Change Healthcare is facing a new cybersecurity nightmare after a ransomware group began selling Americans’ sensitive medical and financial records allegedly stolen from the healthcare giant.
“For most Americans who doubt us, we probably have your personal data,” the RansomHub gang said in a statement seen by WIRED.
Screenshots show that the stolen data allegedly includes medical and dental records, payment claims, insurance details, and personal information such as Social Security numbers and email addresses. RansomHub claims to have healthcare data on active duty U.S. military personnel.
The massive theft and sale of sensitive healthcare data is a dramatic new fallout from the February cyberattack on Change Healthcare that crippled the company’s claims payment business and sent the U.S. healthcare system into crisis as hospitals struggled to stay open without regular funding.
Change Healthcare, a unit of UnitedHealth Group, previously acknowledged that a ransomware gang known as BlackCat, or AlphV, compromised its systems and told WIRED last week that it was investigating RansomHub’s claims of data theft. Change Healthcare did not immediately respond to a request for comment about the organization’s alleged sale of its data.
The various patient data RansomHub claims to have sold is evidence of Change Healthcare’s role as a key intermediary between insurance companies and healthcare providers, facilitating payments between the parties and, in the process, collecting vast amounts of sensitive information about patients and their medical procedures.
The sample records released by RansomHub include a list of pending claims handled by the company’s subsidiary EquiClaim, which includes patient and provider names; hospital records for a 74-year-old woman in Tampa, Florida; and part of a database related to U.S. military health care.
RansomHub said it will allow individual insurance companies that work with Change Healthcare and whose data was compromised to pay a ransom to prevent their records from being sold. It explicitly states that it is selling data belonging to MetLife, CVS Caremark, Davis Vision, Health Net and Teachers Health Trust.
RansomHub said in its statement that Change Healthcare “handles sensitive data for all of these companies beyond belief.”
Most of the companies whose data RansomHub claims to have did not immediately respond to WIRED’s request for comment.
Mike DeAngelis, executive director of corporate communications at CVS Health, said the company is “aware of unsubstantiated claims by threat actors that confidential data, including the personal information of patients and members belonging to multiple organizations, was compromised as part of the Change Healthcare cybersecurity incident.”
“We are closely monitoring Change Healthcare’s response to this issue and will provide updates with additional information as appropriate,” DeAngelis added, noting that Change Healthcare has not yet confirmed that patient data “was impacted by this incident.”
Brett Callow, a threat analyst at security firm Emsisoft who closely tracks ransomware gangs, said the new sale of stolen data may be “less about an actual sale of data” and more about an effort to put Change Healthcare and the partner companies whose records it failed to protect “under additional pressure to pay.”
Change Healthcare appears to have paid a $22 million ransom to AlphV to prevent it from leaking large amounts of stolen data.
Two months after a ransomware attack sparked a crisis, Change Healthcare is facing mounting losses. The company recently reported that it had spent $872 million responding to the incident as of March 31.
Change, meanwhile, faces growing pressure from lawmakers and regulators to explain its cybersecurity breaches and the steps it took to prevent another hack.
A subcommittee of the House Energy and Commerce Committee held a hearing on the health department’s cyber posture on Tuesday, with leading lawmakers saying they were disappointed with UnitedHealth Group’s refusal to allow executives to testify. The U.S. Department of Health and Human Services is investigating whether Change Healthcare violated federal data security rules by failing to prevent hackers from accessing and stealing its data.
Update April 16, 2024 at 5:38 PM ET: Added more details about the companies whose data RansomHub claims to have.