Update April 16, 2024: RansomHub leaked the Change Healthcare patient data it was holding, according to TechCrunch. Some of the files also contain contracts between Change Healthcare and its partners.
Fool me once; shame on you. Fool me twice; shame on me.
Change Healthcare, a subsidiary of UnitedHealth Group, has been hit with a second ransomware demand, a brazen act linked to the massive data breach it suffered in February.
The ALPHV/BlackCat ransomware group claimed to have looted over 6TB of data from Change Healthcare, including individuals’ payment details, insurance records, and other types of personal and sensitive information. In the aftermath of the February cyber attack that left healthcare organizations across the country reeling, it was alleged that Change Healthcare had paid a staggering $22 million ransom to the BlackCat group.
Another group, RansomHub, now claims to possess 4TB of Change Healthcare data and is demanding payment or it will release the data.
The dizzying turn of events comes down to how ransomware groups work together and split payments. Under the Ransomware as a Service (RaaS) model, an operator group develops and maintains the ransomware, the leak site and the negotiation infrastructure, and leases them to affiliates who carry out the actual intrusions. When a ransom is paid, the operator takes a cut and passes the rest to the affiliate that did the work. Some security experts believe that BlackCat never shared the $22 million from the Change Healthcare payment with the affiliate that carried out the intrusion, and that the affiliate, still holding a copy of the stolen data, has now turned to RansomHub to make its own demand.
Paying a Ransom is a Huge Risk
UnitedHealth Group faced enormous pressure in the early days and weeks after the cyber attack. The incident affected military pharmacies worldwide; the American Hospital Association (AHA) called it the most significant and consequential cyber attack on the U.S. healthcare system in history; HHS published a "Dear Colleague" letter to the healthcare industry and opened an investigation; and thousands of providers were financially devastated, unable to obtain reimbursements.
Under that pressure, the company appears to have decided to pay the ransom, hoping to speed data recovery and resume normal operations sooner. The strategy failed: the payment bought neither the return of the data nor an end to the extortion.
The FBI strongly discourages paying a ransom to cybercriminals for several reasons:
- Criminals cannot be trusted to delete the stolen data, or to refrain from reselling it, once they are paid.
- In this case, the original group that made the extortion demand didn't even control all the data. A likely scenario is that a disgruntled affiliate still held a copy but hadn't received its share of the ransom, so it decided to make a second demand. Perhaps it reasoned that if Change Healthcare paid once, it would pay again.
- Paying ransom hurts the entire industry because it encourages other criminals to steal data and extort from others.
- Once data has been exfiltrated, it is usually still available somewhere on the dark web, through copies, resale, or leaks, regardless of what the extortionists promise.
Follow the HIPAA Security Rule
The best current advice about preventing, detecting and recovering from ransomware can be found at StopRansomware.gov.
For healthcare organizations, review your HIPAA compliance program to ensure it is up to date: an annual risk analysis, an ongoing risk management program that acts on the findings, and workforce training.