top of page

RansomHub Begins Leaking Data in Continued Extortion of Change Healthcare

The RansomHub extortion gang has initiated the release of what they claim to be sensitive corporate and patient data stolen from United Health subsidiary Change Healthcare, escalating an already complex and drawn-out extortion saga. This action follows a disruptive cyberattack in February, which significantly hindered the U.S. healthcare system's ability to process billing and insurance claims.

Initially, the cyberattack was linked to the notorious BlackCat/ALPHV ransomware group, who later admitted to exfiltrating 6 terabytes of data during their operation. Despite the eventual shutdown of the BlackCat operation—amidst allegations of an exit scam involving a $22 million ransom payment from Change Healthcare—the troubles for the healthcare provider didn't end there.

Following BlackCat's closure, an affiliate of the group known as "Notchy" has joined forces with RansomHub to continue the extortion efforts against Change Healthcare. Despite claims of a prior ransom payment, Notchy and RansomHub have threatened further data leaks if their demands are not met.

Recently, RansomHub posted on their data leak site that unless Change Healthcare and United Health "reach a deal" with them, all stolen data would be published. True to their word, the group began leaking screenshots of stolen files this week, showcasing a variety of documents ranging from data-sharing agreements with major insurers like CVS Caremark and Health Net to detailed financial records such as aging reports and insurance payment reports.

Among the leaked documents, however, are files containing sensitive patient information, including billing details and amounts owed for patient care services. This leak not only highlights the severity of the data breach but also underscores the risks to patient privacy.

The extortionists have now set a five-day deadline for Change Healthcare to meet their ransom demands, threatening to sell the data to the highest bidder if the company fails to comply. This situation marks a concerning escalation in ransomware tactics, focusing on double extortion by threatening both data release and re-extortion even after initial ransom payments.

As the healthcare sector grapples with these cybersecurity challenges, the ongoing situation at Change Healthcare serves as a critical reminder of the importance of robust data protection strategies to safeguard sensitive information against such threats.


bottom of page