Change Healthcare leak countdown begins as RansomHub releases sample data

Change Healthcare reveals data stolen in ALPHV/RansomHub cyberattack

The countdown to the Change Healthcare data leak has finally begun after the RansomHub threat group posted a sample of the supposedly stolen data and started a timer for the full release.

To put it in context, Change Healthcare, a subsidiary of major US healthcare organization UnitedHealth, was hacked in February. The company originally blamed state-sponsored hackers before ALPHV took credit for the attack.

ALPHV received a $22 million ransom, which it then pocketed without paying the affiliate behind the attack, claiming as an exit strategy that it had been taken down by the FBI. Despite the drawn-out back-and-forth, the affiliate, Notchy, was never paid, so Change Healthcare’s systems were not restored and the stolen data was not deleted.

RansomHub then claimed to have Change Healthcare’s data and demanded that the organization pay them a ransom.

Now the group is threatening to release what it claims are four terabytes of exfiltrated data in less than five days at the time of writing, and has published an extensive sample of the data to prove its legitimacy.

“Before our final reveal, below you will find attached screenshots of just a sample of the data we have,” RansomHub said.

“It is simply incredible the amount and sensitivity of data that Change Healthcare possessed.

“The evidence below shows a sample of data from major insurance providers, including Metlife, CVS Caremark, Tricare, Medicare and others.”

The threat group’s message appears to be aimed at other threat actors, stressing the sensitivity and value of the stored data, likely in an attempt to mock and scare UnitedHealth into paying.

“If Change Healthcare/United Health doesn’t care about your data, maybe it should…” the group added.

“Since the data is extremely large and analyzing it is very time-consuming, according to our initial analysis, the data combines all the different clients into a single process.

“Which means you can find PII/PHI from multiple insurance providers in a single processing file (i.e. CVS/Metlife/Medicare, etc.).

“The more we analyze the data, the more we are surprised by the amount of financial, medical and personal information we found and it will be more devastating than the first attack itself.”

The sample data includes data exchange and business associate agreements, medical claims data, patient names, treatment locations, dates of birth, gender, medical record numbers (MRNs), reference numbers, home and mobile telephone numbers, payer contracts and more.

“There are five days left on the clock. The devastating effect can still be mitigated. Insurance providers should be really worried as this will affect them and their customers beyond measure,” RansomHub said.

In its earlier statement, RansomHub said the data includes information about Change Healthcare partners and customers from Medicare, Tricare, CVS Caremark, Loomis, Davis Vision, Health Net, MetLife, Teachers Health Trust and dozens of insurance companies and others.

It also said the data includes personally identifiable information (PII) of US military and naval personnel, dental records, mental health records, payment information, patient PII and more than 3,000 source code files for Change Health Solutions.

If Change Healthcare does not pay the ransom, RansomHub has said the data will be put up for sale “to the highest bidder.”
