The RansomHub extortion gang has begun leaking what they declare is company and affected person information stolen from United Well being subsidiary Change Healthcare in what has been an extended and convoluted extortion course of for the corporate.
In February, Change Healthcare suffered a cyberattack that induced large disruption to the US healthcare system, stopping pharmacies and medical doctors from billing or sending claims to insurance coverage corporations.
The assault was in the end linked to the BlackCat/ALPHV ransomware operation, who later stated they stole 6 TB of data during the attack.
After going through elevated stress from regulation enforcement, the BlackCat gang shut down their operation. This occurred amid claims they had been pulling an exit rip-off by stealing a $22 million Change Healthcare ransom cost from the affiliate who performed the assault.
Whereas Change Healthcare has declined to touch upon whether or not it has paid a ransom, the affiliate referred to as “Notchy” stated they’d extort Change Healthcare once more as they nonetheless had the corporate’s information.
A real double-extortion
After BlackCat shut down, the affiliate, Notchy, partnered with the RansomHub ransomware gang to extort Change Healthcare as soon as once more, though the corporate allegedly already paid a ransom.
The menace actor issued an announcement on the RansomHub information leak website saying that each one the information can be launched if Change Healthcare and United Well being didn’t “attain a deal” with them.
In the present day, per week later, the menace actors have begun to leak screenshots of information they declare had been stolen from Change Healthcare throughout the February ransomware assault.
The screenshots embrace data-sharing agreements between Change Healthcare and insurance coverage suppliers, together with CVS Caremark, Well being Internet, and Loomis. Different paperwork comprise accounting information, together with growing older stories, insurance coverage cost stories, and different monetary info.
Nevertheless, what’s most regarding is that the leaked information additionally incorporates affected person info, together with quantities owed and payments for affected person care providers rendered.
The menace actors now say that Change Healthcare has 5 days to pay an extortion demand, or the menace actors will promote the information to the very best bidder.
Whereas BleepingComputer can not confirm whether or not the leaked information was stolen from Change Healthcare, it does seem to belong to the corporate.
BleepingComputer contacted the corporate with questions concerning the leak however a reply was not instantly obtainable.
