Change Healthcare is facing a new cybersecurity nightmare after a ransomware group began selling what it claims is Americans’ sensitive medical and financial records stolen from the health care giant.
“For most US individuals out there doubting us, we probably have your personal data,” the RansomHub gang said in an announcement seen by WIRED.
The stolen data allegedly includes medical and dental records, payment claims, insurance details, and personal information like Social Security numbers and email addresses, according to screenshots. RansomHub claimed it had health care data on active-duty US military personnel.
The broad-scale theft and commercialization of private health care data is a severe repercussion of the cyberattack on Change Healthcare in February. The impact was immense: the cyberattack brought the company’s claim payment services to a halt, causing a crisis in the US health care system. Hospitals struggled to maintain operations without regular funding.
Change Healthcare, a branch of UnitedHealth Group, previously admitted that its systems were breached by a ransomware organization known as BlackCat or AlphV. Last week, in a conversation with WIRED, the company said it was looking into RansomHub’s claims of having access to the company’s stolen data. The company has yet to comment on the alleged sale of its data by the group.
The variety of patient data that RansomHub claims to be selling reflects the crucial role of Change Healthcare as an intermediary between insurers and health care providers. The company facilitates transactions between the two parties and, in the process, amasses large amounts of data about patients and their medical procedures.
RansomHub released some sample records, which included a list of open claims managed by EquiClaim, a subsidiary of the company. The samples comprised patient and provider names; a health record for a 74-year-old woman from Tampa, Florida; and a fragment of a database record related to US military service members’ health care.
RansomHub stated it would allow specific insurance companies that collaborated with Change Healthcare and had their data breached to pay ransoms to halt the sale of their records. The group highlighted that it was selling data from MetLife, CVS Caremark, Davis Vision, Health Net, and Teachers Health Trust.
The processing of sensitive data for all these companies by Change Healthcare is simply unbelievable, according to RansomHub’s statement.
Many of the firms whose data RansomHub claims to have did not immediately reply to WIRED’s request for comment.
Mike DeAngelis, the Executive Director of Corporate Communications for CVS Health, says the company is aware of unproven allegations from threat actors that confidential data, encompassing patient and member personal information from different organizations, was accessed during Change Healthcare’s cybersecurity incident.
“We are closely monitoring Change Healthcare’s response to this issue and will provide updates with more information as appropriate,” DeAngelis adds, noting that Change Healthcare has not yet confirmed that patient data “was impacted by this incident.”
Brett Callow, a threat analyst at the security firm Emsisoft who closely tracks ransomware gangs, says the new sale of stolen data was probably “less about actually selling the data” and more about putting Change Healthcare—and the partner companies whose records it failed to protect—“under additional pressure to pay.”
Change Healthcare appears to have paid a $22 million ransom to AlphV to stop it from leaking terabytes of stolen data.
Two months into the crisis spawned by the ransomware attack, Change Healthcare has faced mounting losses. The company recently reported spending $872 million responding to the incident as of March 31.
At the same time, Change is under increasing pressure from lawmakers and regulators to explain its cybersecurity lapse and the steps it’s taking to prevent another hack.
A subcommittee of the House Energy and Commerce Committee held a hearing on the health sector’s cyber posture on Tuesday, with key lawmakers saying they were disappointed that UnitedHealth Group declined to make an executive available to testify. And the Department of Health and Human Services is investigating whether Change Healthcare’s failure to prevent hackers from accessing and stealing its data violated federal data-security rules.
Updated 4/16/2024, 5:38 pm ET: Added additional details about the firms whose data RansomHub claims to possess.