The RansomHub extortion gang has begun leaking what they claim is corporate and patient data stolen from United Health subsidiary Change Healthcare in what has been a long and convoluted extortion process for the company.
In February, Change Healthcare suffered a cyberattack that caused massive disruption to the US healthcare system, preventing pharmacies and doctors from billing or sending claims to insurance companies.
The attack was ultimately linked to the BlackCat/ALPHV ransomware operation, who later said they stole 6 TB of data during the attack.
After facing increased pressure from law enforcement, the BlackCat gang shut down their operation. This occurred amid claims they were pulling an exit scam by stealing a $22 million Change Healthcare ransom payment from the affiliate who carried out the attack.
While Change Healthcare has declined to comment on whether it has paid a ransom, the affiliate known as “Notchy” said they would extort Change Healthcare again as they still had the company’s data.
A real double-extortion
After BlackCat shut down, the affiliate, Notchy, partnered with the RansomHub ransomware gang to extort Change Healthcare once again, even though the company allegedly already paid a ransom.
The threat actor issued a statement on the RansomHub data leak site saying that all the data would be released if Change Healthcare and United Health did not “reach a deal” with them.
Today, a week later, the threat actors have begun to leak screenshots of files they claim were stolen from Change Healthcare during the February ransomware attack.
The screenshots include data-sharing agreements between Change Healthcare and insurance providers, including CVS Caremark, Health Net, and Loomis. Other documents contain accounting data, including aging reports, insurance payment reports, and other financial information.
However, what is most concerning is that the leaked data also contains patient information, including amounts owed and bills for patient care services rendered.
The threat actors now say that Change Healthcare has 5 days to pay an extortion demand, or the threat actors will sell the data to the highest bidder.
While BleepingComputer cannot verify whether the leaked data was stolen from Change Healthcare, it does appear to belong to the company.
BleepingComputer contacted the company with questions about the leak, but a reply was not immediately available.