Change Healthcare [1] [2] [3] [4] [5] [6] [7] [8], a subsidiary of UnitedHealth Group [3] [4] [8], recently fell victim to a ransomware attack by the group ALPHV, resulting in the theft of sensitive data and a demand for ransom. This breach has raised concerns about the security of patient information and the increasing threat of cyberattacks in the healthcare industry.

Description

Change Healthcare [1] [2] [3] [4] [5] [6] [7] [8], a subsidiary of UnitedHealth Group [3] [4] [8], was recently breached in a ransomware attack by the group ALPHV, with an associate known as “notchy” also involved in the cyberattack [7]. The attackers stole 6 terabytes of data, including personal information of Change patients such as medical records, payment details [4], and personally identifiable information (PII) of active US military personnel and other patients [6].

RansomHub [1] [2] [3] [4] [5] [6] [7] [8], a dark web site [7], is now threatening to sell over 4 TB of this data if Change Healthcare does not pay the ransom by April 20 [7]. The involvement of a middleman in the ransomware attack has added complexity and risk [6], complicating negotiations and payment to the threat actors [6]. If the ransom is not paid within 12 days [6], the dataset will be sold to the highest bidder [6] [7].

Senators Josh Hawley and Richard Blumenthal have demanded accountability from UnitedHealth Group following the ransomware attack on Change Healthcare [6], seeking information on UHG’s redundancy measures [6], the timeline of events related to the attack [6], and how UHG is addressing revenue gaps for providers affected by the breach [6]. Last year, there was a record-breaking number of health care data breaches [6], with over 144 million Americans’ medical information stolen or exposed [6]. This highlights the surge in health care data breaches due to ransomware attacks and the increased targeting of third-party vendors used by hospitals and health care providers [6], which puts patients at risk of identity theft or insurance fraud [6].

Change Healthcare is facing threats from a second ransomware group called RansomHub [3], which has obtained 4 terabytes of sensitive data and is demanding payment to prevent the data from being sold on the dark web [3]. This development was first reported by cybersecurity analyst Dominic Alvieri on April 7 [3].

It has been suggested that Change Healthcare paid a $22 million ransom to the BlackCat/ALPHV ransomware gang [5], leading to accusations of an exit scam by the gang [5]. Threat actor RansomHub claims to have exfiltrated Change Healthcare data and is attempting to extort the company [5]. It is unclear if RansomHub has any direct connection to BlackCat/ALPHV or how they obtained the data [5], raising the possibility that they may be trying to profit from the previous attack [5]. Change Healthcare had previously paid a $22 million ransom to the BlackCat/ALPHV group following a cyberattack in February [3], which disrupted their claims processing systems nationwide [3]. The company is currently working with authorities to address the situation [3].

Conclusion

The ransomware attack on Change Healthcare has highlighted the vulnerabilities in the healthcare industry’s data security and the increasing sophistication of cyber threats. It is crucial for organizations to enhance their cybersecurity measures to protect patient information and prevent future breaches. The implications of this attack extend beyond financial losses, as patient trust and safety are also at stake. Collaboration between healthcare providers, government agencies, and cybersecurity experts is essential to mitigate the risks posed by ransomware attacks and safeguard sensitive data.

References

[1] https://www.scmagazine.com/news/change-healthcare-breach-data-may-be-in-hands-of-new-ransomware-group
[2] https://www.comparitech.com/news/after-paying-a-22m-ransom-to-delete-it-data-stolen-in-change-healthcare-breach-resurfaces/
[3] https://www.tildee.com/double-extortion-second-ransomware-group-targets-change-healthcare-for-massive-cyberattack/
[4] https://www.infosecurity-magazine.com/news/change-healthcare-double-cyber/
[5] https://ransomwareattacks.halcyon.ai/news/ransomhub-threatens-to-extort-change-healthcare
[6] https://kffhealthnews.org/morning-breakout/data-stolen-from-change-healthcare-ransomed-in-second-attack/
[7] https://cyberscoop.com/extortion-group-threatens-to-sell-change-healthcare-data/
[8] https://www.darkreading.com/cyberattacks-data-breaches/round-2-change-healthcare-targeted-second-ransomware-attack