The Change Healthcare attack that disrupted medical care across the US was indeed settled by a ransom payment, as new information from ownership group UnitedHealth reveals. The group has still not issued a formal breach notification, but did provide a general update on the situation that confirms a substantial amount of personally identifiable information was taken but that full medical records were not among the patient data that was stolen.
The update does not entirely clarify exactly what was in the 6 TB of patient data the attacker claimed to have, but the initial ransom payment does not appear to have secured the situation. The former AlphV affiliate that perpetrated the attack has taken the data to a new extortion service and is demanding a second payment, given that they were “exit scammed” out of the first one. UnitedHealth said that it will likely take weeks, and possibly months, to review the data and notify impacted parties of exactly what was taken.
Patient data theft may impact one out of three in US
The attack was one of the most damaging ever to the healthcare industry because Change Healthcare handles tens of billions of transactions, far more than the number of customers it has. Breach notifications may ultimately go out to about a third of the adult population of the country, and Change is projecting a loss of over $100 billion when all is said and done.
Next to its revenues and the projected loss, the $22 million ransom payment seems paltry. And given the amount of money involved and the sensitivity of the patient data, it is entirely possible Change will make a second payment. But the threat is now limited to extortion and public leaking, rather than another crippling deployment of ransomware.
Before they pulled their exit scam, AlphV/BlackCat had threatened to exclusively target healthcare organizations in retribution for an attempted FBI takedown of the group. Some of those members are strongly suspected to have fled to RansomHub, a new group that has been highly active and that appears to be facilitating the second shakedown of Change using the existing stolen patient data. The industry is extremely lucrative not only in terms of the information that can be stolen, but also in the pressure that can be applied when vital medical functions are shut down.
Former AlphV affiliate emerges to seek second ransom payment
The hacker has thus far leaked a small amount of patient data in the form of screenshots, but UnitedHealth Group says that it has not yet found any indication on the dark web of a sale or mass leak of the stolen information. The former AlphV affiliate who stole the data, a hacker going by the name of Notchy, is threatening to sell it to the highest bidder if a second ransom payment is not made.
The group also says that it has mostly recovered from the ransomware deployment, but some trouble spots remain. Pharmacies were crippled by an inability to process patient insurance for needed medication, but the group says that 99% are now back to normal operations. Internal payment processing capacity is mostly restored, as is the functioning of the group’s products and platforms. The most impacted remaining groups are smaller and more rural healthcare providers, who are being given alternate systems to submit medical claims.