
Change Healthcare Hit by 2nd Ransomware Attack Weeks After Restoring Systems

Written by : Arti Ghargi

April 10, 2024


RansomHub claims that it, not BlackCat/ALPHV, is in possession of the stolen data from Change Healthcare.

Just a month after a ransomware attack on Change Healthcare, the US healthtech giant has reportedly found itself embroiled in another ransomware attack.

According to new reports, the company is being extorted by another ransomware gang called ‘RansomHub’.

This ransomware gang is reportedly in possession of stolen Change Healthcare data and has demanded a ransom within 12 days, failing which, it has warned, the data will be sold to the highest bidder.

However, the validity of the lesser-known threat group’s claims remains unclear.

Last month, multiple reports suggested that a ransom of $22 million was paid to the hacker group BlackCat after the group claimed responsibility for the Change Healthcare cyberattack.

Reportedly, the payment was made in cryptocurrency in exchange for regaining access to its systems and data.

However, Change Healthcare neither confirmed nor denied the claims.

RansomHub Claims ALPHV Stole Data

RansomHub claims that it, and not BlackCat/ALPHV, has the stolen data from Change Healthcare.

It further says that ALPHV stole the $22 million ransomware payment from RansomHub actors, allegedly paid by UnitedHealth Group to retrieve its data.

The cybercriminal group says it maintains 4 TB of the company's data, including personally identifiable information (PII) belonging to active US military personnel and other patients, medical records, payment information, and more.

Moreover, it has said that it has not shared or leaked the data, but if Change Healthcare doesn’t pay the ransom, the data will be put up for sale to the highest bidder.

Security researchers are now floating theories about the latest ransom attack on a healthcare company.

BlackCat reportedly pulled what is called an ‘exit scam’ after receiving payment for the stolen data. Generally, the payment is split 80:20, wherein the ransomware gang keeps 20% of the payment and 80% is distributed to affiliates.

However, BlackCat shut its website after receiving the payment, indicating an implosion within the gang. This left many affiliates disgruntled, as they allegedly never received their share of the ransom payment.

According to the theory, they are now moving to RansomHub to try to obtain the payment with whatever data they’ve retained from the Change Healthcare attack.

Another theory suggests that BlackCat/ALPHV could have rebranded themselves.

In any case, Change Healthcare seems to have found itself caught in a rivalry between the two cybercriminal gangs, with massive amounts of patient data compromised.

Change Healthcare, which started restoring its systems after the attack that crippled the entire healthcare system of the US, is yet to comment on the latest threat.

To Recap: The Change Healthcare Attack

Change Healthcare, a healthcare billing and data systems provider owned by UnitedHealth Group, experienced a cyberattack that caused network disruption and likely resulted in a data breach.

The attack was initially suspected to be the work of a nation-state-associated actor, but it was later found to be conducted by the financially motivated cybercriminal group ALPHV/Blackcat.

The group claimed to have stolen 6TB of data from UnitedHealth, including highly selective data from all Change Healthcare clients, including Medicare, CVS Caremark, Health Net, and Tricare, the US military medical health agency.

The attack impacted services provided by Change Healthcare, including prescription processing services through Optum, which serves over 67,000 U.S. pharmacies and 129 million patients.

The incident caused enterprise-wide connectivity issues and disrupted services for major pharmacy chains.

UnitedHealth Group said that it had advanced nearly $4.7B to providers in need and would continue to financially support providers through full system recovery.

In March, pharmacy services, including electronic prescribing and claim submissions, were fully restored.

It also restored Amazon's cloud services from backups after clearance by cybersecurity partners.

Assurance, medical claims, remittance management software, and Relay Exchange, a clearinghouse for validation of insurance claims, were among the services restored.



© Digital Health News 2024