The leak of Change Healthcare data has, at long last, begun after the RansomHub threat group posted a sample of the allegedly stolen data and initiated a countdown for the full release.
For context, Change Healthcare, a subsidiary of major US healthcare organisation UnitedHealth, was hacked in February. The company originally blamed state-sponsored hackers before ALPHV took credit for the attack.
ALPHV was paid a ransom of US$22 million, which it pocketed without paying Notchy, the affiliate behind the attack, instead claiming it had been taken down by the FBI as an exit strategy. Despite an angry back and forth, the affiliate was never paid, so Change Healthcare’s systems were not restored and the stolen data was not deleted.
RansomHub then claimed to have the Change Healthcare data and demanded that the organisation pay them a ransom.
Now, the group is threatening to release an alleged four terabytes of exfiltrated data in under five days at the time of writing and has posted a lengthy sample of the data to prove legitimacy.
“Before our final reveal, below you will find attached screenshots of just a mere sample of data we have,” said RansomHub.
“It is just unbelievable the amount and sensitivity of data that Change Healthcare was in possession of.
“Below evidence shows a sample of data for major insurance providers including Metlife, CVS Caremark, Tricare, Medicare, and others.”
The threat group’s message appears to be aimed at other threat actors, stressing the sensitivity and value of the stored data, likely in an attempt to taunt and scare UnitedHealth into paying up.
“If Change Healthcare / United Health don’t care about your data, maybe you should ...,” the group added.
“Given that the data is extremely huge and analyzing the data needs a lot of time, based on our initial analysis the data combines all the different clients in a single process.
“Meaning you could find PII/PHI for several insurance providers in a single processing file (i.e. CVS / Metlife / Medicare etc).
“The more we go through the data the more we are shocked by the amount of financial, medical, and personal information we find and it will be more devastating than the first attack itself.”
Sample data includes data sharing and trading partner agreements, medical claims data, patient names, places of treatment, birth dates, sex, medical record numbers (MRNs), referral numbers, home and mobile phone numbers, payer contracts and more.
“Five days remain on the clock. The devastating effect can still be mitigated. Insurance providers should be really concerned as this will impact them and their clients beyond measure,” RansomHub said.
In its previous statement, RansomHub said the data includes information on Change Healthcare partners and clients from Medicare, Tricare, CVS Caremark, Loomis, Davis Vision, Health Net, MetLife, Teachers Health Trust and tens of insurance companies and others.
It also said that other data includes the personally identifiable information (PII) of US military and navy personnel, dental records, mental records, payment information, patient PII, and over 3,000 source code files for Change Health Solutions.
If Change Healthcare does not pay a ransom, RansomHub has said that the data will be up for sale “to the highest bidder”.