Change Healthcare Faces New Cybersecurity Nightmare as Ransomware Group Sells Americans’ Sensitive Data

Change Healthcare, a major player in the healthcare industry, is facing a new cybersecurity nightmare as a ransomware group known as RansomHub has begun selling what they claim to be sensitive medical and financial records stolen from the company. The group has made a bold statement, saying, “For most US individuals out there doubting us, we probably have your personal data.”

The stolen data reportedly includes medical and dental records, payment claims, insurance details, and personal information such as Social Security numbers and email addresses. RansomHub even claimed to have data on active-duty US military personnel. This massive breach of sensitive health care data is a direct result of the cyberattack on Change Healthcare back in February, which caused chaos in the US health care system as hospitals struggled to operate without regular funding.

Change Healthcare, a subsidiary of UnitedHealth Group, has acknowledged the breach by the ransomware gang known as BlackCat or AlphV. The company is currently investigating RansomHub’s claims about possessing their stolen data. RansomHub has gone as far as offering individual insurance companies the opportunity to pay ransoms to prevent the sale of their records, specifically naming companies like MetLife, CVS Caremark, Davis Vision, Health Net, and Teachers Health Trust.

The situation has put immense pressure on Change Healthcare and its partner companies, with the threat analyst Brett Callow suggesting that the sale of stolen data is a tactic to force them to pay up. Change Healthcare reportedly paid a $22 million ransom to AlphV to prevent the leak of terabytes of stolen data. As a result of the cyberattack, Change Healthcare has incurred significant losses, spending $872 million in response to the incident as of March 31.

Lawmakers and regulators are now demanding answers from Change Healthcare regarding their cybersecurity lapse and the measures being taken to prevent future attacks. A subcommittee of the House Energy and Commerce Committee held a hearing on the health sector’s cybersecurity posture, expressing disappointment that UnitedHealth Group declined to provide an executive for testimony. The Department of Health and Human Services is also investigating whether Change Healthcare’s failure to prevent hackers from accessing and stealing data violated federal data-security rules.

This ongoing cybersecurity crisis has highlighted the vulnerability of sensitive health care data and the urgent need for robust cybersecurity measures in the industry. The repercussions of this breach are far-reaching, impacting not only Change Healthcare but also the millions of individuals whose personal information may now be in the hands of cybercriminals.