Change Healthcare’s stolen ‘private’ patient data leaked by ransomware group

On Monday, the RansomHub cybercriminal hacking group followed through on threats to share sensitive medical and financial records stolen from Change Healthcare, despite the health tech firm allegedly paying a $22 million ransom.

Credit: Oleksii/stock.adobe.com

The group behind the massive cyberattack on Change Healthcare has followed through on threats to publish private patient information.

RansomHub on Monday posted several personal information files on its dark website, including billing files, insurance records and medical information. Some files also contained contracts and agreements between Change and its partners, according to the technology website TechCrunch.

RansomHub claims to possess four terabytes of data stolen from the UnitedHealth Group subsidiary. It demands an undisclosed amount of money in return for not selling the information, despite Change reportedly already having paid another cybercriminal group $22 million in ransom. Change took IT systems offline after the cyberattack in late February, leading to widespread claims processing delays across the United States.

This is the first time that cybercriminals have published evidence that they possess medical and patient records from the cyberattack. RansomHub is the second group to demand a ransom payment to prevent the release of stolen patient data in as many months, although UnitedHealth Group said there is no evidence of a new cyberattack incident.

“We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data,” said Tyler Mason, a spokesperson for UnitedHealth Group. “Our investigation remains active and ongoing.”

What is more likely, according to TechCrunch, is that a dispute between members and affiliates of the ransomware gang left the stolen data in limbo and Change exposed to further extortion. A Russia-based ransomware gang called ALPHV originally took credit for the data theft. Then in early March, ALPHV suddenly disappeared, along with a $22 million ransom payment that Change allegedly paid to prevent the public release of patient data.

An ALPHV affiliate, essentially a contractor that earns a commission on the cyberattacks they launch using the gang’s malware, went public. It claimed to have carried out the data theft but that the main ALPHV/BlackCat crew failed to pay their portion of the ransom and vanished, and that millions of patients’ data was “still with us.”

Wired, which first reported the second group’s extortion effort, cited RansomHub as saying it was associated with the affiliate that still had the data. UnitedHealth previously declined to say whether it paid the hackers’ ransom, and it has not said how much data was stolen in the cyberattack.

Ken Durham, cyber threat director for Qualys Threat Research Unit, told SC Media that this situation demonstrates that ransomware payouts are “tricky business.”

“This can be explained through shifts in the criminal marketplace, lying by bad actors, multiple compromises or other scenarios,” he said. “It is not uncommon for an incident responder to discover not just one threat inside of a compromised environment but two or more. It is also not uncommon for companies that give in to bad actors performing extortion to become ‘soft targets,’ quickly hit with additional forms of extortion again and again.”