Credit: piter2121/Adobe Stock

Change Healthcare, which still is scrambling to recover from a costly cyberattack in February, may be facing a second security breach. Cybersecurity analyst Dominic Alvieri posted this week that hackers known as RansomHub claim to have accessed four terabytes of Change's data, including the personal details and medical records of "millions" of patients, and demanded payment within 12 days.

"Change Healthcare and United Health, you have one chance in protecting your clients' data," the hackers said, according to The Register, a British technology news website. "The data have not been leaked anywhere, and any decent threat intelligence would confirm that the data have not been shared nor posted. In the event you fail to reach a deal, the data will be up for sale to the highest bidder here."

Recommended For You

Change, which has neither confirmed nor denied the threat, told Becker's Health IT that "we are aware of these reports and continue to work with the authorities."

Change reportedly paid the BlackCat/ALPHV ransomware gang $22 million after the previous cyberattack that crippled the company's claims processing systems. The post from the new group means Change could be the victim of a "double extortion" attempt, cybersecurity researchers say.

" It is not uncommon, as an incident responder, to discover not just one threat inside of a compromised environment but two or more," Ken Dunham, cyberthreat director at Qualys Threat Research Unit, told Becker's. "It is also not uncommon for companies that give in to bad actors performing extortion, such as ransomware and distributed denial-of-service payouts, to become 'soft targets,' quickly hit again with additional forms of extortion."

However, he added, "While nobody advocates paying off an adversary, sometimes it is an action that ends up being the best course of action for a business based upon their risks and needs at the time of breach and impact."

At the same time, paying ransom demands could open the door to additional attacks.

Related: State Department offers $10M reward for ID of Change Healthcare hackers

"The fact that Change Healthcare was seemingly targeted again, possibly by the same actors under a new alias or affiliates, highlights a significant issue in the ransomware ecosystem — the lack of 'honor among thieves'," Javvad Malik, lead security awareness advocate for KnowBe4, told The Register. "While the initial payment of $22 million might have seemed like a resolution, it potentially opened the door for further extortion. It's a stark reminder that paying a ransom not only fails to guarantee data safety or non-disclosure but might also paint the organization as a repeat target for future attacks."

NOT FOR REPRINT

© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Alan Goforth

Alan Goforth is a freelance writer in suburban Kansas City. In addition to freelancing for several publications, he has written a dozen books about sports and other topics.