An extortion group has released a portion of what it says are the private and sensitive patient records for millions of Americans that were stolen during the Change Healthcare ransomware attack in February.
On Monday, a new ransomware and extortion gang calling itself RansomHub posted several files on its dark web leak site containing personal information about patients across different documents, including billing records, insurance records and medical information.
Some of the files, seen by TechCrunch, also contain contracts and agreements between Change Healthcare and its partners.
RansomHub threatened to sell the data to the highest bidder unless Change Healthcare paid a ransom.
It is the first time cybercriminals have released evidence that they are in possession of medical and patient records from the cyberattack.
For Change Healthcare, there’s another complication: This is the second group to demand a ransom payment to prevent the release of stolen patient data in as many months.
UnitedHealth Group, the parent company of Change Healthcare, said there was no evidence of a new cyber incident. “We are working with law enforcement and external experts to investigate claims posted online to understand the extent of potentially affected data. Our investigation remains active and ongoing,” said Tyler Mason, a spokesman for UnitedHealth Group.
More likely, a dispute between members and affiliates of the ransomware gang left the stolen data in limbo and Change Healthcare exposed to further extortion.
A Russia-based ransomware gang called ALPHV claimed credit for stealing Change Healthcare data. Then, in early March, ALPHV suddenly disappeared along with a $22 million ransom payment allegedly paid by Change Healthcare to prevent patient data from being publicly released.
An ALPHV affiliate – essentially a contractor who earns a commission for the cyberattacks they launch using the gang’s malware – has gone public claiming that they carried out the data theft at Change Healthcare, but that the main ALPHV/BlackCat crew cut them out of their share of the ransom payment and disappeared with the lot. The affiliate said the millions of patients’ data was “still with us”.
Now, RansomHub says “we have the data, not ALPHV”. Wired, which on Friday first reported the second group’s extortion attempt, reported that RansomHub says it is connected to the affiliate that still holds the data.
UnitedHealth previously declined to say whether it paid the hackers’ ransom, nor did it say how much data was stolen in the cyberattack.
The healthcare giant said in a statement on March 27 that it had obtained a set of data that was “safe for us to access and analyze”; the company received that data in exchange for paying a ransom, TechCrunch learned from a source with knowledge of the ongoing incident. UHG said it was “prioritizing the review of data that we believe will likely have health information, personally identifiable information, claims and eligibility or financial information.”