Inside UnitedHealth Group's Encounter with Ransomware

Haluk Ulubay
17 May 2024

What Happened to UnitedHealth?

UnitedHealth Group Incorporated is an American multinational health insurance and services company headquartered in Minnetonka, Minnesota; among others, it operates well-known US insurance and healthcare companies such as UnitedHealthcare and Optum.

On February 21, 2024, Change Healthcare, a technology company acquired by UnitedHealth Group on October 3rd, 2022, announced that it was hit by a significant ransomware attack orchestrated by the BlackCat / ALPHV ransomware group. In a filing to the US Securities and Exchange Commission (SEC), UnitedHealth said the attack was perpetrated by a “suspected nation-state associated cybersecurity threat actor.” It subsequently confirmed it had fallen victim to the BlackCat group. (*) 

The incident was described by Rick Pollack, American Hospital Association (AHA) President and CEO, on March 5 as “the most significant and consequential incident of its kind against the US healthcare system in history.” This is due to its impact on hospitals’ ability to provide patient care, fill prescriptions, submit insurance claims, and receive payment for their healthcare services. The AHA also wrote a letter to Congress on March 4 asking for financial support for physicians impacted by the outage. On March 5, the US Department of Health and Human Services announced new measures to help healthcare providers continue to serve patients amid the difficulties in processing payments. Change Healthcare also provided free credit monitoring and identity theft protection services for the victims of the attack, and it established a dedicated website and call center for affected individuals to receive support and updates. (**)

Following the attack, UnitedHealth Group took immediate action to disconnect the affected systems to mitigate the impact and protect partner and patient data. Despite these measures, the cyberattack caused substantial disruptions in healthcare services and financial transactions. While UnitedHealth Group was confirming the attack, it began efforts to restore the impacted services. It also paid a ransom of approximately $22 million to address the situation, as confirmed by its CEO, Andrew Witty.

Furthermore, to address the financial disruptions caused by the cyberattack, UnitedHealth Group initiated a Temporary Funding Assistance Program to aid providers affected by the payment system outage. This program was designed to help bridge the short-term cash flow gaps that arose due to the attack. However, the terms of this support program received criticism from the American Hospital Association for its stringent conditions.


Timeline of Events

May 2024

  • May 3: The written testimony UnitedHealth Group CEO Andrew Witty presented to the U.S. House Energy and Commerce Committee said that cyber operatives used stolen credentials to access a remote access tool that was not protected with multi-factor authentication (MFA) to break into UnitedHealth’s network.

April 2024

  • April 25: UnitedHealth Group confirmed, and Mr. Witty claimed full responsibility for the decision, that UnitedHealth had paid a ransom demanded by the hackers who struck its Change Healthcare unit in February.

  • April 22: UnitedHealth Group said the ransomware hit on its Change Healthcare unit cost the company $872 million in the first quarter of 2024. For all of 2024, UnitedHealth expects the full impact of the attack will run to $1.35 billion to $1.6 billion.

March 2024

  • March 27: Sen. Mark Warner (D-VA) proposed a new bill that would impose a set of requirements on healthcare organizations: they would face minimum cybersecurity standards and requirements on how they protect data and conduct business.

  • March 13: Change Healthcare's pharmacy network is back online. (Source: Reuters)

  • March 7: Change’s electronic prescription system is fully operable for claims and payments.

  • March 6: UnitedHealth faces five federal lawsuits over the attack. (Source:

  • March 3: Blackcat receives a Bitcoin payment of $22 million, Reuters reports.

  • March 1: UnitedHealth Group reports that a cyberattack at its tech unit, Change Healthcare, was perpetrated by hackers who identified themselves as the Blackcat ransomware group. (Source: Reuters)

February 2024

  • February 29: Healthcare providers across the United States are struggling to get paid following the week-long ransomware outage at UnitedHealth Group, with some smaller providers saying they are already running low on cash (Source: Reuters)

  • February 28: SC Magazine, a CyberRisk Alliance media outlet and affiliate publication of MSSP Alert, reports that the cybersecurity incident at UnitedHealth's Change Healthcare that led to slowdowns at pharmacies was caused by a “strain of LockBit malware” that was used to exploit the vulnerabilities in ConnectWise ScreenConnect.

In a statement to MSSP Alert, ConnectWise said that it "cannot confirm any direct connection between the vulnerability with ScreenConnect and the incident reported by Change Healthcare." Its initial review indicates that Change Healthcare is not a direct customer of ConnectWise, and it says it has not received any reports from any of its managed service provider (MSP) partners indicating that Change Healthcare is one of their customers either.

  • February 27: In a status update last posted on its website on February 27, Optum says it is “working on multiple approaches” to restore its systems and “will not take any shortcuts or take any additional risk as we bring our systems back online.”

  • February 26: Ransomware group BlackCat claims responsibility for the attack. (Source:

  • February 21: Optum, a subsidiary of UnitedHealth, which merged with Change Healthcare in 2022, reports a massive breach of its IT system, severely impacting its ability to fill prescriptions. Optum lists more than 100 Change Healthcare services that were affected by the breach.

What Was the Impact of the UnitedHealth Ransomware Attack on the Healthcare Industry?

Overall, the cyberattack on Change Healthcare served as a critical reminder of the vulnerabilities in healthcare technology systems, stressing the importance of robust cybersecurity strategies to protect against and mitigate the effects of such incidents.

This event highlights the critical importance of cybersecurity measures in protecting vital healthcare infrastructure and data.

In particular:

Increased Focus on Cybersecurity: The attack highlighted the vulnerability of healthcare systems to cyber threats, prompting a reassessment of cybersecurity practices within the industry. This incident led to an increased emphasis on threat hunting, monitoring tools, and better preparedness against similar attacks in the future (American Hospital Association).

Regulatory and Compliance Challenges: The attack also brought regulatory and compliance issues to the forefront, particularly concerning data protection and breach notification. It underscored the need for stringent cybersecurity protocols and compliance with regulatory standards to protect patient data (American Hospital Association).

Government and Industry Response: In response to the attack and its impact, government agencies and industry groups emphasized the need for improved cybersecurity measures across the healthcare sector. This included recommendations for better ransomware preparedness and guidelines for responding to such cyber incidents (American Hospital Association) (PYA).

Patient Trust and Data Privacy Concerns: The potential exposure of personal health information (PHI) and personally identifiable information (PII) raised concerns about patient privacy and trust in healthcare providers' ability to safeguard sensitive data. UnitedHealth Group took steps to monitor the dark web for any publication of the data and offered support services to potentially impacted individuals (Welcome to UnitedHealth Group).

What is a Ransomware Attack?

A ransomware attack is a type of cyber-attack where the attacker encrypts the victim's data, effectively locking them out of their own systems or files. The attacker then demands a ransom from the victim in exchange for the decryption key needed to regain access to the data. These attacks can target individuals or organizations, and the ransom is typically demanded in cryptocurrency to maintain the anonymity of the attacker.

Ransomware can enter systems through various means, such as phishing emails, malicious advertisements, or exploiting security vulnerabilities in software. Once installed, the ransomware can spread across networks, encrypting files on both local drives and networked systems.

The consequences of ransomware attacks can be severe, including loss of critical data, disruption of operations, financial losses from paying the ransom, and potential harm to an organization's reputation. Moreover, paying the ransom does not always guarantee that the data will be decrypted or that the malware has been completely removed from the system.

To protect against ransomware, it is recommended to maintain up-to-date antivirus software, regularly backup data, and educate users on cybersecurity best practices.
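The behaviour described above, a process renaming and overwriting many files in a short burst, is something a defender can look for in file-system telemetry. The following is an added example, not code from the article: it runs three simple behavioural checks (a burst of renames to an unfamiliar extension per process, a high-entropy overwrite of a plain-text file, and any access to a decoy "canary" file) over a constructed set of file events. The extension allow-list, canary path, thresholds and the events themselves are assumptions made for the example; in practice the events would come from an EDR, Sysmon or auditd stream.

```python
"""Behavioural detection of bulk file encryption from file-system audit events.

Added example, not code from the article. The events below are constructed;
in practice they would come from an EDR, Sysmon or auditd stream.
"""
import math
from collections import defaultdict, deque
from dataclasses import dataclass

# Extensions that ordinary business processes legitimately write (assumed allow-list).
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "csv", "jpg", "png", "bak"}
# Plain-text types: a high-entropy write into one of these is a strong encryption signal.
PLAINTEXT_EXTENSIONS = {"txt", "csv"}
# Decoy files nobody should touch; any access is an alert (assumed path).
CANARY_PATHS = {"/shares/finance/.canary_do_not_touch.docx"}

WINDOW_SECONDS = 10.0    # sliding window for counting renames per process
RENAME_THRESHOLD = 20    # renames to unknown extensions inside the window
ENTROPY_THRESHOLD = 7.0  # bits per byte; ciphertext sits close to 8.0


@dataclass
class FileEvent:
    ts: float            # seconds since epoch
    pid: int
    process: str
    action: str          # "rename" or "write"
    path: str            # destination path for renames
    sample: bytes = b""  # first bytes written, if the sensor captured them


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events):
    """Return a list of (alert_kind, pid, process, detail) tuples, in time order."""
    alerts = []
    rename_windows = defaultdict(deque)  # pid -> timestamps of suspicious renames
    already_fired = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.path in CANARY_PATHS:
            alerts.append(("canary_touched", ev.pid, ev.process, ev.path))
        if ev.action == "rename" and extension(ev.path) not in KNOWN_EXTENSIONS:
            window = rename_windows[ev.pid]
            window.append(ev.ts)
            while window and ev.ts - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= RENAME_THRESHOLD and ev.pid not in already_fired:
                already_fired.add(ev.pid)
                alerts.append(("mass_rename", ev.pid, ev.process, len(window)))
        if (ev.action == "write" and ev.sample
                and extension(ev.path) in PLAINTEXT_EXTENSIONS
                and shannon_entropy(ev.sample) >= ENTROPY_THRESHOLD):
            alerts.append(("high_entropy_write", ev.pid, ev.process, ev.path))
    return alerts


def build_sample_events():
    """Constructed telemetry: one legitimate backup job, one ransomware-like process."""
    events = []
    # Backup agent renaming temp files to .bak: a known extension, so never counted.
    for i in range(30):
        events.append(FileEvent(1000.0 + i * 0.1, 4100, "backup_agent", "rename",
                                f"/backups/db_{i}.bak"))
    # Unknown process renaming 25 spreadsheets to an unfamiliar extension in about 5 s.
    for i in range(25):
        events.append(FileEvent(2000.0 + i * 0.2, 9932, "update_helper.exe", "rename",
                                f"/shares/finance/q1_{i}.xlsx.lockd"))
    # The same process overwriting a text file with ciphertext-like bytes.
    events.append(FileEvent(2005.5, 9932, "update_helper.exe", "write",
                            "/shares/finance/notes.txt", bytes(range(256))))
    # ...and touching the decoy file.
    events.append(FileEvent(2006.0, 9932, "update_helper.exe", "write",
                            "/shares/finance/.canary_do_not_touch.docx", b"PK"))
    # A user saving ordinary text: low entropy, no alert.
    events.append(FileEvent(2010.0, 5120, "notepad.exe", "write", "/home/alice/todo.txt",
                            b"call the clearinghouse, resubmit the claim batch\n" * 4))
    return events


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

Running the block prints three alerts, all for the same process, and nothing for the backup agent or the user editing a text file. The rename window fires once per process so that a single incident does not flood the queue; the canary check fires on every touch because a decoy file has no legitimate readers.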

How Can You Protect Your Organization From Ransomware Attacks?

Protecting your organization from a ransomware attack involves several critical steps that focus on prevention, preparation, and response. Here are some key strategies to safeguard your systems:

Regular Backups: Ensure regular backups of all critical information are made and stored in a location not connected to your main network. This way, if your data is encrypted during a ransomware attack, you can restore it from the backup without needing to pay the ransom.

Update and Patch Systems: Keep your operating system, software, and applications up to date. Regularly applying security patches and updates reduces vulnerabilities that cybercriminals exploit in ransomware attacks.

Use Antivirus and Anti-Malware Solutions: Install and maintain reputable antivirus and anti-malware software to detect and stop malicious attacks before they can execute. Ensure that your security software is always up to date.

Educate and Train Users: Conduct regular training sessions with your users about the risks of phishing emails, malicious attachments, and dubious links. Users should know not to open unexpected links or attachments and to report suspicious emails immediately.

Implement Access Controls: Limit user access rights to files and directories based on the needs of their role. Implementing least privilege can minimize the impact of ransomware by restricting it to fewer files.

Employ Network Segmentation: Divide your network into segments to prevent the spread of ransomware. If one segment is compromised, it is harder for the ransomware to spread to other parts of the network.

Enable Email Filtering: Set up email security features that filter out emails with known phishing indicators and block dangerous file types as attachments.

Use Network Security Tools: Deploy firewalls, intrusion detection systems, and intrusion prevention systems to monitor and control incoming and outgoing network traffic for unusual or unauthorized activity.

Disable Macro Scripts: Configure security settings to block macro scripts from office files transmitted via email. Macros can be used to trigger ransomware.

Implement Incident Response Plan: Have a ransomware incident response plan in place. Knowing what steps to take immediately after discovering a ransomware attack can significantly reduce its impacts and improve recovery time.

These strategies form a comprehensive approach to minimize the risk of a ransomware attack and its potential damage. Regularly reviewing and updating your cybersecurity measures and response plans is also crucial as threats evolve.
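Two of the controls listed above, email filtering of dangerous attachment types and blocking macro-bearing Office files, can be combined in one gateway check. The following is an added example and not code from the article or any mail-security product: it blocks executable extensions, quarantines any attachment whose OOXML container carries a `vbaProject.bin` part (regardless of the extension it claims) and any macro-enabled extension, and blocks an Office extension whose bytes are not an OOXML container. The block-list, the `make_ooxml` helper and the sample attachments are constructed for the example.

```python
"""Inbound attachment screening: block executable types and quarantine Office
documents carrying VBA macros, whatever extension they claim.

Added example, not code from the article or any mail-security product. The
sample attachments are constructed in memory with zipfile.
"""
import io
import zipfile

# Extensions an e-mail gateway has no business delivering (assumed block-list).
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1", "lnk", "iso"}
MACRO_ENABLED_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
OOXML_EXTENSIONS = MACRO_ENABLED_EXTENSIONS | {"docx", "xlsx", "pptx"}
ZIP_MAGIC = b"PK\x03\x04"


def extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def has_vba_project(data: bytes) -> bool:
    """OOXML documents are zip containers; VBA code lives in a vbaProject.bin part."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def screen_attachment(filename: str, data: bytes):
    """Return (verdict, reason) where verdict is 'block', 'quarantine' or 'allow'."""
    ext = extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return ("block", f"executable attachment type .{ext}")
    # Content check first: a renamed .docm or a .zip wrapper still carries the part.
    if has_vba_project(data):
        return ("quarantine", "VBA macro project found inside the container")
    if ext in MACRO_ENABLED_EXTENSIONS:
        return ("quarantine", f"macro-enabled extension .{ext}")
    if ext in OOXML_EXTENSIONS and not data.startswith(ZIP_MAGIC):
        return ("block", f".{ext} extension but content is not an OOXML container")
    return ("allow", "no indicator")


def screen_message(attachments):
    """Screen every attachment; the message verdict is the most severe one."""
    severity = {"allow": 0, "quarantine": 1, "block": 2}
    results = [(name, *screen_attachment(name, data)) for name, data in attachments]
    worst = max((r[1] for r in results), key=severity.__getitem__, default="allow")
    return worst, results


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container, optionally with a macro part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    sample = [
        ("statement.docx", make_ooxml(with_macro=False)),
        ("invoice.docx", make_ooxml(with_macro=True)),   # macro under a plain .docx name
        ("remit.pdf.exe", b"MZ\x90\x00"),                  # double extension
    ]
    verdict, detail = screen_message(sample)
    print(verdict)
    for row in detail:
        print(row)
```

The content check runs before the extension check on purpose: a macro document renamed to `.docx` still contains the `vbaProject.bin` part, so the gateway should not trust the file name alone. Legacy binary formats (`.doc`, `.xls`) are OLE containers rather than zips and would need a separate parser.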

How Can Zero Trust Network Architecture Help Prevent Ransomware Attacks?

Zero Trust Network Access (ZTNA) can significantly mitigate the risks of ransomware attacks through its stringent security protocols that challenge traditional network security models. Here’s how ZTNA helps prevent ransomware attacks:

Least Privilege Access: ZTNA operates on the principle of least privilege, under the Zero Trust maxim “Never Trust, Always Verify,” which means users are granted the minimum access necessary for their job functions. By limiting access rights, ZTNA reduces the potential impact of ransomware by restricting its ability to spread across the network.

Micro-segmentation: This involves dividing the network into smaller, distinct zones, ensuring that a security breach in one segment cannot easily spread to another. Micro-segmentation under ZTNA makes it harder for ransomware to move laterally across a network once it gains entry.

Multi-factor Authentication (MFA): ZTNA typically enforces MFA to verify the identity of users before granting access to network resources. This additional layer of security helps prevent unauthorized access, especially if credentials are compromised, which is a common vector for ransomware attacks.

Continuous Monitoring and Verification: Zero Trust security models continuously monitor and validate the security posture of devices and users on the network. This ongoing verification helps detect and respond to anomalies or suspicious behaviors that could indicate a ransomware attack.

Security Policies Enforcement: ZTNA allows for detailed security policies based on user, device, location, and other contextual factors. These policies are enforced dynamically, adjusting access rights based on real-time assessment of risk, thus reducing the potential attack surface for ransomware.

Endpoint Security Integration: By integrating endpoint security solutions, ZTNA ensures that devices comply with security standards before accessing network resources. This can prevent compromised devices potentially harboring ransomware from connecting to the network.

Implementing a ZTNA solution, such as Timus Network’s ZTNA, can be a crucial step in strengthening an organization's cybersecurity posture against ransomware and other cyber threats. By providing, automating, and enforcing utilization of such functionalities as a dedicated private gateway with a static IP address that can be used to control access to business critical SaaS apps, Device Posture Checks (DPC), micro-segmentation and granular access to resources, adaptive MFA, and integration with Endpoint Protection Platforms such as BitDefender, SentinelOne, and Microsoft Defender, it reduces the avenues through which attackers can exploit network vulnerabilities. 
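The ZTNA controls described above (least privilege by role, micro-segmentation, mandatory MFA, device posture checks and adaptive policy based on context) can be expressed as an ordered access decision. The following is an added example that illustrates those points; it is not Timus's or any vendor's code. The resources, roles, posture attributes, allowed-country list and the sample requests are all constructed, and the "stolen password, no MFA" scenario mirrors the entry point described in the May 3 testimony: a valid credential alone is denied before it ever reaches a resource.

```python
"""Zero Trust access decisions: identity + MFA + device posture + least privilege
+ micro-segment, with adaptive step-up for risky context.

Added example illustrating the article's ZTNA points; it is not Timus's or any
vendor's code. Users, devices, resources and policies are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str
    segment: str               # micro-segment the resource lives in
    allowed_roles: frozenset   # least privilege: only roles that need it
    sensitivity: str           # "low" or "high"


@dataclass
class AccessRequest:
    user: str
    role: str
    password_ok: bool      # credential check passed
    mfa_passed: bool       # second factor completed for this session
    device_managed: bool   # enrolled in MDM / running the ZTNA agent
    edr_healthy: bool      # endpoint protection running and up to date
    disk_encrypted: bool
    source_country: str
    known_location: bool   # user has authenticated from here before
    resource: str


# Constructed inventory resembling a claims-processing environment.
RESOURCES = {
    "claims-db": Resource("claims-db", "seg-claims", frozenset({"claims_analyst", "dba"}), "high"),
    "pharmacy-api": Resource("pharmacy-api", "seg-pharmacy", frozenset({"pharmacy_ops"}), "high"),
    "wiki": Resource("wiki", "seg-corp",
                     frozenset({"claims_analyst", "dba", "pharmacy_ops", "staff"}), "low"),
}
ALLOWED_COUNTRIES = {"US"}  # assumed policy value


def device_posture_ok(req: AccessRequest) -> bool:
    """Device Posture Check: every condition must hold before any access."""
    return req.device_managed and req.edr_healthy and req.disk_encrypted


def evaluate(req: AccessRequest):
    """Return (decision, reason, segment). Order: identity, device, privilege, context."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return ("deny", "unknown resource", None)
    if not req.password_ok:
        return ("deny", "credential check failed", None)
    if not req.mfa_passed:
        # A valid but stolen password alone never reaches a resource.
        return ("deny", "MFA required for every remote session", None)
    if not device_posture_ok(req):
        return ("deny", "device fails posture check", None)
    if req.role not in res.allowed_roles:
        return ("deny", f"role {req.role} not entitled to {res.name}", None)
    if res.sensitivity == "high" and (
            not req.known_location or req.source_country not in ALLOWED_COUNTRIES):
        # Adaptive MFA: unusual context on a sensitive resource asks for re-verification.
        return ("step_up", "re-verify with a stronger factor", res.segment)
    # Access is scoped to this one segment, not the whole network.
    return ("allow", f"granted to {res.name} only", res.segment)


def sample_requests():
    """Constructed scenarios, including the stolen-credential / no-MFA case."""
    base = dict(role="claims_analyst", password_ok=True, mfa_passed=True,
                device_managed=True, edr_healthy=True, disk_encrypted=True,
                source_country="US", known_location=True, resource="claims-db")
    return {
        "stolen_password_no_mfa": AccessRequest(user="alice", **{**base, "mfa_passed": False}),
        "healthy_analyst": AccessRequest(user="alice", **base),
        "wrong_role": AccessRequest(user="bob", **{**base, "role": "staff"}),
        "unmanaged_device": AccessRequest(user="alice", **{**base, "device_managed": False}),
        "new_location": AccessRequest(user="alice", **{**base, "known_location": False}),
        "wiki_from_staff": AccessRequest(user="bob",
                                        **{**base, "role": "staff", "resource": "wiki"}),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, evaluate(req))
```

The check order matters: identity and second factor are settled before device posture, posture before entitlement, and only then does context decide whether an already-entitled request needs a step-up. A grant names a single resource and segment, which is what keeps a compromised session from being a foothold for lateral movement.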

What is BlackCat/ALPHV?

The BlackCat/ALPHV ransomware group leverages previously compromised user credentials (often harvested by infostealer malware) to gain initial access to the victim system. The group also performs targeted attacks via spear phishing. In a filing with the Securities and Exchange Commission, UnitedHealth Group originally attributed the attack to “a suspected nation-state associated cybersecurity threat actor.” Researchers have said BlackCat/ALPHV is a Russian-speaking operation but have not linked it to any government. Threat actors using BlackCat often employ triple extortion tactics, demanding a ransom to decrypt infected files, to not publish stolen data, and to not launch a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack against the victim.


(*) Welcome to UnitedHealth Group

(**) ADA News, American Hospital Association

(***) Welcome to UnitedHealth Group

(****) Source: MSSP Alert
