Did Hackers Who Attacked Change Healthcare Collect $22 Million in Ransom?

Although students in MHA and healthcare MBA programs learn a vast assortment of managerial strategies, it’s unlikely that any of these programs would have taught them how to manage through the kind of catastrophic cyberattack that shut down Change Healthcare—and much of the U.S. healthcare industry—in February 2024. And as of mid-April, the crisis continues to unfold.

Change Healthcare is a subsidiary of UnitedHealth Group—a huge conglomerate ranked fifth among the Fortune 500—operates America’s largest financial interface connecting insurance companies with healthcare providers.

Change says that it processes about half of all the health insurance claims across the nation, roughly 15 billion claims amounting to about $1.5 billion annually. But now, Change’s hack has severely impacted hospital systems, medical groups, pharmacies, and millions of patients. And according to the Washington Post, officials like New York’s Senator Charles Schumer have characterized the breach as one of the most serious attacks on the healthcare industry in United States history.

The cyberattack has disconnected healthcare organizations from the systems that pay them after insurers approve claims, threatening some medical practices and providers that extensively rely on Change’s operations with temporary financial insolvency. Meanwhile, other providers also facing reimbursement delays are refusing to schedule non-critical elective procedures and clinic visits, while pharmacies unable to obtain reimbursements are refusing to fill prescriptions. Early in the crisis, some inpatients couldn’t even leave their hospitals because discharge pharmacies couldn’t provide their take-home medications.

On March 14, the Department of Health and Human Services’ Office for Civil Rights notified Change that it was launching an investigation into the company’s data security practices. That’s the federal agency responsible for enforcing the data privacy and protection rules required by HIPAA, the Health Insurance Portability and Accountability Act of 1996. But a looming federal investigation isn’t much comfort to all the patients, doctors, and organizations injured by the crisis.

Nine weeks before the attack, the Justice Department’s cybercrime unit bragged about shutting down the notorious operation known as BlackCat or AlphV, a ransomware syndicate based in Russia. That “shutdown” didn’t last long. Incredibly, as former National Security Agency analyst Jon DiMaggio with cybersecurity firm Analyst1 told CBS News on 60 Minutes in April 2024, international ransomware hacking is not considered a crime in Russia. Furthermore, the Russian government won’t prosecute its citizens who are ransomware criminals unless the target of the attack is an organization within Russia or one of the former Soviet republics.

This BlackCat/AlphV gang appears to be the same one responsible for the attack on Change Healthcare, in which they encrypted patient and company data files, and then demanded large sums of money to unlock them. Change then shut down most of its network to prevent the group from gaining further access to the firm’s compromised systems, but that closure also stopped healthcare providers from obtaining their insurance reimbursements.

Via posts on its dark web forum, the Russian gang claimed responsibility for the attack and alleged that it had indeed stolen Change’s sensitive patient information. Next, on February 29th, UnitedHealth confirmed that the attack was a ransomware incident perpetrated by BlackCat/AlphV.

Then, an alarming development emerged that’s reminiscent of the resolution to the ransomware attack that shut down the East Coast’s Colonial Gasoline pipeline in 2021. On March 4, Wired’s Andy Greenberg reported that one of the hackers’ partner organizations pointed out that AlphV had received what appears to be a large ransom payment.

A cryptocurrency address associated with AlphV received 350 Bitcoins in a single transaction on March 1, worth about $22 million. Two days later, an individual claiming to be an AlphV “affiliate” then claimed on a dark web forum known as RAMP that AlphV had cheated them out of their portion of Change’s ransom—and pointed to the transaction address on Bitcoin’s publicly visible blockchain.

Contacted by Wired, a Change spokesperson refused to comment about the ransom payment, and as we go to press in late April, the company still has never officially confirmed to any media outlet that the ransom transaction actually took place. But two cybersecurity firms, Recorded Future and TRM Labs both told the publication that they were able to connect the Bitcoin address with AlphV. TRM additionally said it could link that address to crypto ransom payments from two other AlphV victims in January.

If that cheating actually took place following the ransom payment, it would be known as an “exit scam.” According to The Register, ransomware payments are typically split between collaborating groups of thieves, although the ratios can vary slightly.

In general, these payments are often split according to an 80/20 ratio, with 80 percent allocated to the affiliate who actually conducted the attack and the remainder for the gang itself. One theory is that AlphV took all the money paid by Change and left the affiliate responsible for actually carrying out the attack with nothing.

Experts theorize that in such a scenario, the angry affiliate would have kept all or most of their stolen data. That affiliate would then attempt to monetize the data set through other means, such as by additional threats to sell the data if the ransom isn’t paid.

