Change Healthcare leak countdown begins as RansomHub posts data sample

The leak of Change Healthcare data has, at long last, begun after the RansomHub threat group posted a sample of the allegedly stolen data and initiated a countdown for the full release.

Daniel Croft
Tue, 16 Apr 2024

For context, Change Healthcare, a subsidiary of major US healthcare organisation UnitedHealth, was hacked in February. The company originally blamed state-sponsored hackers before ALPHV took credit for the attack.

ALPHV was paid a ransom of US$22 million, which it then pocketed without paying the affiliate behind the attack, claiming it had been taken down by the FBI as an exit strategy. Despite an angry back-and-forth, the affiliate, Notchy, was never paid, and thus Change Healthcare’s systems were not restored and the stolen data was not deleted.

RansomHub then claimed to have the Change Healthcare data and demanded that the organisation pay them a ransom.


Now, the group is threatening to release an alleged four terabytes of exfiltrated data in under five days at the time of writing and has posted a lengthy sample of the data to prove legitimacy.

“Before our final reveal, below you will find attached screenshots of just a mere sample of data we have,” said RansomHub.

“It is just unbelievable the amount and sensitivity of data that Change Healthcare was in possession of.

“Below evidence shows a sample of data for major insurance providers including Metlife, CVS Caremark, Tricare, Medicare, and others.”

The threat group’s message appears to cater to other threat actors, stressing the sensitivity and value of the stored data, likely in an attempt to taunt and scare UnitedHealth into paying up.

“If Change Healthcare / United Health don’t care about your data, maybe you should ...,” the group added.

“Given that the data is extremely huge and analyzing the data needs a lot of time, based on our initial analysis the data combines all the different clients in a single process.

“Meaning you could find PII/PHI for several insurance providers in a single processing file (i.e CVS / Metlife / Medicare etc).

“The more we go through the data the more we are shocked of the amount of financial, medical, and personal information we find and it will be more devastating than the first attack itself.”

Sample data includes data sharing and trading partner agreements, medical claims data, patient names, places of treatment, birth dates, sex, medical record numbers (MRNs), referral numbers, home and mobile phone numbers, payer contracts and more.

“Five days remain on the clock. The devastating effect can be still mitigated. Insurance providers should be really concerned as this will impact them and their clients beyond measure,” RansomHub said.

In its previous statement, RansomHub said the data includes information on Change Healthcare partners and clients from Medicare, Tricare, CVS Caremark, Loomis, Davis Vision, Health Net, MetLife, Teachers Health Trust and tens of insurance companies and others.

It also said that other data includes the personally identifiable information (PII) of US military and navy personnel, dental records, mental records, payment information, patient PII, and over 3,000 source code files for Change Health Solutions.

If Change Healthcare does not pay a ransom, RansomHub has said that the data will be up for sale “to the highest bidder”.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
