An extortion group has released some of what it claims are the personal and confidential patient records of millions of Americans stolen during a ransomware attack on Change Healthcare in February.
On Monday, a new ransomware and extortion gang calling itself RansomHub published several files on its dark web leak site containing patients' personal information, including billing files, insurance records, and medical information.
Some of the files seen by TechCrunch include contracts and agreements between Change Healthcare and its partners.
RansomHub threatened to sell the data to the highest bidder unless Change Healthcare paid the ransom.
This is the first time that cybercriminals have publicly disclosed evidence that they possess medical and patient records stolen in the Change Healthcare cyberattack.
Change Healthcare faces a further complication: this is the second group in as many months to demand a ransom payment to prevent the release of the stolen patient data.
Change Healthcare's parent company, UnitedHealth Group, said there was no evidence of a new cyber incident. “We are working with law enforcement and outside experts to investigate claims posted online and understand the scope of data that may be affected. Our investigation remains active. It's ongoing,” said UnitedHealth Group spokesperson Tyler Mason.
More likely, a dispute between the ransomware gang and one of its affiliates has left the stolen data in limbo, exposing Change Healthcare to further extortion.
A Russia-based ransomware gang called ALPHV, also known as BlackCat, was blamed for the Change Healthcare data theft. Then, in early March, ALPHV suddenly disappeared with a $22 million ransom allegedly paid by Change Healthcare to prevent the release of patient data.
An affiliate of ALPHV (affiliates are essentially contractors who carry out attacks using the gang's malware in exchange for a share of the ransom) claimed to have carried out the data theft at Change Healthcare, but said the core ALPHV/BlackCat crew publicly announced it was shutting down its operation, then took the ransom payment and disappeared with the lot without paying the affiliate its cut. The affiliate said the data of millions of patients "are still with us."
Now RansomHub says, "We have the data, ALPHV does not." Wired, which first reported on the second group's extortion efforts on Friday, quoted RansomHub as saying it was connected to an affiliate that still held the data.
UnitedHealth has so far declined to say whether it paid a ransom to the hackers, or to disclose how much data was stolen in the cyberattack.
In a statement on March 27, seen by TechCrunch, the healthcare giant said it had obtained datasets that could be "securely accessed and analyzed"; according to a source familiar with the ongoing incident, the company obtained those datasets in exchange for a ransom payment. UHG said it is "prioritizing the review of data that is likely to include health information, personally identifiable information, insurance claims and eligibility, and financial information."