Ransomware gang starts leaking alleged stolen Change Healthcare data

The RansomHub extortion gang has begun leaking what they claim is corporate and patient data stolen from United Health subsidiary Change Healthcare in what has been a long and convoluted extortion process for the company.

In February, Change Healthcare suffered a cyberattack that caused massive disruption to the US healthcare system, preventing pharmacies and doctors from billing or sending claims to insurance companies.

The attack was ultimately linked to the BlackCat/ALPHV ransomware operation, who later said they stole 6 TB of data during the attack.

After facing increased pressure from law enforcement, the BlackCat gang shut down their operation. This occurred amid claims they were pulling an exit scam by stealing a $22 million Change Healthcare ransom payment from the affiliate who conducted the attack.

While Change Healthcare has declined to comment on whether it has paid a ransom, the affiliate known as "Notchy" said they would extort Change Healthcare again as they still had the company's data.

A true double-extortion

After BlackCat shut down, the affiliate, Notchy, partnered with the RansomHub ransomware gang to extort Change Healthcare once again, even though the company allegedly already paid a ransom.

The threat actor issued a statement on the RansomHub data leak site saying that all the data would be released if Change Healthcare and United Health did not "reach a deal" with them.

Today, a week later, the threat actors have begun to leak screenshots of files they claim were stolen from Change Healthcare during the February ransomware attack.

The screenshots include data-sharing agreements between Change Healthcare and insurance providers, including CVS Caremark, Health Net, and Loomis. Other documents contain accounting data, including aging reports, insurance payment reports, and other financial information.

However, what is most concerning is that the leaked data also contains patient information, including amounts owed and bills for patient care services rendered.

The threat actors now say that Change Healthcare has five days to pay an extortion demand, or the threat actors will sell the data to the highest bidder.

While BleepingComputer cannot verify whether the leaked data was stolen from Change Healthcare, it does appear to belong to the company.

BleepingComputer contacted the company with questions about the leak but a reply was not immediately available.