Change Healthcare has been the victim of another major cyberattack just weeks after a major ransomware attack brought down its systems and caused delays in prescription services across the United States.
This is the company's second cyber incident of 2024: earlier this year it suffered a major breach orchestrated by the notorious ALPHV/BlackCat ransomware group.
In this latest incident, a relatively new threat actor known as RansomHub claims to have stolen 4 TB of sensitive data from the organization's network and has threatened to publish the information unless they receive a ransom payment.
The stolen information includes PII of active U.S. service members and other patients, medical records, insurance records, payment information, and more than 3,000 source code files for Change Healthcare solutions.
In a statement posted to the group's dedicated breach site, RansomHub provided a list of Change Healthcare partners affected by the attack, including Medicare, Tricare, CVS-CareMark, Loomis, Davis Vision, MetLife, Health Net, and more.
RansomHub, a relatively new player in the ransomware-as-a-service (RaaS) industry, first came onto security analysts' radar in February 2024, when it published details of its first victim, the Brazilian management company YKP, on its leak site.
Since then, the group claims to have carried out 17 successful cyberattacks, although its leak site currently only lists 14 victims.
RansomHub warned that Change Healthcare must meet its demands and pay the ransom within 12 days or the data will be available for sale to the highest bidder.
Change Healthcare caught in the middle of an adversarial ransomware industry
It's been a rough start to the year for the American healthcare company, with reports claiming it paid the initial ransom demanded by ALPHV in February, only to be extorted once again by a separate hacking group.
Researchers monitoring the ALPHV group's crypto wallets pointed to a $22 million Bitcoin transaction as evidence that Change Healthcare paid the initial ransom, something Change Healthcare has not officially confirmed.
If true, this would constitute one of the largest ransom payments ever recorded in the US and would mean the healthcare organization faces a difficult decision about whether to relent and pay a second time.
In a communication from RansomHub to Change Healthcare, the group claims that the stolen data is the same as that exfiltrated during the initial cyberattack by ALPHV.
Some experts have suggested that RansomHub is simply a rebranded ALPHV, using the new name to intimidate the healthcare company into paying a second time.
According to RansomHub, ALPHV ran an “exit scam,” meaning the group absconded with the funds before compensating all affiliates involved in the attack.
RansomHub's statement alleges that affiliates involved in the original ALPHV attack did not receive their share of the ransom, typically 80% of the total fee, and the resulting discord among unpaid affiliates led to the group's fracture.
The group told the threat intelligence project vx-underground that after ALPHV scammed its affiliates out of the $22 million ransom extracted from Change Healthcare, those affiliates left the group and are now "actively joining" RansomHub.
The statement claims that RansomHub now has control of the data stolen in the February breach and also wants payment. This suggests that those who participated in the original attack are also involved in this latest development and were able to share the data with the
Nick Tausek, principal security automation architect at security specialist Swimlane, said that regardless of the identity of the culprits, the attack will have serious consequences, with critical services disrupted.
“While it remains uncertain whether this latest attack comes from the same threat actors using a new alias or involves an entirely new group, the February incident underscores the intricate web of interdependence in the healthcare system,” he explained.
“Its impacts go beyond simple inconveniences and affect vital services such as pharmacy operations, eligibility checks and claims processing, all essential to patient care. The tangible consequences for human health serve as a stark reminder of the urgent need for robust cybersecurity measures across the industry.”