Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

2 min read

Change Healthcare faces new ransom demand

Change Healthcare faces new ransom demand

Another ransomware organization claims to have data from Change Healthcare.


What happened

One of the biggest events in the cybersecurity world, the attack on Change Healthcare, continues to make waves across the healthcare industry. 

The attack, which occurred on February 21st, 2024, resulted in over 100 applications being shut down and numerous delays in healthcare operations. The attack was felt across the country as providers and pharmacies were unable to process insurance claims. Ultimately, the ransomware organization, BlackCat, also known as ALPHV, claimed responsibility, potentially as a counterattack against a recent FBI disruption

In recent news, Change Healthcare's parent company, UnitedHealth Group, paid a $22 million ransom to the organization. In return, they received a decryptor key and BlackCat’s word that the data wouldn’t be leaked. Unfortunately, paying the ransom didn’t end all of UnitedHealth’s troubles.  

Read more: Going deeper: The Change Healthcare attack


What’s new

Now, a different ransomware organization, RansomHub, claims to have 4 terabytes of data. It’s alleged that after UnitedHealth paid the ransom, a BlackCat affiliate never received their share. 

BlackCat’s website has since gone down, with a statement that the FBI has seized it. However, the FBI has debunked this message. 

According to news reports, RansomHub’s dark web site now has a statement reading, “ALPHV stole the $22 million USD ransom that Change Healthcare and UnitedHealth paid in order to restore their systems and prevent the data leak. However, we have the data, not ALPHV.” 

RansomHub stated that the information relates to “all Change Healthcare clients that have sensitive data being processed by the company.”  

It remains unclear if RansomHub is an affiliate of BlackCat, a rebranded version of the organization, or exists as a separate actor. 


What was said

In a statement from UnitedHealth, the organization said they are “aware of these reports and continue to work with the authorities.” 

Brett Callow, a threat analyst at Emsisoft, said it’s also possible that RansomHub is bluffing. He said, “As law enforcement ramps up counter-ransomware efforts, it’s not unlikely that we’ll see more incidents like this, with the criminals scamming each other, scamming victims and trying to create confusion in order to evade sanctions.” 


Why it matters

Experts have long advised companies to refuse to pay ransoms. Unfortunately, it can make companies more likely to be attacked again. It also often involves trusting the criminal to delete or decrypt data. 

Despite this, many organizations face significant pressure to pay off the malicious actors. In UnitedHealth’s case, without a decryptor, numerous healthcare operations may have continued to be delayed. As it remains, the company is in a precarious position, especially as RansomHub’s connection to the stolen data is unclear. This time, UnitedHealth may choose not to pay.  

Go Deeper: Refusal to pay is the newest strategy to combat ransom attacks

Read moreHIPAA Compliant Email: The Definitive Guide

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.