Change Healthcare's New Ransomware Nightmare Goes From Bad to Worse

Change Healthcare is facing a new cybersecurity nightmare after a ransomware group began selling what it claims is Americans' sensitive medical and financial records stolen from the health care giant.
RansomHub claimed it had health care data on active-duty US military personnel.
The sprawling theft and sale of sensitive health care data represents a dramatic new form of fallout from the February cyberattack on Change Healthcare that crippled the company's claims-payment operations and sent the US health care system into crisis as hospitals struggled to stay open without regular funding.
Change Healthcare, a subsidiary of UnitedHealth Group, previously acknowledged that a ransomware gang known as BlackCat or AlphV breached its systems, and told WIRED last week that it is investigating RansomHub's claims about possessing the company's stolen data.
Change Healthcare did not immediately respond to a request for comment about the group's alleged sale of its data.
The wide variety of patient data that RansomHub claims to be selling is a testament to Change Healthcare's role as a critical intermediary between insurers and health care providers, facilitating payments between both parties and collecting reams of sensitive information about patients and their medical procedures in the process.
Among the sample records that RansomHub posted are a list of open claims handled by the company's EquiClaim subsidiary that includes patient and provider names; a hospital record for a 74-year-old woman in Tampa, Florida; and part of a database record related to US military service members' health care.
RansomHub said it would allow individual insurance companies that worked with Change Healthcare and had their data compromised to pay ransoms to prevent the sale of their records.
It specified that it was selling data belonging to MetLife, CVS Caremark, Davis Vision, Health Net, and Teachers Health Trust.
Most firms whose data RansomHub claims to possess did not immediately respond to WIRED's request for comment.
Change Healthcare appears to have paid a $22 million ransom to AlphV to stop it from leaking terabytes of stolen data.
Two months into the crisis spawned by the ransomware attack, Change Healthcare has faced mounting losses.
The company recently reported spending $872 million responding to the incident as of March 31.
At the same time, Change is under increasing pressure from lawmakers and regulators to explain its cybersecurity lapse and the steps it's taking to prevent another hack.
A subcommittee of the House Energy and Commerce Committee held a hearing on the health sector's cyber posture on Tuesday, with key lawmakers saying they were disappointed that UnitedHealth Group declined to make an executive available to testify.
The Department of Health and Human Services is investigating whether Change Healthcare's failure to prevent hackers from accessing and stealing its data violated federal data-security rules.
Updated 4/16/2024, 5:38 pm ET: Added additional details about the firms whose data RansomHub claims to possess.


This Cyber News was published on www.wired.com. Publication date: Tue, 16 Apr 2024 19:58:03 +0000


Cyber News related to Change Healthcare's New Ransomware Nightmare Goes From Bad to Worse