{"id":2979,"date":"2024-04-09T15:57:47","date_gmt":"2024-04-09T20:57:47","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=80028"},"modified":"2024-04-09T15:57:47","modified_gmt":"2024-04-09T20:57:47","slug":"extortion-group-threatens-to-sell-change-healthcare-data","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/04\/09\/extortion-group-threatens-to-sell-change-healthcare-data\/","title":{"rendered":"Extortion group threatens to sell Change Healthcare data"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Extortion group threatens to sell Change Healthcare data | CyberScoop<\/title> <meta name=\"description\" content=\"The data reportedly includes personal information and health details for customers of a variety of companies linked to Change Healthcare.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/extortion-group-threatens-to-sell-change-healthcare-data\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Extortion group threatens to sell Change Healthcare data\"> <meta property=\"og:description\" content=\"The data reportedly includes personal information and health details for customers of a variety of companies linked to Change Healthcare.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/extortion-group-threatens-to-sell-change-healthcare-data\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-04-09T20:57:47+00:00\"> <meta property=\"article:modified_time\" content=\"2024-04-09T20:58:34+00:00\"> <meta 
property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/extortion-group-threatens-to-sell-change-healthcare-data-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@AJVicens\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1712697896g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1712258582g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1711866546g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=74528d75ce0daeb8628a\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/80028\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" 
content=\"WordPress 6.5\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=80028\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fextortion-group-threatens-to-sell-change-healthcare-data%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fextortion-group-threatens-to-sell-change-healthcare-data%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-80028 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/extortion-group-threatens-to-sell-change-healthcare-data\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close 
js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.99251497006\">\n<div class=\"single-article__header-content\" readability=\"30.343220338983\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/threats\/cybercrime\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> The data reportedly includes personal information and health details for customers of a variety of companies linked to the payment processor. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/extortion-group-threatens-to-sell-change-healthcare-data.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/extortion-group-threatens-to-sell-change-healthcare-data-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/extortion-group-threatens-to-sell-change-healthcare-data-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/extortion-group-threatens-to-sell-change-healthcare-data-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/extortion-group-threatens-to-sell-change-healthcare-data-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/extortion-group-threatens-to-sell-change-healthcare-data-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/extortion-group-threatens-to-sell-change-healthcare-data-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/extortion-group-threatens-to-sell-change-healthcare-data-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/extortion-group-threatens-to-sell-change-healthcare-data-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/extortion-group-threatens-to-sell-change-healthcare-data-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/extortion-group-threatens-to-sell-change-healthcare-data-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Hacker using laptop. Lots of digits on the computer screen. 
(seksan Mongkhonkhamsao\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"44.348717948718\"><body readability=\"89.358456707044\"><\/p>\n<p>When the payment processor Change Healthcare was breached in a ransomware attack last month as part of an incident that crippled parts of the U.S. health care system, the group that claimed responsibility said it had stolen some 6 terabytes of data.<\/p>\n<p>Now, a data extortion site is giving Change Healthcare until April 20 to buy the majority of that data before it\u2019s sold to the highest bidder.<\/p>\n<p>The operators of RansomHub, a site on the dark web used to auction off previously stolen data or conduct new ransomware attacks, posted a notice on Sunday saying they were in possession of \u201cover 4 TB of highly selective data\u201d that came from the <a href=\"https:\/\/cyberscoop.com\/ransomware-alphv-healthcare-pharmacies\/\">Feb. 21 attack<\/a> on Change Healthcare.<\/p>\n<p>The ransomware group known as ALPHV or BlackCat claimed responsibility for the attack on Change Healthcare. The attack appears to have been carried out by an ALPHV associate known as \u201cnotchy,\u201d with the understanding that the two entities would split the proceeds of any ransom paid. 
