Change Healthcare is going through a brand new cybersecurity nightmare after a ransomware group started promoting what it claims is People’ delicate medical and monetary information stolen from the health care giant.
“For many US people on the market doubting us, we most likely have your private knowledge,” the RansomHub gang mentioned in an announcement seen by WIRED.
The stolen knowledge allegedly consists of medical and dental information, cost claims, insurance coverage particulars, and private data like Social Safety numbers and e-mail addresses, in keeping with screenshots. RansomHub claimed it had well being care knowledge on active-duty US navy personnel.
The sprawling theft and sale of delicate well being care knowledge represents a dramatic new type of fallout from the February cyberattack on Change Healthcare that crippled the corporate’s claims-payment operations and despatched the US well being care system into disaster as hospitals struggled to remain open with out common funding.
Change Healthcare, a subsidiary of UnitedHealth Group, beforehand acknowledged {that a} ransomware gang referred to as BlackCat or AlphV breached its techniques, and instructed WIRED final week that it’s investigating RansomHub’s claims about possessing the corporate’s stolen knowledge. Change Healthcare didn’t instantly reply to a request for remark in regards to the group’s alleged sale of its knowledge.
The big variety of affected person knowledge that RansomHub claims to be promoting is a testomony to Change Healthcare’s position as a important middleman between insurers and well being care suppliers, facilitating funds between each events and gathering reams of delicate details about sufferers and their medical procedures within the course of.
Among the many pattern information that RansomHub posted are an inventory of open claims dealt with by the corporate’s EquiClaim subsidiary that features affected person and supplier names; a hospital report for a 74-year-old girl in Tampa, Florida; and a part of a database report associated to US navy service members’ well being care.
RansomHub mentioned it could enable particular person insurance coverage corporations that labored with Change Healthcare and had their knowledge compromised to pay ransoms to stop the sale of their information. It specified that it was promoting knowledge belonging to a number of main insurance coverage corporations.
Change Healthcare’s “processing of delicate knowledge for all of those corporations is simply one thing unbelievable,” RansomHub mentioned in its announcement.
Brett Callow, a risk analyst on the safety agency Emsisoft who intently tracks ransomware gangs, says the brand new sale of stolen knowledge was most likely “much less about truly promoting the information” and extra about placing Change Healthcare—and the companion corporations whose information it failed to guard—“beneath extra strain to pay.”
Change Healthcare appears to have paid a $22 million ransom to AlphV to cease it from leaking terabytes of stolen knowledge.
Two months into the disaster spawned by the ransomware assault, Change Healthcare has confronted mounting losses. The corporate just lately reported spending $872 million responding to the incident as of March 31.
On the identical time, Change is beneath rising strain from lawmakers and regulators to clarify its cybersecurity lapse and the steps it’s taking to stop one other hack.
A subcommittee of the Home Power and Commerce Committee held a listening to on the well being sector’s cyber posture on Tuesday, with key lawmakers saying they had been disappointed that UnitedHealth Group declined to make an government obtainable to testify. And the Division of Well being and Human Providers is investigating whether Change Healthcare’s failure to stop hackers from accessing and stealing its knowledge violated federal data-security guidelines.