Round 2: Change Healthcare Targeted in Second Ransomware Attack

RansomHub, which is speculated to have some connection to ALPHV, has stolen 4TB of sensitive data from the beleaguered healthcare company.

Dark Reading Staff, Dark Reading

April 8, 2024


Change Healthcare reportedly is facing another attack, this time by ransomware gang RansomHub, just weeks after it became a victim in an ALPHV/BlackCat cyberattack.

RansomHub is demanding an extortion payment for an alleged 4TB of data it stole from the company; otherwise, it's threatening to sell the data to the highest bidder in 12 days.

The stolen information contains the sensitive data of US military personnel and patients, as well as medical records and financial information, among other things.

"Change Healthcare and United Health, you have one chance in protecting your clients' data," RansomHub reportedly said. "The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted."

This likely puts Change Healthcare, a subsidiary of United Healthcare, in a difficult position: it has to decide whether paying the ransom is its best option when it has only just gotten back on its feet from the last attack.

"This new information supports a few theories that our team has suggested; but no matter the case, it's unfortunate that Change Healthcare is caught in the middle of this conflict between two rival gangs," Malachi Walker, security adviser at DomainTools, whose team has been following ALPHV/BlackCat's activity, said in an emailed statement.

"Even if not connected to BlackCat, RansomHub could be claiming ties to their victims to scare them into making a payment," he added. "There is a vast underground economy booming around the ransomware scene today where affiliate programs recruit on hacker forums, initial access brokers sell footholds into organizational networks, and ransomware groups collaborate to share information."  

Though there is significant speculation regarding whether ALPHV rebranded to RansomHub, or if there is any connection at all, Walker said there is no confirmation, as it's too early to tell.
