Ransomware gang publishes part of stolen Change Healthcare records


A new ransomware and extortion gang that calls itself RansomHub has posted several files of Change Healthcare’s records, stolen during the cyberattack in February. The group says it has a lot more files.

Cybernews has seen the published records on RansomHub’s dark web leak site. They contain personal information about patients in different documents and include billing files and insurance and medical records.

As is usual for such gangs, RansomHub threatened to sell the data to the highest bidder unless Change Healthcare paid a ransom. It’s actually the first time cyber thugs have posted evidence that they obtained sensitive data in the cyberattack.


“The more we go through the data, the more we are shocked by the amount of financial, medical, and personal information we find and it will be more devastating than the first attack itself,” said RansomHub.

“Five days remain on the clock. The devastating effect can still be mitigated. Insurance providers should be really concerned as this will impact them and their clients beyond measure.”

Image: RansomHub's message on its dark web site.

Change Healthcare fell victim to a suspected nation-state cyberattack in February, forcing a system-wide shutdown. Many pharmacies reported being unable to process insurance claims through their systems, and social media lit up with users all over the country complaining they could not fill their prescriptions.

It took around three weeks for Change Healthcare to get its pharmacy and payment platforms back online.

The company's popular health IT services, including its payment and billing management platform, are used by thousands of healthcare facilities and their patients, making it one of the largest health technology firms in the US.

Reputation therefore obviously matters. The problem is that RansomHub is already the second extortion group to demand a ransom payment for the stolen patient data: Change Healthcare already allegedly paid a $22 million ransom to ALPHV, a Russia-based gang, in early March.

It seems that a dispute between ALPHV and its affiliates within their criminal ecosystem left the stolen data in limbo, Wired reported last week, essentially condemning Change Healthcare to further extortion.


That’s because ALPHV apparently vanished after collecting the $22 million ransom payment, even though an affiliate actually carried out February’s cyberattack. The affiliate then handed over four terabytes of stolen data to another ransomware gang – or even set up that gang themselves.

The US Department of Health and Human Services (HHS) has already opened an investigation into the cyberattack.

The investigation will determine whether the breach of protected health information violated the US Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires healthcare entities in the country to properly protect a person's private health information.