Stolen Change Healthcare data could contain information on ‘a substantial portion’ of Americans

Sensitive and personal health information related to “a substantial portion of people in America” could be among the data stolen by cybercriminals who attacked Change Healthcare in February, the company said in a statement Monday.

Nearly two dozen screenshots purportedly from roughly 4 terabytes of Change Healthcare data were posted April 7 to the website operated by RansomHub, a website whose operators either auction off previously hacked data or conduct attacks themselves. RansomHub gave Change Healthcare until April 20 to buy the data before it was to be sold to the highest bidder.

The screenshots, viewed by CyberScoop on April 15, included alleged partner agreements between Change Healthcare and other companies, invoices, Medicare claims data, individual patient records, an audit and other material. 

The material and RansomHub listing for Change Healthcare has been pulled down entirely, although it’s not clear why. A RansomHub representative did not respond to a request for comment Tuesday. 

The company’s statement came the same day Change Healthcare acknowledged having paid a ransom shortly after the initial attack in February. “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure,” a company spokesperson told CyberScoop late Monday.

The spokesperson did not answer questions about whether the company engaged with RansomHub. The revelations come a week before the chief executive of UnitedHealth Group, the parent company of Change Healthcare, is scheduled to testify before a congressional committee. 

Lawmakers have been intensely critical of Change Healthcare’s handling of personal data and whether, more broadly, UnitedHealth Group’s dominant position in the U.S. health care industry represents a systemic threat. UnitedHealth Group, which reported nearly $100 billion in revenue in the first quarter of 2024, had previously reported that the hack contributed $872 million in losses, a total that could exceed $1 billion. 

Earlier Monday, the Wall Street Journal reported that attackers gained access to Change Healthcare’s networks on Feb. 12, more than a week before the attack became public Feb. 21, using compromised credentials on an application that allows staff to remotely access systems. 

A message briefly posted to the ALPHV ransomware website claimed responsibility for the attack. 

The administrators of that site reportedly collected a $22 million ransom payment on March 1 before posting a phony law enforcement takedown notice and shuttering the website. That money moved around to various cryptocurrency accounts over the course of March, showing signs that the people controlling those accounts were attempting to obscure the final destination of the money, CyberScoop reported April 5.

Meanwhile, a persona calling itself “notchy” that claimed to have been the one who actually carried out the attack using ALPHV’s platform, said shortly after the site shuttered that the ALPHV admins had withheld their portion of the ransom payment. 

Notchy claimed to have 4 terabytes of data, but it wasn’t clear whether notchy had taken that data to RansomHub.