Change Healthcare Faces New Cybersecurity Crisis as Hackers Claim to Sell Stolen Data
RansomHub Gang Threatens to Sell Sensitive Health Information
Change Healthcare, a subsidiary of UnitedHealth Group, is grappling with a new cybersecurity crisis after the RansomHub gang claimed to be selling stolen data from the company. The gang boasted about possessing personal information of most US individuals, including medical and dental records, payment claims, insurance details, and sensitive data like Social Security numbers and email addresses.
“For most US individuals out there doubting us, we probably have your personal data,” the RansomHub gang said in an announcement seen by WIRED.
Fallout from February Cyberattack Continues
The alleged theft and sale of sensitive health care data is a significant development following the February cyberattack on Change Healthcare by the BlackCat or AlphV ransomware gang. The attack disrupted the company’s claims-payment operations, causing a crisis in the US health care system as hospitals struggled to maintain operations without regular funding.
Change Healthcare’s Critical Role in the Health Care System
As a vital intermediary between insurers and health care providers, Change Healthcare facilitates payments and collects sensitive patient information related to medical procedures. The wide variety of data allegedly being sold by RansomHub underscores the company’s central role in the health care system.
RansomHub’s Tactics and Targeted Companies
RansomHub stated that it would allow individual insurance companies that worked with Change Healthcare to pay ransoms to prevent the sale of their records. The gang specifically mentioned selling data belonging to MetLife, CVS Caremark, Davis Vision, Health Net, and Teachers Health Trust.
Mounting Losses and Regulatory Pressure
Change Healthcare has faced significant losses since the ransomware attack, reporting $872 million in expenses related to the incident as of March 31. The company is also under increasing pressure from lawmakers and regulators to explain its cybersecurity lapse and the steps it’s taking to prevent future attacks.
The House Energy and Commerce Committee held a hearing on the health sector’s cyber posture, with key lawmakers expressing disappointment that UnitedHealth Group declined to send an executive to testify. Additionally, the Department of Health and Human Services is investigating whether Change Healthcare’s failure to prevent the data breach violated federal data-security rules.
As the fallout from the cyberattack continues, Change Healthcare faces a challenging road ahead in addressing the consequences of the data breach and rebuilding trust with its partners and the public.
2 Comments
Well, looks like Change Healthcare should’ve changed their security measures first!
So, Change Healthcare is the latest cyber victim – what’s new in the digital world?