RansomHub Ransomware Gang Leaks Stolen Change Healthcare Data

Written by Mitchell Langley

April 17, 2024

RansomHub Ransomware Gang Leaks Stolen Change Healthcare Data

The ransomware group known as RansomHub has started releasing what they assert to be corporate and patient data obtained from Change Healthcare, a subsidiary of United Health.

The extortion process surrounding this incident has been complex and protracted and adds to the challenges faced by the affected company.

Change Healthcare experienced a cyberattack in February that had far-reaching consequences for the US healthcare system.

The cyberattack resulted in extensive disruptions, hampering the ability of pharmacies and doctors to bill or submit claims to insurance companies.

Investigators later linked the attack to the BlackCat/ALPHV ransomware operation, which claimed to have stolen a staggering 6 terabytes of data during the incident.

Subsequently, the BlackCat gang faced intensified scrutiny from law enforcement agencies. Under mounting pressure, they chose to cease their criminal activities.

This decision came amidst allegations that they were attempting to execute an exit scam, involving the misappropriation of a $22 million ransom payment made by Change Healthcare to the affiliate responsible for the attack.

While Change Healthcare has declined to comment on whether it has paid a ransom, the affiliate known as “Notchy” said they would extort Change Healthcare again as they still had the company’s data.

Double-Extortion at Its Best: RansomHub and Notchy Extorts Change Healthcare

Following the shutdown of the BlackCat gang, a new development emerged involving the affiliate known as Notchy, who formed a partnership with the RansomHub ransomware gang. Despite allegations that Change Healthcare had already paid a ransom, the threat actors targeted the company once again.

On the RansomHub data leak site, the threat actor issued a statement, warning that unless Change Healthcare and United Health reached a mutually agreeable resolution, all the stolen data would be publicly released.

Today, one week later, the threat actors have taken action by leaking screenshots of files that they claim were extracted from Change Healthcare during the ransomware attack that occurred in February.

The leaked screenshots from the recent data breach of Change Healthcare reveal several concerning aspects.

Included in the screenshots are data-sharing agreements between Change Healthcare and prominent insurance providers such as CVS Caremark, Health Net, and Loomis.

Additionally, the compromised data includes various financial documents such as aging reports and insurance payment records, which could have significant implications for the company.

However, the most alarming aspect of the leaked data is the presence of patient information. This sensitive data includes details about the amounts owed and bills for the services patients received, which raises serious privacy concerns and potential risks for the affected individuals.

In a further display of their malicious intent, the threat actors have now set forth an ultimatum to Change Healthcare. They demand payment within five days, threatening to sell the data to the highest bidder if their extortion demands are not met. This places additional pressure on the company to take decisive action to protect both patient confidentiality and their own reputation.

Related Articles

Stay Up to Date With The Latest News & Updates

Join Our Newsletter


Subscribe To Our Newsletter

Sign up to our weekly newsletter summarizing everything thats happened in data security, storage, and backup and disaster recovery

You have Successfully Subscribed!