Optum Security Incident

Updated by Keith Kirkland

High-Level Summary of the Security Advisory

Optum, Inc., a subsidiary of UnitedHealth Group, is an American healthcare services provider that operates in technology and related services, pharmacy care services, and various direct healthcare services. Optum operates the Change Healthcare platform, which serves as a payment processing platform aimed at establishing an adaptive health system for patients, payers, and care providers.

On February 21, 2024, UnitedHealth Group filed an 8-K report with the SEC, confirming that a cyberattack, attributed to suspected "nation-state" hackers, was responsible for the disruption to Optum's Change Healthcare services. The threat actor had gained access to the Change Healthcare information technology systems and disrupted a number of its systems and services.

As per the 8-K filing, Optum disconnected its systems upon detection to safeguard its partners and patients. Efforts are underway to restore normal operations, although the duration and extent of the disruption remain undetermined. Optum has engaged leading security experts, collaborated with law enforcement, and notified relevant stakeholders, including customers, clients, and government agencies. 

The American Hospital Association (AHA) issued a Cybersecurity Advisory on February 22, 2024, advising organizations that use Change Healthcare impacted services to develop downtime procedures and contingency plans in case of prolonged unavailability. As of February 23, 2024, Change Healthcare began including the following statement in their regular updates, “We have a high level of confidence that Optum, UnitedHealthcare, and UnitedHealth Group systems have not been affected by this Issue.”

Following the incident, the American Hospital Association issued an update on February 24, 2024, advising healthcare organizations that were disrupted or potentially at risk to disconnect from specified Change Healthcare applications that remain unavailable due to the cyberattack, as identified on the Change Healthcare application status page. Additionally, the advisory notes that open-source statements and press reports have linked the cyberattack to the exploitation of the ConnectWise vulnerability, which the U.S. government had previously recommended patching immediately.

Should I be concerned?

Maybe. It depends on whether you have a relationship with Change Healthcare, Optum, UnitedHealthcare, or UnitedHealth Group. Click on the link below to find out if you have a relationship with this vendor or its subsidiaries. If you do, follow the recommendations below.

Note: this link specifically references vendor directory records. You may also want to search your Relationship List for the names (e.g., Change Healthcare, Optum, UnitedHealthcare, or UnitedHealth Group) to confirm.

What to do if you or your vendors have an active relationship with Optum, Change Healthcare, UnitedHealthcare, or UnitedHealth Group

As of the February 26, 2024 status update from Optum, the company is working on multiple approaches to restore the impacted environment amid the ongoing investigation. The Form 8-K filing states that Optum has yet to ascertain whether the incident is likely to have a significant impact on the company's financial standing or operational outcomes.

The American Hospital Association (AHA) has issued the following recommendations in their advisory:

  • All healthcare organizations affected or potentially exposed by this incident should consider disconnecting from Optum until it is independently determined to be safe to reconnect.
  • Organizations using Change Healthcare services that have been impacted should develop downtime procedures and contingency plans in case these services remain unavailable for an extended period.
  • The AHA advises each healthcare organization to continuously monitor and independently assess information provided by Change Healthcare to make risk-based decisions regarding systems that have not been impacted.

We recommend that you follow the status updates, promptly reach out to Optum, and conduct a thorough investigation to assess any potential impact of the incident. Subsequently, implement the requisite remedial actions.

--------------------------------------------------------------

We are actively working on future product enhancements related to these types of events. If you found this information helpful or have additional feedback, please let us know at product@visotrust.com.

For any additional questions, please reach out to your customer success manager.

The VISO TRUST team
