Change Healthcare hit with second ransomware attack of 2024


Change Healthcare has fallen victim to another significant cyber attack just weeks after a major ransomware attack took down its systems and caused delays to prescription services across the US.

The incident is the company's second of 2024, continuing a rocky start to the year that began with a major breach orchestrated by notorious threat collective ALPHV/BlackCat.

In this latest incident, a relatively new threat actor known as RansomHub claims to have 4TB of sensitive data stolen from the organization's network, and has threatened to publish the information unless they receive a ransom payment.

The stolen information includes the PII of active US service members and other patients, medical records, insurance records, payment information, and over 3,000 source code files for Change Healthcare solutions.

In a statement posted to the group’s dedicated leak site, RansomHub provided a list of Change Healthcare partners affected by the attack, including Medicare, Tricare, CVS-CareMark, Loomis, Davis Vision, MetLife, Health Net, and more.

A relatively new entrant to the ransomware-as-a-service (RaaS) industry, RansomHub first appeared on security analysts’ radars in February 2024 after it published details of its first victim, the Brazilian business management company YKP, on its leak site.

Since then, the group claims to have carried out 17 successful cyber attacks, although its leak site currently only lists 14 victims.

RansomHub warned that Change Healthcare must comply with their demands and pay the ransom within 12 days or the data will be made available for sale to the highest bidder.

Change Healthcare caught in the middle of an adversarial ransomware industry 

It has been a difficult start to the year for the American healthcare company, with reports claiming it paid the initial ransom demanded by ALPHV in February, only to be extorted once more by a separate hacking group.

Researchers monitoring the crypto wallets of the ALPHV group pointed to a $22 million Bitcoin blockchain transaction as evidence of Change Healthcare paying the initial ransom, something Change Healthcare has not officially confirmed.

If true, this would constitute one of the largest ransom payments ever recorded in the US, and would mean the healthcare organization faces a difficult decision on whether to give in and pay up for a second time.

In a communication from RansomHub to Change Healthcare, the group claims the stolen data is the same as that exfiltrated during the initial cyber attack by ALPHV.

Some experts have suggested the group is just a rebranded version of the ALPHV group, in an attempt to intimidate the healthcare company into paying up for a second time.

According to RansomHub, ALPHV performed an ‘exit scam’, meaning the group absconded with the funds before compensating all of the affiliates involved in the attack.

RansomHub’s statement alleges the affiliates involved in the original ALPHV attack did not receive their share of the ransom, usually 80% of the total fee, and the resulting discord among unpaid affiliates led to the group fracturing.

The group told threat intelligence project vx-underground that after ALPHV scammed its affiliates out of the $22 million ransom extracted from Change Healthcare, they left the group and are now “actively joining” RansomHub.

The statement claims RansomHub now has control of data stolen in the February breach and it wants payment too. This suggests those who took part in the original attack are also involved in this latest development, and were able to share the data with the 

Nick Tausek, lead security automation architect at security specialist Swimlane, said that regardless of the identity of the culprits, there will be serious consequences to the attack, with critical services disrupted.

“While it remains uncertain whether this latest attack stems from the same threat actors using a new alias or involves a new group entirely, the February incident underscores the intricate web of interdependence in the healthcare system”, he explained.

“Its repercussions extend beyond mere inconvenience, impacting vital services such as pharmacy operations, eligibility checks, and claims processing, all essential for patient care. The tangible consequences on human health serve as a stark reminder of the urgent need for robust cybersecurity measures across the industry.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.