But after Change Healthcare\u2019s parent company apparently paid a $22 million ransom, notchy claimed that <a href=\"https:\/\/cyberscoop.com\/ransomware-group-behind-change-healthcare-attack-goes-dark\/\">ALPHV took that money and disappeared<\/a>, scamming notchy out of their share.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p><a href=\"https:\/\/cyberscoop.com\/alphv-steps-up-laundering-of-change-healthcare-ransom-payments\/\">CyberScoop reported<\/a> last week that researchers with the blockchain intelligence firm TRM Labs observed the $22 million being moved around over the course of March and into early April, showing signs that the money was being laundered. Researchers note that the 4 terabytes of data notchy claimed to possess remain an untapped asset after the group was apparently stiffed of its share of the ransom.<\/p>\n<p>Sunday\u2019s message posted to RansomHub addressed Change Healthcare and UnitedHealth Group, its parent company, directly. \u201cYou have one chance in protecting your clients data,\u201d the message reads, noting that the data has not yet been posted or shared anywhere else. \u201cIn the event you fail to reach a deal the data will be up for sale to the highest bidder here.\u201d<\/p>\n<p>A representative for UnitedHealth Group did not respond to a question about the threat.<\/p>\n<p>When asked for proof that the site is actually in possession of Change Healthcare data, a representative for RansomHub told CyberScoop to \u201ckeep [paying] attention to our blog.\u201d That representative did not address whether the site had yet been in contact with UnitedHealth Group.<\/p>\n<p>ALPHV claimed to have 6 terabytes of Change Healthcare data in a message posted briefly to its website in the days after the Change Healthcare attack. Notchy never claimed to have anything other than 4 terabytes. 
The difference between the two figures has never been explained.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>A user going by the name \u201ckoley\u201d launched RansomHub in early February on the RAMP cybercrime forum, researchers with cybersecurity firm <a href=\"https:\/\/www.kelacyber.com\/\">KELA<\/a> told CyberScoop on Tuesday. The site claimed to be \u201cthe next generation of ransomware\u201d and offered affiliates a fixed 10% split of proceeds.<\/p>\n<p>The site, which has claimed 31 victims on its blog, not including Change Healthcare, also included rules such as prohibiting attacks on the Russian-aligned Commonwealth of Independent States countries, as well as Cuba, North Korea, China and Romania. Other rules included no repeated attacks on the same target, that affiliates must fulfill the terms of agreements made with victims and a prohibition on attacks against nonprofit organizations.<\/p>\n<p>\u201cOur team members are from different countries and we are not interested in anything else, we are only interested in dollars,\u201d a message posted to the group\u2019s website reads.<\/p>\n<p>In a conversation with notchy on the RAMP forum last month, Koley speculated that perhaps ALPHV was \u201cplanning to end with fraud\u201d after getting \u201chacked\u201d by the FBI in December 2023, according to a copy of the exchange captured by KELA. The FBI conducted <a href=\"https:\/\/cyberscoop.com\/fbi-seizes-alphv-leak-website-hours-later-ransomware-gang-claims-it-unseized-it\/\">a partial disruption of ALPHV\u2019s site<\/a> in December, but ALPHV managed to pull some of it back online and carry on operations.<\/p>\n<p>\u201cSave your evidence,\u201d koley said, adding that ALPHV\u2019s decision to take the money and run would hurt his reputation in the criminal underground. \u201cIf he does not pay you, I believe many people will leave him. 
He will lost more than 22M $. If he still has the dignity of a man he should return it to you at least or give you part of it.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>In <a href=\"https:\/\/twitter.com\/vxunderground\/status\/1777374367854297433\">a message Monday<\/a> to VX-Underground, an online repository of malware and analysis, the RansomHub representative said that \u201cmany\u201d ALPHV affiliates \u201care actively joining us.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.2285067873303\">\n<div class=\"author-card\" readability=\"8\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/extortion-group-threatens-to-sell-change-healthcare-data-1.jpg?w=640&#038;ssl=1\" alt=\"AJ Vicens\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by AJ Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" 
class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/extortion-group-threatens-to-sell-change-healthcare-data\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Extortion group threatens to sell Change Healthcare data | CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[950,1603,282,323,1823,46],"tags":[955,1605,286,327,1824,54],"class_list":["post-2979","post","type-post","status-publish","format-standard","hentry","category-alphv","category-change-healthcare","category-cybercrime","category-extortion","category-ransomhub","category-ransomware","tag-alphv","tag-change-healthcare","tag-cybercrime","tag-extortion","tag-ransomhub","tag-ransomware"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/alphv\/\" rel=\"category tag\">ALPHV<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/change-healthcare\/\" rel=\"category tag\">Change Healthcare<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/extortion\/\" rel=\"category tag\">extortion<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomhub\/\" rel=\"category tag\">RansomHub<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" 
rel=\"category tag\">ransomware<\/a>","tag_info":"ransomware","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2979","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2979"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2979\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2979"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2979"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2979"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}