Written by: Arti Ghargi
April 10, 2024
Just a month after a ransomware attack on Change Healthcare, the US healthtech giant has reportedly found itself embroiled in another ransomware attack.
According to new reports, the company is being extorted by another ransomware gang called ‘RansomHub’.
This ransomware gang is reportedly in possession of stolen Change Healthcare data and has demanded a ransom within 12 days, warning that otherwise the data will be sold to the highest bidder.
However, the validity of the lesser-known threat group’s claims remains unclear.
Last month, multiple reports suggested that a ransom of $22 million was paid to the hacking group BlackCat after the group claimed responsibility for the Change Healthcare cyberattack.
Reportedly, the payment was made in cryptocurrency in exchange for regaining access to its systems and data.
However, Change Healthcare neither confirmed nor denied the claims.
RansomHub claims that it, and not BlackCat/ALPHV, holds the data stolen from Change Healthcare.
It further says that ALPHV stole from RansomHub actors the $22 million ransom payment allegedly made by UnitedHealth Group to retrieve its data.
The cybercriminal group says it holds 4 TB of the company's data, including personally identifiable information (PII) belonging to active US military personnel and other patients, medical records, payment information, and more.
Moreover, it has said that it has not shared or leaked the data, but that if Change Healthcare doesn’t pay the ransom, the data will be put up for sale to the highest bidder.
Security researchers are now floating theories about the latest ransom attack on a healthcare company.
BlackCat reportedly pulled what is called an ‘exit scam’ after receiving payment for the stolen data. Generally, the payment is split 80:20, wherein the ransomware gang keeps 20% of the payment and 80% is distributed to affiliates.
However, BlackCat shut its website after receiving the payment, indicating an implosion within the gang. This left disgruntled many affiliates who allegedly never received their share of the ransom payment.
According to the theory, they are now moving to RansomHub to try to obtain the payment with whatever data they’ve retained from the Change Healthcare attack.
Another theory suggests that BlackCat/ALPHV could have rebranded themselves.
In any case, Change Healthcare seems to have found itself caught in the rivalry between the two cybercriminal gangs, with a massive amount of patient data compromised.
Change Healthcare, which started restoring its systems after the attack that crippled the entire healthcare system of the US, is yet to comment on the latest threat.
Change Healthcare, a healthcare billing and data systems provider owned by UnitedHealth Group, has experienced a cyberattack that caused network disruption and likely resulted in a data breach.
The attack was initially suspected to be the work of a nation-state-associated actor, but it was later found to be conducted by the financially motivated cybercriminal group ALPHV/BlackCat.
The group claimed to have stolen 6TB of data from UnitedHealth, including highly selective data from all Change Healthcare clients, among them Medicare, CVS Caremark, Health Net, and Tricare, the US military medical health agency.
The attack impacted services provided by Change Healthcare, including prescription processing services through Optum, which serves over 67,000 U.S. pharmacies and 129 million patients.
The incident caused enterprise-wide connectivity issues and disrupted services for major pharmacy chains.
UnitedHealth Group stated that it advanced nearly $4.7B to providers in need and will continue to financially support providers through full system recovery.
In March, pharmacy services, including electronic prescribing and claim submissions, were fully restored.
It also restored Amazon's cloud services from backups after clearance by cybersecurity partners.
Assurance, medical claims, remittance management software, and Relay Exchange, a clearinghouse for validation of insurance claims, were among the services restored.