RansomHub Group Threatens to Sell 4GB of Stolen Change Healthcare Data
On February 21, 2024, Change Healthcare suffered a ransomware attack that forced the company to take its systems offline, resulting in weeks of disruption for the healthcare organizations that rely on its systems. Change Healthcare has confirmed that the hackers behind the attack gained access to systems that contained Americans’ protected health information but has not stated the types of data involved or the number of individuals affected. Given that Change Healthcare processes around 15 billion healthcare transactions a year and its systems touch the data of one in three Americans, the data breach could be huge. To make matters worse, a ransomware group has put the data up for sale and will hand it over to the highest bidder.
That ransomware group is RansomHub. RansomHub is a new cybercriminal group that claims to hold around 4GB of data stolen from Change Healthcare in its February 21, 2024, ransomware attack, but RansomHub did not conduct that attack. The Change Healthcare ransomware attack was conducted by an affiliate of the ALPHV/Blackcat ransomware-as-a-service group called Notchy.
Under the ransomware-as-a-service model, ransomware groups recruit affiliates to conduct attacks and then pay them a percentage of any ransom payments they generate. Although Change Healthcare has not confirmed it, a ransom of $22 million was reportedly paid to ensure the stolen data was deleted. According to Notchy, the ALPHV group failed to pay his cut of that ransom. ALPHV claimed that law enforcement had intercepted the payment, but the group pocketed the funds as part of an exit scam and shut down its ransomware operation.
Notchy pulled off what has been described as the worst ever healthcare cyberattack – one that UnitedHealth Group expects to cause up to $1.6 billion in losses this year alone – yet did not get paid. Notchy did say, however, that they were still in possession of 4TB of data stolen from Change Healthcare. All went quiet until RansomHub issued Change Healthcare and UnitedHealth Group with a ransom demand, claiming that it, not the ALPHV group, held the stolen data.
It appears that Notchy was recruited by RansomHub as an affiliate and provided the stolen data in an attempt to get paid. On Monday, RansomHub started leaking the stolen data. Several screenshots were published showing contracts between Change Healthcare and its healthcare provider and health plan clients, along with invoice information, claims data, and patient information. RansomHub claims to be in possession of vast amounts of financial, medical, and personal information and gave Change Healthcare and UnitedHealth Group five days to negotiate payment before the data would be sold.
The $22 million that has already been paid has achieved nothing, and there is a considerable risk that any further payment would likewise not result in the data being deleted. Should Change Healthcare decide not to pay, RansomHub has offered Change Healthcare’s clients the opportunity to pay a ransom of their own to prevent the release or sale of their data. RansomHub claims that it is about to sell the data of MetLife, CVS Caremark, Davis Vision, Health Net, and Teachers Health Trust, all of whom have been given the opportunity to pay to prevent their data from being sold. At this stage, it is unclear whether Change Healthcare or those clients will choose to pay up.