Change Healthcare Admits Paying Ransomware Hackers, Yet Struggles with Ongoing Patient Data Leak

Andy Greenberg

More than two months after the start of a ransomware debacle whose impact ranks among the worst in the history of cybersecurity, the medical firm Change Healthcare finally confirmed what cybercriminals, security researchers, and Bitcoin’s blockchain had already made all too clear: that it did indeed pay a ransom to the hackers who targeted the company in February. And yet, it still faces the risk of losing vast amounts of customers’ sensitive medical data.

In a statement sent to WIRED and other news outlets on Monday evening, Change Healthcare wrote that it paid a ransom to a cybercriminal group extorting the company, a hacker gang known as AlphV or BlackCat. “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure,” the statement reads. The company’s belated admission of that payment accompanied a new post on its website where it warns that the hackers may have stolen health-related data that would “cover a substantial proportion of people in America.”

Cybersecurity and cryptocurrency researchers told WIRED last month that Change Healthcare appeared to have paid that ransom on March 1, pointing to a transaction of 350 bitcoins or roughly $22 million sent into a crypto wallet associated with the AlphV hackers. That transaction was first highlighted in a message on a Russian cybercriminal forum known as RAMP, where one of AlphV’s allegedly jilted partners complained that they hadn’t received their cut of Change Healthcare’s payment. However, for weeks following that transaction, which was publicly visible on Bitcoin’s blockchain and which both security firm Recorded Future and blockchain analysis firm TRM Labs told WIRED had been received by AlphV, Change Healthcare repeatedly declined to confirm that it had paid the ransom.

Change Healthcare’s confirmation of that extortion payment puts new weight behind the cybersecurity industry’s fears that the attack—and the profit AlphV extracted from it—will lead ransomware gangs to further target health care companies. “It 100 percent encourages other actors to target health care organizations,” Jon DiMaggio, a researcher with cybersecurity firm Analyst1 who focuses on ransomware, told WIRED at the time the transaction was first spotted in March. “And it’s one of the industries we don’t want ransomware actors to target—especially when it affects hospitals.”

Compounding the situation, a conflict between hackers in the ransomware ecosystem has led to a second ransomware group claiming to possess Change Healthcare’s stolen data and threatening to sell it to the highest bidder on the dark web. Earlier this month that second group, known as RansomHub, sent WIRED alleged samples of the stolen data that appeared to come from Change Healthcare’s network, including patient records and a contract with another health care company.

As of Monday, strangely, the listing for that data on RansomHub’s dark-web site had been taken down. Change Healthcare’s post to its website, however, warns that 22 screenshots of its data had been posted to the dark web by an unnamed hacker group, and that they included “protected health information (PHI) or personally identifiable information (PII),” though it said it hadn’t seen any sign that medical records like doctor’s charts or full medical histories for any patients were among the stolen data.


For Change Healthcare and the beleaguered medical practices, hospitals, and patients that depend on it, the confirmation of its extortion payment to the hackers adds a bitter coda to an already dystopian story. AlphV’s digital paralysis of Change Healthcare, a subsidiary of UnitedHealth Group, snarled the insurance approval of prescriptions and medical procedures for hundreds of medical practices and hospitals across the country, making it by some measures the most widespread medical ransomware disruption ever. A survey of American Medical Association members conducted between March 26 and April 3 found that four out of five clinicians had lost revenue as a result of the crisis. Many said they were using their own personal finances to cover a practice’s expenses. Change Healthcare, meanwhile, says it has lost $872 million to the incident and projects that number to rise well over a billion in the longer term.

Change Healthcare’s confirmation that it paid a ransom also makes clear that the significant fallout for the US health care system occurred even after it had handed a hefty sum to the hackers. The payment was meant to buy a decryption key to restore the company’s encrypted systems and an assurance that the stolen data wouldn’t be leaked. Yet because of the widespread disruption the AlphV ransomware attack caused, recovery is still ongoing even with the decryption key in hand.

A $22 million ransom is large, but not the largest on record. Brett Callow, a security researcher who specializes in ransomware, notes that only a handful of known payments, such as the $40 million paid by CNA Financial in 2021, exceed that figure. A payment of this size, he says, is unusual but not unprecedented.

The inflow of $22 million into the ransomware ecosystem continues a vicious cycle that has escalated to epidemic levels. Chainalysis, a cryptocurrency tracing firm, reported that ransomware victims paid a total of $1.1 billion in 2023, a new record. Although Change Healthcare’s payment is only a small portion of that total, it not only rewards AlphV for its damaging attacks but also signals to other ransomware groups that health care companies are particularly lucrative targets. Those companies are especially exposed because an attack imposes high financial costs and can put patients’ health at risk.

Adding to Change Healthcare’s predicament is apparent treachery within the ransomware community. After receiving Change Healthcare’s payment, AlphV reportedly staged its own law enforcement takedown, presumably to avoid sharing the profits with its affiliates, the hackers who collaborate with the group to breach victims’ systems. RansomHub, a second ransomware group now threatening Change Healthcare, told WIRED that it acquired the stolen data from those unpaid affiliates.

That has created a situation where Change Healthcare’s payment provides little assurance that its compromised data won’t still be exploited by disgruntled hackers. “These affiliates work for multiple groups. They’re concerned with getting paid themselves, and there’s no trust among thieves,” Analyst1’s DiMaggio told WIRED in March. “If someone screws someone else, you don’t know what they’re going to do with the data.”

All of that means Change Healthcare still has little assurance that it has avoided an even worse scenario than it has yet faced: paying what may be one of the biggest ransoms in history and still seeing its data spilled onto the dark web. “If it gets leaked after they paid $22 million, it’s pretty much like setting that money on fire,” DiMaggio warned in March. “They’d have burned that money for nothing.”
