Ransomware group starts leaking Change Healthcare data

The ransomware group that claims to have data stolen from Change Healthcare in February has begun leaking it online.

On April 15, 2024, the RansomHub group posted a selection of screenshots on its dark web data leak site, along with a message:

Before our final reveal, below you will find attached screenshots of just a mere sample of data we have.

It is just unbelievable the amount and sensitivity of data that Change Healthcare was in possession of.

Below evidence shows a sample of data for major insurance providers including Metlife, CVS Caremark, Tricare, Medicare, and others.

The screenshots, which we have seen but not verified as authentic, show a selection of data relating to insurance providers, such as partner agreements, and details of changes, payments, and invoices.

RansomHub claims that it has 4 TB of “highly selective data”, which includes medical records, dental records, payments information, claims information, PII belonging to patients and US military personnel, and insurance records.

The group is threatening to release the rest of the data stolen from Change Healthcare in a little under two days’ time, if it doesn’t receive a ransom.

Ransomware groups are always looking for ways to increase their leverage over their victims, and in this case RansomHub has made special mention of the insurers involved, name-checking Medicare, Tricare, CVS-CareMark, Loomis, Davis Vision, Health Net, MetLife, and Teachers Health Trust. Presumably, it is hoping that the insurers will apply pressure on Change Healthcare to pay up and keep their and their customers’ data under wraps.

This eleventh-hour escalation suggests that Change Healthcare isn’t playing ball. That’s no surprise: the company has been put through the wringer since late February, when it became an unwitting participant in a spat between criminal groups.

Change Healthcare is one of the largest healthcare technology companies in the USA, responsible for the flow of payments between payers, providers, and patients. It was attacked on Wednesday February 21, 2024, by a criminal “affiliate” working with the ALPHV ransomware group, which led to huge disruptions in healthcare payments.

On March 3, a user on the RAMP dark web forum claimed they were the affiliate behind the attack, and that ALPHV had stolen the entirety of a $22 million ransom paid by Change Healthcare. Shortly after, the ALPHV group disappeared in an unconvincing exit scam designed to make it look as if the group’s website had been seized by the FBI.

A month later, a newcomer ransomware group, RansomHub, listed Change Healthcare as a victim on its website, and claimed:

ALPHV stole the ransom payment (22 Million USD) that Change Healthcare and United Health paid in order to restore their systems and prevent the data leak.

HOWEVER we have the data and not ALPHV.

Quite how the data made it from ALPHV to RansomHub isn’t known, but the most likely route is that the disgruntled ALPHV affiliate simply found a new partner to work with in newcomer RansomHub.

If Change Healthcare holds its nerve and doesn’t pay a ransom then a very sizeable dump of very sensitive data is likely to arrive on the dark web by the weekend, which could be a bonanza for scammers and identity thieves. People likely to be affected by the breach can help protect themselves with Identity Theft Protection.

Organisations looking to avoid becoming the next Change Healthcare are advised to revisit their preparations for a ransomware attack.