
ALPHV website goes down amid growing fallout from Change Healthcare attack

The website used by the ransomware group believed to be responsible for the breach of one of the United States' largest health care payment processors went down Friday amid reports that the incident has put major financial pressure on medical providers and made it difficult for consumers to get the medicine they need.

It’s not yet clear why the website for ALPHV, also known as BlackCat, was down Friday afternoon. The FBI — which had led an operation that seized some of the site’s infrastructure in December, only to have the group bounce back a short time later — did not respond to a request for comment. Websites used by ransomware groups are sometimes unreliable, going up and down, but the site had been accessible this week and even into Friday.

Health providers across the country have said the attack on Change Healthcare has hampered their ability to process payments. Some smaller practices may have to close down if the problem persists, NBC News reported Friday.

Rick Pollack, the president and CEO of the American Hospital Association, said in a statement that the attack was “the most serious incident of its kind leveled against a U.S. health care organization.”


The most recent update from Change Healthcare, posted Friday afternoon, said the company had put up a “new instance” of its Change Healthcare Rx ePrescribing service and enabled it for all customers as of 1 p.m. Central time.

“We are working on multiple approaches to restore the impacted environment and continue to be proactive and aggressive with all our systems, and if we suspect any issue with the system, we will immediately take action,” the statement read. The company had previously said it was working with law enforcement and the cybersecurity firms Palo Alto Networks and Mandiant to respond to the incident.

The Department of Health and Human Services did not immediately respond to a request for comment.

Eric Goldstein, the executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, told CyberScoop in an emailed statement Friday that CISA “is working with our partners and Change Healthcare to support remediation, assist impacted organizations, and share timely information to reduce the likelihood of similar intrusions.”

ALPHV has claimed responsibility for the attack on Change Healthcare, a subsidiary of Optum and UnitedHealth Group, the largest health care company in the U.S. with revenues of nearly $372 billion in 2023. Change Healthcare processes 15 billion health care transactions annually and touches 1 in every 3 patient records, according to the American Hospital Association.


In December, the FBI carried out an operation to take down infrastructure associated with ALPHV, but the group immediately returned, claiming to have “unseized” the infrastructure targeted by law enforcement. Since then, the group has stepped up its attacks on health care organizations.

ALPHV is a notorious ransomware-as-a-service operation with a track record of attacks around the world and said in a message on its website Wednesday that the group obtained 6 terabytes of “sensitive” information in its attack.

Change Healthcare detected the attack on Feb. 21 and quickly assessed that its outages were the result of a cyberattack, according to a rolling update posted to the company’s website.

The company “proactively isolated the impacted systems from other connecting systems,” UnitedHealth Group said in a Feb. 21 Securities and Exchange Commission filing. Meanwhile, “thousands of organizations” cut Change Healthcare off from their systems to prevent their own systems from getting hacked, further compounding the impact on health care providers and their patients, the Washington Post reported Friday.

Mandiant confirmed Friday it had been engaged by Change Healthcare but declined to comment further. Palo Alto Networks did not respond to a request for comment.

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).