Change Healthcare is facing a new cybersecurity nightmare after a ransomware group began selling what it claims is Americans’ sensitive medical and financial records stolen from the health care giant.
“For most US individuals out there doubting us, we probably have your personal data,” the RansomHub gang said in an announcement seen by WIRED.
The stolen data allegedly includes medical and dental records, payment claims, insurance details, and personal information like Social Security numbers and email addresses, according to screenshots. RansomHub claimed it had health care data on active-duty US military personnel.
The sprawling theft and sale of sensitive health care data represents a dramatic new form of fallout from the February cyberattack on Change Healthcare that crippled the company’s claims-payment operations and sent the US health care system into crisis as hospitals struggled to stay open without regular funding.
Change Healthcare, a subsidiary of UnitedHealth Group, previously acknowledged that a ransomware gang known as BlackCat or AlphV breached its systems, and told WIRED last week that it is investigating RansomHub’s claims about possessing the company’s stolen data. Change Healthcare did not immediately respond to a request for comment about the group’s alleged sale of its data.
The wide variety of patient data that RansomHub claims to be selling is a testament to Change Healthcare’s role as a critical intermediary between insurers and health care providers, facilitating payments between both parties and collecting reams of sensitive information about patients and their medical procedures in the process.
Among the sample records that RansomHub posted are a list of open claims handled by the company’s EquiClaim subsidiary that includes patient and provider names; a hospital record for a 74-year-old woman in Tampa, Florida; and part of a database record related to US military service members’ health care.
RansomHub said it would allow individual insurance companies that worked with Change Healthcare and had their data compromised to pay ransoms to prevent the sale of their records. It specified that it was selling data belonging to MetLife, CVS Caremark, Davis Vision, Health Net, and Teachers Health Trust.
Change Healthcare’s “processing of sensitive data for all of these companies is just something unbelievable,” RansomHub said in its announcement.
Most firms whose data RansomHub claims to possess did not immediately respond to WIRED’s request for comment.
Mike DeAngelis, the executive director of corporate communications for CVS Health says the company is “aware of unsubstantiated claims from threat actors that confidential data, including personal information of patients and members belonging to multiple organizations, was accessed as part of Change Healthcare’s cyber security incident.”
“We are closely monitoring Change Healthcare’s response to this issue and will provide updates with more information as appropriate,” DeAngelis adds, noting that Change Healthcare has not yet confirmed that patient data “was impacted by this incident.”
Brett Callow, a threat analyst at the security firm Emsisoft who closely tracks ransomware gangs, says the new sale of stolen data was probably “less about actually selling the data” and more about putting Change Healthcare—and the partner companies whose records it failed to protect—“under additional pressure to pay.”
Change Healthcare appears to have paid a $22 million ransom to AlphV to stop it from leaking terabytes of stolen data.
Two months into the crisis spawned by the ransomware attack, Change Healthcare has faced mounting losses. The company recently reported spending $872 million responding to the incident as of March 31.
At the same time, Change is under increasing pressure from lawmakers and regulators to explain its cybersecurity lapse and the steps it’s taking to prevent another hack.
A subcommittee of the House Energy and Commerce Committee held a hearing on the health sector’s cyber posture on Tuesday, with key lawmakers saying they were disappointed that UnitedHealth Group declined to make an executive available to testify. And the Department of Health and Human Services is investigating whether Change Healthcare’s failure to prevent hackers from accessing and stealing its data violated federal data-security rules.
Updated 4/16/2024, 5:38 pm ET: Added additional details about the firms whose data RansomHub claims to possess.