So far in response to the ransom payment, it doesn’t appear that the hackers have as yet decrypted any data they encrypted on Change’s servers, disposed of data they copied, or otherwise reversed any of their damage. Meanwhile, researcher Brett Callow with security firm Emsisoft told Wired, “If Change did pay, it’s problematic.”

Why? Callow says that paying ransom amounts to a dangerous precedent for the healthcare industry, since every ransom payment funds the hacker gang’s future attacks—plus encourages other criminals to attack similar healthcare services that care for vulnerable patients. He continued:

It highlights the profitability of attacks on the healthcare sector. Ransomware gangs are nothing if not predictable: If they find a particular sector to be lucrative, they’ll attack it over and over again, rinse and repeat.

Unfortunately, the “rinse and repeat” scenario that Callow predicted may have already taken place. On April 8, The Register reported that a second ransomware gang was allegedly also extorting Change Healthcare.

A group that calls itself RansomHub had claimed to have also attacked Change and added that it possessed four terabytes of the company’s personally identifiable information (PII). RansomHub claimed the data included medical records and payment information associated with patient groups that include American military personnel on active duty.

The gang was demanding that Change pay more in ransom before May 1 or it would sell the data to the “highest bidder.” A cryptic ransom note released online by the group said in part:

Change Healthcare and United Health you have one chance in protecting your clients data. The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted.

In the event you fail to reach a deal the data will be up for sale to the highest bidder here.

In an email message to Wired, Change said, “There is no evidence of any new cyber incident at Change Healthcare.” Nevertheless, on April 12 the RansomHub gang sent Wired screenshots that appeared to be patient records.

They also sent a data sharing agreement between Change’s parent UnitedHealth Group and Emdeon, the firm that had acquired Change in 2014. After reviewing this evidence, Analyst1’s DiMaggio told the outlet that he believes RansomHub is “telling the truth and does have Change HealthCare’s data.”

Should RansomHub’s assertions turn out to be true, Change and UnitedHealth will face another difficult decision. They’ll have to decide under time pressure whether to remit yet another ransom payment that might prevent a second hacker gang from selling the company’s data.

Meanwhile, a minority view among cybersecurity experts is that even though AlphV and RansomHub aren’t linked through hard evidence, AlphV may simply have rebranded its identity as “RansomHub.” Even though RansomHub told Wired it isn’t affiliated with AlphV, it’s curious that AlphV hasn’t been heard from since it hit Change in one of its final attacks. Meanwhile, the security firm SOCRadar says that RansomHub first appeared in February at around the time of the initial Change attack.

But whether AlphV rebranded as RansomHub or the affiliate switched allegiances, the problem for Change is that the data set might still be in the possession of the criminals. Generally, in many ransomware deals, companies pay ransom, believing that the hackers will delete the data after they receive their payment. However, that’s not necessarily always an outcome, as Javvad Malik at security firm KnowBe4 explained to The Register:

The fact that Change Healthcare was seemingly targeted again, possibly by the same actors under a new alias or affiliates, highlights a significant issue in the ransomware ecosystem—the lack of “honor among thieves.”

While the initial payment of $22 million might have seemed like a resolution, it potentially opened the door for further extortion. It’s a stark reminder that paying a ransom not only fails to guarantee data safety or nondisclosure but might also paint the organization as a repeat target for future attacks.

On April 10, the American Medical Association released alarming new findings from a survey conducted between March 26 and April 3 that showed the impacts of the Change attack on physician practices across the nation. The results suggest that more than half of the smaller practices with ten or fewer doctors are struggling to stay afloat.

According to the results, unpaid claims resulted in 80 percent of the respondents’ reporting lost revenue. Moreover, 36 percent reported insurance claim payments that had been suspended, about a third reported that they had been unable to submit claims, and 22 percent weren’t able to verify eligibility for benefits.

What’s more alarming are some of the harsh effects on the doctors and their employees arising from those delayed and unpaid insurance claims. They resulted in 55 percent of the doctors using personal funds to cover their practice expenses, 31 percent unable to make payroll, and 44 percent unable to purchase supplies.

Only 25 percent of the respondents had received any financial assistance from UnitedHealth Group/Optum, and only 12 percent had received such support from the federal Centers for Medicare and Medicaid Services. Small practices with 10 or fewer physicians accounted for 78 percent of all survey respondents in this informal convenience sample of 1,400 practices.

“The disruption caused by this cyber-attack is causing tremendous financial strain,” said AMA President Jesse M. Ehrenfeld, MD, MPH in a statement. He concluded:

These survey data show, in stark terms, that practices will close because of this incident, and patients will lose access to their physicians. The one-two punch of compounding Medicare cuts and inability to process claims as a result of this attack is devastating to physician practices that are already struggling to keep their doors open.