DMR News

Ransomware Gang Leaks Stolen Patient Data from Change Healthcare

By Hilary Ong

Apr 18, 2024

Change Healthcare has once again been thrust into the cybersecurity spotlight, as a new extortion group known as RansomHub recently released several files containing sensitive patient data on its dark web site.

This latest development follows a ransomware attack on Change Healthcare which initially occurred in February. The released files include personal patient information across various documents, such as billing files, insurance records, and medical data, along with contracts and agreements between Change Healthcare and its partners.

RansomHub’s Threat to Sell Patient Data

This release by RansomHub marks a significant escalation in the aftermath of the ransomware attack, as it is the first time cybercriminals have publicly disclosed possession of such sensitive medical and patient records.

RansomHub has also issued a threat to sell the stolen data to the highest bidder unless they receive a ransom payment from Change Healthcare. This situation complicates the security challenges for Change Healthcare, as they now face extortion demands from two different groups within a two-month span.

How Is UnitedHealth Group Handling the Breach?

Despite these threats, UnitedHealth Group has indicated that there is no evidence of a new cyber incident. Tyler Mason, a spokesperson for UnitedHealth Group, emphasized their ongoing efforts to assess the impact of the data disclosed online, stating, “We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data. Our investigation remains active and ongoing.”

Further complicating matters is the background of how this sensitive data came into RansomHub’s possession.

A Russia-based ransomware gang, ALPHV, also known as BlackCat, initially claimed responsibility for the data theft at Change Healthcare. However, in early March, ALPHV seemingly vanished after allegedly receiving a $22 million ransom payment meant to prevent the release of the stolen data. An affiliate of ALPHV—a contractor who carries out cyberattacks using the gang’s malware—later came forward claiming to have executed the theft but was cheated out of their share of the ransom payment by the main ALPHV group, who disappeared with the funds.

Now, RansomHub’s statement, “we have the data and not ALPHV,” contradicts earlier claims and suggests a potential dispute among the ransomware group members. This internal conflict has left the stolen data in a precarious position, subject to further extortion attempts by RansomHub. Wired reported on this new development and the intricacies of the dispute within these cybercriminal circles last Friday.

What Measures Has UnitedHealth Group Taken Post-Breach?

Amid these developments, UnitedHealth Group has not confirmed whether the ransom was paid or disclosed the full extent of the stolen data. However, they announced on March 27 that they had secured a dataset “safe for us to access and analyze,” which they obtained in exchange for the ransom payment. This dataset is now a priority for review by UnitedHealth Group, particularly focusing on sections likely containing health information, personally identifiable information, and financial details.

As of now, the investigation continues with cooperation from law enforcement and cybersecurity experts, aiming to mitigate the damage and prevent future breaches of this nature.


Featured Image courtesy of PATRICK T. FALLON/AFP via Getty Images
