Twist In Change Healthcare Ransom Attack

The RansomHub extortion gang is leaking what they say is corporate and patient data stolen from Change Healthcare, a United Health subsidiary. Bleeping Computer calls the healthcare ransom attack a long, convoluted, double-extortion.

The scam happened in February. It caused an immediate and huge disruption in the entire healthcare system by preventing pharmacies and doctors from billing or sending claims to insurance companies. It was pinned on the BlackCat/ALPHV ransomware gang, which was pressured into shutting down by law enforcement.

Part of the mystique around cyber gangs is how they shape-shift, and take vast sums of money with them when they mutate. BlackCat claimed its final act would be the theft of a $22 million ransom payment from the affiliate who conducted the Change Healthcare attack.

The affiliate, “Notchy,” claimed it would continue to extort Change Healthcare, which has declined comment on whether it paid a ransom. Now Notchy, in partnership with the RansomHub gang, has extorted Change Healthcare a second time. The new entity issued a threat to release all the data it had if no deal was reached.

A week later screenshots of files allegedly stolen from Change Healthcare began to appear. They include patient information including bills for care services, data-sharing agreements between Change Healthcare and insurance providers, accounting data, insurance payment reports, and other financial information.

When the Bleeping Computer article was published on April 15, Notchy and company said that Change Healthcare had five days to pay up or all the data would be sold to the highest bidder.