Hackers have reportedly begun to sell patient data and business agreements they claim were stolen in the Change Healthcare cyberattack.
The RansomHub cybercriminal gang wrote on the dark web April 16 that it put information obtained in the hack of the UnitedHealth Group subsidiary up for sale, according to screenshots posted on X by cybersecurity researchers.
This development comes after the cybercriminals reportedly leaked contracts and patient data purportedly stolen in the cyberattack as proof of their haul April 15, and after UnitedHealth Group allegedly paid another ransomware gang $22 million, a claim the company has not confirmed.
"The information being published by RansomHub is pretty convincing, with screenshots of legal documents (trader partner agreements), bills for services to providers, Medicare claim information (which includes sensitive PII), payment information, and more," Sean McNee, PhD, vice president of research and data at DomainTools, told SC Media. "The variety of data being leaked indicates that the data dump was not limited to one or a few systems. Indeed, if this data and more becomes fully leaked, it could be devastating to the individuals affected."
RansomHub says it obtained information from several major payers in the hack, and the payers can contact the gang — likely to negotiate ransom payments — if they want to prevent the data from being leaked or sold, according to the screenshots.
"Change Health and United Health processing of sensitive data for all of these companies is just something unbelievable," the hackers wrote, per the screenshots. "For most US individuals out there doubting us, we probably have your personal data."
The information RansomHub leaked includes "a hospital record for a 74-year-old woman in Tampa, Fla., and part of a database record related to U.S. military service members' healthcare," Wired reported April 16.
Change Healthcare, an arm of UnitedHealth Group's Optum, processes about 15 billion transactions annually, handling an estimated 1 in 3 patient records in the U.S. The massive hack disrupted claims processing at health systems and physician offices across the country.
"We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data," the company told Becker's after the purported leak April 15. "Our investigation remains active and ongoing."
Becker's reached out to Change Healthcare for comment on the alleged data sale.