burdens on impacted customers, Change Healthcare has validated impacted individuals’ addresses where possible. Change Healthcare will also draft and send direct notice letters via U.S. mail to your impacted patients or members for whom Change Healthcare has sufficient addresses — unless you opt out by the specific deadline listed in your customer letter. Some individuals will not be sent a letter due to lack of sufficient address. These individuals will be notified via a substitute notice link which was posted to the Change Healthcare website and provided to Change Healthcare customers beginning June 20, 2024. Please visit changecybersupport.com for more information, including a link for the substitute notice (which is an online version of the notice letter). Impacted customers should link to that substitute notice on their own websites.
-
Should I be communicating anything to my employees/members while I wait to hear if I am an impacted customer?
At this time, Change Healthcare does not anticipate that it will identify any additional customers.
If you have not yet been notified that you are an impacted customer, no specific steps are required. If you have been notified by Change Healthcare that you are an impacted customer, please link to Change Healthcare’s substitute notice as instructed in your letter. Change Healthcare can proceed as your delegate if you do not opt out of Change Healthcare’s notification process. The opt-out deadline and more information are listed in your customer notice letter.
For the majority of potentially affected individuals, Social Security numbers were not impacted, and except in rare instances, financial and banking information, payment cards, driver’s licenses or state ID numbers, or other ID numbers were not involved in this incident. However, if you would like to send employees/members information on support services, including credit monitoring and identity theft protections, you may do so.
A dedicated call center is available to offer two years of free credit monitoring and identity theft protections to anyone who believes they may have been impacted. The call center also includes trained clinicians to provide support services to those who request it. The toll-free call center can be reached at 1-866-262-5342.
Individuals can visit a dedicated website at changecybersupport.com to get more information and details on these resources. Individuals may have additional rights available to them depending on the state they live in and should refer to the Reference Guide contained in the letter sent to them by Change Healthcare or contained in the substitute notice.
-
Members/patients are calling us directly. Where can we send them for more information?
We have established a dedicated call center to offer additional resources and information to people who are concerned they may have been affected by this incident. The toll-free call center can be reached at 1-866-262-5342, available Monday through Friday, 8 a.m. to 8 p.m. CT. If you would like, you may refer your inquiring members and/or patients to contact this toll-free call center. You may also refer members and/or patients to our website at changecybersupport.com, which also contains a substitute notice link. Individuals can also sign up for free credit monitoring and avoid possible wait times by visiting: https://app.idx.us/en-US/account-creation/2E49GM5TZ
-
As a customer, when will I know if my members’ or patients’ data was impacted?
Change Healthcare has notified the final round of impacted customers. At this time, CHC does not anticipate that it will identify any additional customers.
-
Can I receive a letter stating that Change Healthcare’s data review is concluded and that my company was not impacted by the February cyberattack?
Please submit that request to chc_cyber_event_responses@optum.com and be sure to list your customer name. We will review and provide written confirmation.