In a shocking development, an extortion group has published a portion of what it says are the private and sensitive patient records on millions of Americans stolen during the ransomware attack on Change Healthcare in February.
RansomHub Threatens to Sell Stolen Data
On Monday, a new ransomware and extortion gang that calls itself RansomHub published several files on its dark web leak site containing personal information about patients across different documents, including billing files, insurance records, and medical information. Some of the files also contain contracts and agreements between Change Healthcare and its partners.
RansomHub has threatened to sell the data to the highest bidder unless Change Healthcare pays a ransom.
A Second Group Demands Ransom Payment
This is not the first time cybercriminals have published evidence that they hold medical and patient records taken in the cyberattack, but RansomHub is the second group in as many months to demand a ransom payment to prevent the release of stolen patient data.
UnitedHealth Group, the parent company of Change Healthcare, said there was no evidence of a new cyber incident. "We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data," said Tyler Mason, a spokesperson for UnitedHealth Group. "Our investigation remains active and ongoing."
A Dispute Between Ransomware Gang Members?
Rather than a fresh intrusion, the more likely explanation is that a dispute between members and affiliates of the original ransomware gang left the stolen data in limbo and Change Healthcare exposed to a second round of extortion.
A Russia-based ransomware gang called ALPHV took credit for the Change Healthcare data theft. Then, in early March, ALPHV suddenly disappeared along with a $22 million ransom payment that Change Healthcare allegedly paid to prevent the public release of patient data.
An ALPHV affiliate — essentially a contractor who earns a commission on the cyberattacks they launch using the gang’s malware — went public claiming to have carried out the data theft at Change Healthcare, but that the main ALPHV/BlackCat crew stiffed them out of their portion of the ransom payment and vanished with the loot. The contractor said the millions of patients’ data was "still with us."
Now, RansomHub says "we have the data and not ALPHV." Wired, which first reported the second group’s extortion effort on Friday, cited RansomHub as saying it was associated with the affiliate that still had the data.
UnitedHealth’s Response
UnitedHealth previously declined to say whether it paid the hackers’ ransom, nor has it said how much data was stolen in the cyberattack. The healthcare giant said in a statement on March 27 that it had obtained a dataset "safe for us to access and analyze," the dataset the company received in exchange for the ransom payment.
TechCrunch learned from a source with knowledge of the ongoing incident that UHG said it was "prioritizing the review of data that we believe would likely have health information, personally identifiable information, claims and eligibility or financial information."
Fears Grow That Patient Data Could Spill Online
With RansomHub now claiming to hold the data, and the $22 million payment evidently having bought no guarantee that it would be destroyed, the risk that patient records spill online has grown even as the Change Healthcare outage drags on.
What’s Next?
The situation is fluid, and it’s unclear what will happen next. However, one thing is certain: the cyberattack on Change Healthcare has exposed millions of Americans’ sensitive information to potential exploitation.
Timeline of Events
- February 2024: Ransomware attack on Change Healthcare
- Late February to early March 2024: ALPHV/BlackCat takes credit for the data theft
- Early March 2024: ALPHV disappears along with the $22 million ransom payment Change Healthcare allegedly paid
- Early March 2024: An ALPHV affiliate goes public, claiming it carried out the data theft, was stiffed by the main crew, and still holds the patients’ data
- Friday: Wired first reports RansomHub’s extortion effort
- Monday: RansomHub publishes files containing patient data on its dark web leak site and threatens to sell the data unless Change Healthcare pays
What You Need to Know
- Millions of Americans’ sensitive information has been exposed in the cyberattack on Change Healthcare
- A second group, RansomHub, is demanding a ransom payment to prevent the release of stolen data
- UnitedHealth Group says it’s investigating the claims but denies any evidence of a new cyber incident
- The situation is fluid, and it’s unclear what will happen next