Change Healthcare finds itself embroiled in a fresh cybersecurity ordeal as a ransomware syndicate begins peddling what it purports to be sensitive medical and financial records belonging to Americans, allegedly stolen from the healthcare giant.
This major breach and trafficking of confidential healthcare data follows the February cyber attack on Change Healthcare. The attack disrupted the company’s claims-payment system, causing widespread problems across the US healthcare sector as hospitals faced operational and financial challenges.
In a statement obtained by WIRED, RansomHub, the group claiming responsibility for the most recent attack, ominously declared, "For those in the US questioning our authenticity, chances are, we possess your personal information."
RansomHub shared samples of the stolen data, including lists of pending claims from Change Healthcare's EquiClaim subsidiary, a medical record of a 74-year-old woman in Tampa, Florida, and parts of a database related to US military healthcare.
The stolen data reportedly includes medical and dental records, payment claims, insurance details, and personal identifiers like Social Security numbers and email addresses. RansomHub also claimed to have healthcare data on active-duty US military personnel.
Change Healthcare, which operates under UnitedHealth Group, previously confirmed a data breach by a ransomware group known as BlackCat or AlphV. The company told WIRED it is investigating RansomHub's claims about the stolen data. However, it has not addressed allegations that the data is being sold.
The array of patient data purportedly up for sale underscores Change Healthcare's pivotal role as a conduit between insurers and healthcare providers. It facilitates financial transactions while accumulating vast troves of sensitive patient information.
RansomHub has given a stark warning: insurance companies affected by the breach must pay a ransom, or their records will be sold. The group has specifically threatened to sell data from MetLife, CVS Caremark, Davis Vision, Health Net, and Teachers Health Trust.
Most companies implicated in RansomHub's data possession claims have yet to respond to WIRED's inquiries.
Mike DeAngelis, CVS Health's executive director of corporate communications, acknowledges the claims made by threat actors but emphasizes that Change Healthcare has not verified the incident’s impact on patient data.
A threat analyst at Emsisoft, a security software company, suggests that the apparent sale of stolen data is less about actual transactions and more about exerting pressure on Change Healthcare and its affiliates to pay up.
Two months after the ransomware attack, Change Healthcare has incurred financial losses of $872 million as of March 31.
Simultaneously, the company faces mounting scrutiny from legislators and regulators seeking explanations for its cybersecurity breach and assurances regarding future safeguards.
A House Energy and Commerce Committee subcommittee held a hearing on cyber resilience in the healthcare sector. Lawmakers were disappointed by UnitedHealth Group's refusal to provide executive testimony. Meanwhile, the Department of Health and Human Services is investigating whether Change Healthcare's security failure violated federal data security laws.