Frequently Asked Questions
-
What happened?
On Feb. 21, 2024, a cybercriminal group calling themselves ALPHV or BlackCat deployed a ransomware attack inside Change Healthcare's information technology environments, encrypting Change's systems so we could not access them.
Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact. Our security team, along with law enforcement and independent experts, began working to address the matter. At this time, we believe the cybersecurity issue is specific to Change Healthcare.
UnitedHealth Group continues to make substantial progress in mitigating the impact to consumers and care providers of the unprecedented cyberattack on the U.S. health system and the Change Healthcare claims and payment infrastructure. Our focus has been on ensuring access to care and medications by addressing challenges to pharmacy, medical claims and payment systems targeted by the attack.
“We are committed to providing relief for people affected by this malicious attack on the U.S. health system,” said Andrew Witty, CEO of UnitedHealth Group. “All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practices, and that patients can get their medications. We’re determined to make this right as fast as possible.”
Based on our ongoing investigation, there is no indication that any other UnitedHealth Group systems have been affected by this attack.
-
How confident are you in your current operational systems?
We have a high level of confidence Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue. We see no evidence of compromise beyond the scope of the Change Healthcare applications.
We will continue to be proactive and aggressive with all our systems, and if we suspect any issue with the system, we will immediately take action and disconnect. Anything available and up and running today has been deemed clean and appropriate for us to continue to operate.
We have no suspicions about any of the production systems available to you. As we remediate, the most impacted partners are those who have disconnected from our systems and/or did not have business continuity plans sufficient to execute workarounds. We are actively engaging with those customers to understand how we can help.
-
What areas of the health system does Change Healthcare support?
Change Healthcare works across the health system to make clinical, administrative and financial processes simpler and more efficient for payers, providers and consumers. Key areas of support include pharmacy claims transactions, provider claims processing, patient access and financial clearance, provider payments, and authorizations and medical necessity reviews. We have been working with clients, providers and pharmacies to enact manual processes for these activities and will continue to provide updates.
-
What actions have you taken to ensure no further impact?
In the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact and established a perimeter, thereby quarantining the threat and preventing further damage. This was done so our customers and partners do not need to take action. We have a high level of confidence Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue. We believe all operational systems are safe for continued use.
By the afternoon of February 21, experts from Google, Microsoft, Cisco, Amazon and others were en route to Change’s Nashville Central Command Operations Center, where they joined security teams from Mandiant and Palo Alto Networks.
Together with our Change Healthcare colleagues, they immediately began the around-the-clock and enormously complex task of safely and securely rebuilding Change Healthcare’s technology infrastructure from the ground up. The team replaced thousands of laptops, rotated credentials, rebuilt Change Healthcare’s data center network and core services, and added new server capacity.
Our security team continues to work with leading cybersecurity firms — including Mandiant and Palo Alto Networks — as well as external resources to investigate the issue, while also working to protect our systems. Furthermore, Microsoft and Amazon Web Services are engaged with us on additional scanning of our cloud environment. We will continue to be proactive and aggressive with all our systems, and if we suspect any issue with the system, we will immediately take action and disconnect.
As of right now, we see no evidence of lateral movement beyond the Change Healthcare environment. There is no evidence of cross-contamination or that this has moved beyond those boundaries.
-
What can you tell us about the ransomware attack?
On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops. The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.
As we have addressed the many challenges in responding to this attack, including dealing with the demand for ransom, we have been guided by the overriding priority to do everything possible to protect people’s personal health information.
-
Has the company been in touch with law enforcement?
Yes. At this time, we are doing everything possible in the interest of protecting our partners and patients. We have been transparent with law enforcement, and we will continue to coordinate with our law enforcement partners. Within hours of the ransomware launch, we contacted the FBI and remain in regular communication. We shared critical information, including details about the intrusion, the method of attack, Indicators of Compromise (IOC) and other information that would assist in their investigation.
This incident serves as yet another reminder of the interconnectedness of our health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the industry.
-
What specific steps are you taking to ensure the security of data and technology?
We remain confident in what our telemetry and controls demonstrated — that our Optum, UnitedHealthcare and UnitedHealth Group systems are safe and were not affected by this issue. While forensic analysis continues with Mandiant, we are confident in the safe restore date that was established. The forensic work led by Mandiant continues to validate that this attack stopped at the Change firewall. There has never been, nor is there now, any evidence of traversal to Optum, UnitedHealthcare, UnitedHealth Group or any other endpoint.
We remain vigilant and, in partnership with Mandiant and Palo Alto Networks, our heightened and aggressive threat hunting continues across the Change, Optum, UnitedHealthcare and UnitedHealth Group environments. Palo Alto Networks’ Attack Surface Monitoring (ASM) is scanning all company domains and will remain in place indefinitely.
Here are some of the security measures we took while restoring Relay Exchange and Assurance services with an abundance of caution:
- In partnership with AWS, we restored systems across accounts from clean backups.
- A leading cybersecurity platform, Trend Micro, completed scanning prior to services going into production.
- Amazon GuardDuty was used to complete the initial scanning post restoration.
- Palo Alto’s Unit 42 scanned the environment for malicious activity and unauthorized behavior.
- Change Healthcare also conducted vulnerability scans via Tenable.
- Bishop Fox penetration tested external-facing endpoints.
- Servers supporting Assurance and Relay Exchange were re-scanned by Mandiant and confirmed cleared prior to moving the servers to the production environment.
