While Change Healthcare continues to try to restore all services following a damaging ransomware attack in February, they now face a new and concerning threat.
No Honor Among Thieves
On March 4, a threat actor calling themself “notchy” claimed that they had been involved in the attack on Change Healthcare and that their job was to exfiltrate data after AlphV locked the healthcare system’s files. According to the affiliate, they were to split any ransom with AlphV. But they allege that AlphV secured a $22 million ransom payment from Change Healthcare and then took the money and disappeared after blocking notchy’s account without paying them anything.
Change Healthcare has neither confirmed nor denied that it paid $22 million to get a decryptor key from AlphV. But importantly, the disgruntled affiliate claimed they still had 4 TB of data and were not going to delete it because they never got paid.
A New Threat
Yesterday, a new listing on a dark web leak site appeared to be by the affiliate, who is now claiming that if Change Healthcare UHG doesn’t pay them within 10 days, they will put the data up for sale. Their message reads:
Hello Change Health and United Health Groups,
As an introduction we will give everyone a fast update on what happened previously and on the current situation.
ALPHV stole the ransom payment (22 Million USD) that Change Healthcare and United Health paid in order to restore their systems and prevent the data leak.
HOWEVER we have the data and not ALPHV.
The data consists of over 4 TB of highly selective data. The data relates to all Change Health clients that have sensitive data being processed by the company.
The list of affected Change Health partners that we have sensitive data for is actually huge with names such as:
- Medicare
- Tricare
- CVS-CareMark
- Loomis
- Davis Vision
- Health Net
- MetLife
- Teachers Health Trust
- Tens of insurance companies and others
Data includes millions of:
- Active US military/navy personnel PII
- Medical records
- Dental records
- Payments information
- Claims information
- Patients PII including Phone numbers/addresses/SSN/emails/etc…
- 3000+ source code files for Change Health solutions
- Insurance records
- And many more
Change Healthcare and United Health you have one chance in protecting your clients' data. The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted.
In the event you fail to reach a deal the data will be up for sale to the highest bidder here.
Change Healthcare has not yet responded to the threat with any update to its status update page.
As far as AlphV, aka BlackCat, goes, they did not re-brand as expected following the law enforcement takedown in December. They do seem to have just disappeared (exit-scammed) after getting a $22 million payment that may have been from Change Healthcare UHG.