RansomHub Strikes Optum: A Cyberattack Analysis

Incident Date:

April 16, 2024

World map



RansomHub Strikes Optum: A Cyberattack Analysis


Change HealthCare - OPTUM Group - United HealthCare Group - FOR SALE




Eden Prairie, USA

Minnesota, USA

First Reported

April 16, 2024

RansomHub Targets Optum: A Detailed Analysis of the Cyberattack

Overview of Optum

Optum is a prominent health services and innovation company, part of the UnitedHealth Group. It operates across three main sectors: OptumHealth, OptumInsight, and OptumRx, focusing on data and analytics, pharmacy care services, population health, healthcare delivery, and operations. With a global footprint in over 150 countries, Optum reported a revenue of $226.6 billion in the fiscal year 2023 and employs more than 10,001 individuals. The company's headquarters are located in Eden Prairie, Minnesota, USA.

Details of the Ransomware Attack

RansomHub, a new ransomware group, has recently claimed responsibility for an attack on Change Healthcare, a subsidiary of UnitedHealth Group, which includes Optum. The group alleges to have acquired 4TB of sensitive data previously stolen by the ALPHV/BlackCat group. This data purportedly contains medical and dental records, payment and claims information, personal identifiable information (PII) of patients and active U.S. military personnel, along with over 3,000 source code files.

Why Optum Was Targeted

Optum's significant data assets and integral role in healthcare make it a prime target for cybercriminals. The vast amount of sensitive personal and medical information handled by the company increases its attractiveness for ransomware attacks, which aim to exploit such data for financial gain. Additionally, the interconnected nature of healthcare data across various subsidiaries like Change Healthcare amplifies the potential impact of breaches, making comprehensive cybersecurity measures essential for such organizations.

Implications of the Attack

The breach poses severe risks not only to the privacy of millions of individuals but also to the operational integrity of Optum. The exposure of source code files could potentially allow for further cyberattacks, complicating recovery efforts and undermining trust in Optum's ability to safeguard sensitive information.


Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.