RansomHub pulls trigger on Change Healthcare early, data ‘now for sale’

After almost two months, threat actors have announced that data exfiltrated from Change Healthcare back in February is finally for sale.

Daniel Croft
Wed, 17 Apr 2024

RansomHub, the second ransomware gang to list data belonging to the UnitedHealth subsidiary taken from an attack earlier this year, announced that the data is now available for purchase, having only yesterday (16 April) posted a sample of the data.

“The data is now for sale. Anyone interested in the purchase should contact RansomHub,” said the threat group.

Interestingly, as reported yesterday by Cyber Daily, RansomHub had initiated a countdown for the release and/or sale of Change Healthcare data, and at the time of the sale listing, the countdown still had roughly four days left.


RansomHub has reiterated that the stolen data belongs to “tens of insurance companies, including and not limited to Medicare, Tricare, CVS-CareMark, Loomis, Davis Vision, Heath Net, MetLife, Teachers Health Trust and tens of [other] insurance companies”.

Additionally, this data includes medical records, dental records, claims information, payment information, and the personally identifiable information (PII) of both patients and active US military and navy personnel, including phone numbers, addresses, social security numbers, emails and more, as well as over 3,000 source code files, insurance records and “many more”.

“Change Health[care] and UnitedHealth processing of sensitive data for all of these companies is just something unbelievable,” added RansomHub.

“For most US individuals out there doubting us, we probably have your personal data.”

Interestingly, in what appears to be a last-ditch effort, RansomHub has called on the affected insurance companies, letting them know that they can have their data removed from the data being sold if they “contact” the threat group, which likely means negotiating a ransom.

“Affected insurance providers can contact us to prevent leaking of their own data and removing from the sale.”

RansomHub’s new listing comes only a day after the group posted a sample of the exfiltrated Change Healthcare data, taunting the healthcare provider by advertising the data to other threat actors.

“Before our final reveal, below you will find attached screenshots of just a mere sample of data we have,” said RansomHub.

“It is just unbelievable the amount and sensitivity of data that Change Healthcare was in possession of.

“If Change Healthcare / United Health don’t care about your data, maybe you should ...”

This cyber incident has been a major saga for UnitedHealth and Change Healthcare, with the company having already paid a ransom to the previous threat group that claimed responsibility for the attack, ALPHV.

ALPHV received a US$22 million ransom payment, only to disband and run away with the money, leaving the ransomware affiliate “Notchy” and Change Healthcare without what they were promised.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
