The RansomHub extortion gang has begun leaking what they claim is corporate and patient data stolen from United Health subsidiary Change Healthcare in what has been a protracted and convoluted extortion process for the company.
In February, Change Healthcare suffered a cyberattack that caused huge disruption to the US healthcare system, preventing pharmacies and doctors from billing or sending claims to insurance companies.
The attack was ultimately linked to the BlackCat/ALPHV ransomware operation, who later said they stole 6 TB of data during the attack.
After facing increased pressure from law enforcement, the BlackCat gang shut down their operation. This occurred amid claims they were pulling an exit scam by stealing a $22 million Change Healthcare ransom payment from the affiliate who carried out the attack.
While Change Healthcare has declined to comment on whether it has paid a ransom, the affiliate known as “Notchy” said they would extort Change Healthcare as they still had the company’s data.
A real double-extortion
After BlackCat shut down, the affiliate, Notchy, partnered with the RansomHub ransomware gang to extort Change Healthcare once again, even though the company allegedly already paid a ransom.
The threat actor issued a statement on the RansomHub data leak site saying that all the data would be released if Change Healthcare and United Health didn’t “attain a deal” with them.
Today, a week later, the threat actors have begun to leak screenshots of information they claim was stolen from Change Healthcare during the ransomware attack.
The screenshots include data-sharing agreements between Change Healthcare and insurance companies, including CVS Caremark, Health Net, and Loomis. Other documents contain accounting data, including aging reports, insurance payment reports, and other financial information.
However, what’s most concerning is that the leaked data also contains patient information, including amounts owed and bills for patient care services rendered.
The threat actors now say that Change Healthcare has 5 days to pay an extortion demand, or the threat actors will sell the data to the highest bidder.
While BleepingComputer cannot verify whether the leaked data was stolen from Change Healthcare, it does appear to belong to the company.
BleepingComputer contacted the company with questions about the leak, but a reply was not immediately available.