Change Healthcare data for sale on dark web as fallout from ransomware attack spirals out of control


April 18, 2024


February's crippling ransomware attack against Change Healthcare, which saw prescription orders delayed across the United States, continues to have serious consequences.

The cybercriminal group RansomHub has published on the dark web a portion of what it claims to be the many millions of patient records it stole in the attack, including medical information, insurance records, and billing details.

RansomHub claims 4TB of stolen data are up for sale to the highest bidder unless Change Healthcare pays a ransom. The haul is said to also contain contracts and legal agreements between Change Healthcare and its business partners.

What makes the situation rather more complex is that RansomHub is not the first cybercriminal group to claim responsibility for the highly disruptive Change Healthcare hack.

The ransomware attack was initially attributed to the BlackCat ransomware gang (also known as ALPHV). Indeed, it was reported that BlackCat/ALPHV had received a cryptocurrency payment equivalent to US $22 million in early March in what was widely assumed to be a ransom payment.

If that's accurate, why would a different cybercrime gang now appear to be demanding a ransom payment from Change Healthcare? Is this a separate data breach, or two different groups attempting to extort money for the same theft?

What is possible is that the security breach is being linked to two different groups because affiliates and members of a ransomware gang have fallen out with each other and squabbled about how best to divide the proceeds.

For its part, RansomHub told Wired that it was not affiliated with the BlackCat/ALPHV group and declined to disclose the ransom amount demanded from Change Healthcare.

Whatever the reality is of who stole what, and how much ransom they may have demanded, the sale of the exfiltrated data raises the stakes dramatically for both patients and the industry as a whole.

Patients now find themselves at increased risk of identity theft and financial fraud, as well as potential discrimination based upon their leaked medical information. Meanwhile, insurers fear they may see a significant surge in fraudulent claims which, in turn, could drive up costs for consumers.

None of this is good news, and it raises an interesting question: how will Change Healthcare respond to the latest ransom demand?

Change Healthcare's parent company, UnitedHealth Group, says that it continues to "make progress in mitigating the impact" of February's cyber attack.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