- Documentation from Bishop Fox, Mandiant and UnitedHealth Group was made available for customers reconnecting to the service.
Customers can obtain documentation with help from their client executive or by submitting a request via the link on this website. We have provided and will continue providing third-party assurances for products brought back into production.
As we continue to restore products, please know that core services are being monitored 24/7 by the Optum Security Operations Center, Palo Alto and Mandiant, and this will continue. No service will return to production until it has been scanned by multiple agents, is under active monitoring by a third party, and has been cleared by Mandiant, Palo Alto or both. Consistent with industry practices, external points have been pen-tested, remediated where necessary and cleared.
If you are still unsure how to safely reconnect or are running into questions or issues with security gateways, etc., please reach out to your client executive or submit a request via the link on this website. Our team is committed to getting everyone back up and running as safely and as quickly as possible.
We have said previously that we are investigating the extent of impacted data as quickly as possible, and we have an update on where we are.
A review of the data is underway by a leading forensics expert. At this time, we know that the data had some quantity of personal health information and personally identifiable information. We are working to determine the quantity of impacted data, and we are fully committed to providing notifications to impacted individuals when determinations are able to be made — and will work with the Office for Civil Rights and our customers in doing so.
This is taking time because Change Healthcare’s own systems were impacted by the event and difficult to access, so it was not safe to immediately pull data directly from the Change systems. We recently obtained a dataset that is safe for us to access and analyze. Because of the mounting and decompression procedures needed as a first step, we have only recently reached a position to begin analyzing the data.
We continue to be vigilant, and we are committed to providing appropriate support to people whose data is found to have been compromised.
We are committed to providing updates as we progress through the data, not just at the end. We also know customers are interested in hearing about what data is impacted to determine if they have notification obligations. We will be offering to do the notification work for customers where permitted.
-
What types of data were affected?
Although Change Healthcare's data analysis is ongoing, the information involved may have included contact information (such as first and last name, address, date of birth, phone number, and email) and one or more of the following:
- Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
- Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
- Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
- Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.
The information that may have been involved will not be the same for every impacted individual. To date, we have not yet seen full medical histories appear in the data review. Also, some of this information may have related to guarantors who paid bills for health care services. A guarantor is the person who paid the bill for health care services.
-
What types of data do you have about my patients / members?
Change Healthcare works across the health system to support pharmacy claims transactions, provider claims processing, patient access and financial clearance, provider payments, and authorizations and medical necessity reviews. For example, Change Healthcare e-prescription solutions enable providers to electronically share prescriptions with pharmacies to generate prescriptions and then route prescriptions and claims to PBMs for approval and payment.
-
When and how will notifications happen?
- Change Healthcare has begun mailing written notices to individuals affected by the February cybersecurity incident, in line with the process we announced in June. Because we are mailing on a rolling basis, we do not have a date when specific sets of individuals will receive notification, but the mailing will begin July 29.
- Change Healthcare is committed to notifying potentially impacted individuals as quickly as possible, given the volume and complexity of the data involved. Please note, we may not have sufficient addresses for all affected individuals.
- In addition, Change Healthcare provided a substitute notice link on June 20 that should remain prominently posted on the home page of your website until at least 90 consecutive days from the date you posted it. This substitute notice contains the information Change Healthcare can provide at this time while Change Healthcare is in its late stages of data review to identify affected individuals.
- If you have not already posted Change Healthcare’s HIPAA substitute notice on the home page of your website, we encourage you to do so. The substitute notice can be found at: https://www.changehealthcare.com/hipaa-substitute-notice.
-
Will I have to do my own notifications if I am notified later that I am an impacted customer?
- Change Healthcare is proceeding as the delegate on behalf of HIPAA customers who have been notified by Change Healthcare that they were impacted and who have not opted out of Change Healthcare’s notification process.
- The OCR published a press release and updated its webpage on May 31, 2024, which makes clear that covered entity customers may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.
- Although you may wish to consult counsel to assess your legal obligations, this type of delegation is an industry standard practice.
- To reduce burdens on impacted customers, Change Healthcare will validate addresses and will draft and send direct notice letters via U.S. mail to those individuals determined to be affected through data review attributable to specific customers, and for whom Change Healthcare has sufficient addresses, on behalf of impacted covered entity customers — unless those customers opt out by the specific deadline.
-
Should I be communicating anything to my employees/members while I wait to see through data review if I am notified that I am an impacted customer?
It is not necessary. Change Healthcare is proceeding as the delegate on behalf of HIPAA customers who have been notified by Change Healthcare that they were impacted and who have not opted out of Change Healthcare’s notification process.
However, if you would like to send employees/members information on support services, including credit monitoring and identity theft protections, you may do so.
A dedicated call center is available to offer free credit monitoring and identity theft protections for two years to anyone who believes they may have been impacted. The call center will also include trained clinicians to provide emotional support services to those who request it. Given the ongoing nature and complexity of the data review, the call center will not be able to provide any specifics on individual data impact at this time. The call center can be reached at 1-866-262-5342.
Individuals can visit a dedicated website at changecybersupport.com to get more information and details on these resources.
-
Members/patients are calling us directly. Where can we send them for more information?
We have established a dedicated call center to offer additional resources and information to people who are concerned they may have been affected by this incident. The call center can be reached at 1-866-262-5342. If you would like, you may refer your inquiring members and/or patients to contact this toll-free call center. You may also refer members and/or patients to our website at changecybersupport.com.