In February, an extortion organization released a portion of what it claims is private and sensitive patient information for millions of Americans seized during the ransomware assault on Change Healthcare.
On Monday, a new ransomware and extortion group known as RansomHub uploaded many files on their dark web leak site, including personal information on patients from various documents such as billing files, insurance data, and medical information.
Some of the papers that Eltrys has seen include contracts and agreements between Change Healthcare and its partners.
RansomHub has promised to sell the data to the highest bidder until Change Healthcare pays the ransom.
This is the first time hackers have publicly revealed that they have medical and patient information from the breach.
Change Healthcare has an additional complication: this is the second gang to seek a ransom payment to prevent the dissemination of stolen patient data in as many months.
UnitedHealth Group, the parent firm of Change Healthcare, said that there was no indication of a new cyber attack. “We are collaborating with law enforcement and independent specialists to examine internet accusations and determine the scope of possibly compromised data. “Our investigation is still active and ongoing,” said Tyler Mason, a representative for UnitedHealth Group.
More likely, a conflict between members and associates of the ransomware group left the stolen data in limbo, leaving Change Healthcare vulnerable to future extortion.
ALPHV, a Russia-based ransomware organization, claimed responsibility for the Change Healthcare data heist. Then, in early March, ALPHV vanished, along with a $22 million ransom payment that Change Healthcare reportedly made to avoid the public publication of patient data.
An ALPHV affiliate—eessentially a contractor who earns a commission on cyberattacks launched using the gang’s malware—wwent public, claiming to have carried out the data theft at Change Healthcare but that the main ALPHV/BlackCat crew stiffed them out of their share of the ransom payment and fled with it. The contractor said that millions of patients’ data was “still with us.”
Now, RansomHub claims that “we have the data and not ALPHV.” The publication Wired, which first exposed the second group’s extortion attempt on Friday, cited RansomHub’s claim that it was associated with the affiliate that still possessed the data.
UnitedHealth has not disclosed whether it paid the hackers’ ransom or the amount of data stolen in the breach.
The healthcare giant announced in a statement on March 27 that it got a dataset “safe for us to access and analyze,” which the business obtained in return for the ransom money, according to a person familiar with the continuing crisis. It said that it was “prioritizing the review of data that we believe would likely have health information, personally identifiable information, claims, eligibility information, or financial information.”
