Double-extorted Change Healthcare says “a substantial proportion” of Americans exposed

Health insurance behemoth UnitedHealth Group has confirmed that cyberattackers compromised a massive trove of sensitive data from its tech branch Change Healthcare, which could cover a “substantial proportion of people in America.” Meanwhile, a second ransomware group that had been demanding payment has delisted the company from its victims page.

In the latest statement, UnitedHealth said that files exfiltrated by cybercriminals contain protected health information (PHI) or personally identifiable information (PII). They could “cover a substantial proportion of people in America.”

“There were 22 screenshots, allegedly from exfiltrated files, some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor. No further publication of PHI or PII has occurred at this time,” the press release reads.

While the company continues to monitor the dark web for leaks, it has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.

It’s not clear how many Americans are exposed, and they have no way of knowing if they’re affected.

“It is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals,” UnitedHealth said.

The company has set up a dedicated call center offering two years of free credit monitoring and identity theft protection to anyone who believes they are impacted.

UnitedHealth filed a disclosure with the US Securities and Exchange Commission (SEC) on February 22nd, revealing that “a suspected nation-state associated cybersecurity threat actor had gained access to some of the Change Healthcare information technology systems.”

The cyberattack disrupted healthcare and billing information operations across the healthcare industry.

In its latest statement, the group said that “Change Healthcare has made continued strong progress restoring services impacted by the event.”

Pharmacy services and medical claim flows are now back to near-normal levels, payment processing by Change Healthcare is at approximately 86% of pre-incident levels, and 80% of other functionality has been restored on the major platforms and products.

“The company expects full restoration of other systems to be completed in the coming weeks.”

Change Healthcare processes about half of all medical claims in the US, serving around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals, and 600 laboratories.

Two ransomware gangs were demanding payments, now silent

Cybernews previously reported that ALPHV/BlackCat, a notorious Russian-linked ransomware gang, was suspected of the attack.

After two months, Change Healthcare confirmed to the media that it paid a ransom to the hackers “as part of the company’s commitment to do all it could to protect patient data from disclosure,” Wired reported.

ALPHV apparently vanished in early March, faking its own takedown after collecting the $22 million ransom payment. The affiliate that actually carried out February’s cyberattack was left unpaid and complaining on the dark web, and the stolen data was left in limbo.

Soon afterwards, a new ransomware and extortion gang calling itself RansomHub emerged. RansomHub claimed that it, not ALPHV, held the stolen data.

The gang posted several files of Change Healthcare’s records on April 15th, giving the company five days to pay and avoid the “devastating effect” of the publication of a 4TB trove of data.

At the time of writing, the Change Healthcare entry on RansomHub’s victim site has been removed.

Whether or not it pays, Change Healthcare still faces the risk of cybercriminals leaking sensitive medical records.

While the investigation is ongoing, UnitedHealth recommends staying alert and regularly reviewing the explanation of benefits statements you receive from your health plan and the statements from your healthcare providers, as well as your bank and credit card statements, credit reports, and tax returns, for any unfamiliar activity.

“If you notice any health care services you did not receive listed on an explanation of benefits statement, please contact your health plan or doctor,” the company said. “If you notice any suspicious activity on either your bank or credit card statements or on your tax returns, please immediately contact your financial institution and/or credit card company or relevant agency.”
