{"id":3224,"date":"2024-04-23T12:54:29","date_gmt":"2024-04-23T17:54:29","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=80227"},"modified":"2024-04-23T12:54:29","modified_gmt":"2024-04-23T17:54:29","slug":"stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/04\/23\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans\/","title":{"rendered":"Stolen Change Healthcare data could contain information on \u2018a substantial portion\u2019 of Americans"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Stolen Change Healthcare data could contain information on \u2018a substantial portion\u2019 of Americans | CyberScoop<\/title> <meta name=\"description\" content=\"The revelations from the UnitedHealth Group subsidiary come as the company acknowledges paying a ransom in the case.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Stolen Change Healthcare data could contain information on \u2018a substantial portion\u2019 of Americans\"> <meta property=\"og:description\" content=\"The revelations from the UnitedHealth Group subsidiary come as the company acknowledges paying a ransom in the case.\"> <meta property=\"og:url\" 
content=\"https:\/\/cyberscoop.com\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-04-23T17:54:29+00:00\"> <meta property=\"article:modified_time\" content=\"2024-04-23T17:54:30+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@AJVicens\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1712700738g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1713212140g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1712858261g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" 
href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=74528d75ce0daeb8628a\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/80227\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.5.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=80227\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fstolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fstolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-80227 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans\/#main\" class=\"skip-to-content-link 
visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.921630094044\">\n<div class=\"single-article__header-content\" readability=\"30.541176470588\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/threats\/cybercrime\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> The revelations from the UnitedHealth Group subsidiary come as the company acknowledges paying a ransom in the case. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans-2.jpg?resize=506,337 506w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Stock photo of patient medical files (David Sacks\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"33.659820653746\"><body readability=\"68.041253101737\"><\/p>\n<p>Sensitive and personal health information related to \u201ca substantial portion of people in America\u201d could be among the data stolen by cybercriminals who attacked Change Healthcare in February, the company said in a statement Monday.<\/p>\n<p>Nearly two dozen screenshots purportedly from roughly 4 terabytes of Change Healthcare data were <a href=\"https:\/\/cyberscoop.com\/extortion-group-threatens-to-sell-change-healthcare-data\/\">posted April 7 to the website operated by RansomHub<\/a>, a website whose operators either auction off previously hacked data or conduct attacks themselves. RansomHub gave Change Healthcare until April 20 to buy the data before it was to be sold to the highest bidder.<\/p>\n<p>The screenshots, viewed by CyberScoop on April 15, included alleged partner agreements between Change Healthcare and other companies, invoices, Medicare claims data, individual patient records, an audit and other material.&nbsp;<\/p>\n<p>The material and RansomHub listing for Change Healthcare have been pulled down entirely, although it\u2019s not clear why. 
A RansomHub representative did not respond to a request for comment Tuesday.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The <a href=\"https:\/\/www.unitedhealthgroup.com\/newsroom\/2024\/2024-04-22-uhg-updates-on-change-healthcare-cyberattack.html\">company\u2019s statement<\/a> came the same day Change Healthcare acknowledged having paid a ransom shortly after the initial attack in February. \u201cA ransom was paid as part of the company\u2019s commitment to do all it could to protect patient data from disclosure,\u201d a company spokesperson told CyberScoop late Monday.<\/p>\n<p>The spokesperson did not answer questions about whether the company engaged with RansomHub. The revelations come a week before the chief executive of UnitedHealth Group, the parent company of Change Healthcare, is <a href=\"https:\/\/energycommerce.house.gov\/posts\/chairs-rodgers-and-griffith-announce-united-health-ceo-to-testify-at-oversight-hearing-on-change-healthcare-attack\">scheduled to testify<\/a> before a congressional committee.&nbsp;<\/p>\n<p>Lawmakers have been <a href=\"https:\/\/cyberscoop.com\/change-healthcare-unitedhealth-ransomware-hearing\/\">intensely critical<\/a> of Change Healthcare\u2019s handling of personal data and whether, more broadly, UnitedHealth Group\u2019s dominant position in the U.S. health care industry represents a systemic threat. 
UnitedHealth Group, which <a href=\"https:\/\/www.businesswire.com\/news\/home\/20240416450656\/en\/UnitedHealth-Group-Reports-First-Quarter-2024-Results\">reported nearly $100 billion<\/a> in revenue in the first quarter of 2024, had previously reported that the hack contributed $872 million in losses, a total that could exceed $1 billion.&nbsp;<\/p>\n<p>Earlier Monday, <a href=\"https:\/\/www.wsj.com\/articles\/change-healthcare-hackers-broke-in-nine-days-before-ransomware-attack-7119fdc6\">the Wall Street Journal reported<\/a> that attackers gained access to Change Healthcare\u2019s networks on Feb. 12, more than a week before the attack became public Feb. 21, using compromised credentials on an application that allows staff to remotely access systems.&nbsp;<\/p>\n<p>A message briefly posted to the ALPHV ransomware website claimed responsibility for the attack.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The administrators of that site reportedly collected a $22 million ransom payment on March 1 before posting a phony law enforcement takedown notice and <a href=\"https:\/\/cyberscoop.com\/ransomware-group-behind-change-healthcare-attack-goes-dark\/\">shuttering the website<\/a>. 
That money moved around to various cryptocurrency accounts over the course of March, showing signs that the people controlling those accounts were attempting to obscure the final destination of the money, <a href=\"https:\/\/cyberscoop.com\/alphv-steps-up-laundering-of-change-healthcare-ransom-payments\/\">CyberScoop reported April 5<\/a>.<\/p>\n<p>Meanwhile, a persona calling itself \u201cnotchy,\u201d which claimed to have been the one who actually carried out the attack using ALPHV\u2019s platform, said shortly after the site shuttered that the ALPHV admins had withheld their portion of the ransom payment.&nbsp;<\/p>\n<p>Notchy claimed to have 4 terabytes of data, but it wasn\u2019t clear whether notchy had taken that data to RansomHub.&nbsp;<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.176724137931\">\n<div class=\"author-card\" readability=\"8\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans-1.jpg?w=640&#038;ssl=1\" alt=\"AJ Vicens\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by AJ Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" 
class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Stolen Change Healthcare data could contain information on \u2018a substantial<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[950,1603,282,440,1921,1823,46],"tags":[955,1605,286,444,1922,1824,54],"class_list":["post-3224","post","type-post","status-publish","format-standard","hentry","category-alphv","category-change-healthcare","category-cybercrime","category-data-breaches","category-notchy","category-ransomhub","category-ransomware","tag-alphv","tag-change-healthcare","tag-cybercrime","tag-data-breaches","tag-notchy","tag-ransomhub","tag-ransomware"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/alphv\/\" rel=\"category tag\">ALPHV<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/change-healthcare\/\" rel=\"category tag\">Change Healthcare<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/data-breaches\/\" rel=\"category tag\">data breaches<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/notchy\/\" rel=\"category 
tag\">notchy<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomhub\/\" rel=\"category tag\">RansomHub<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a>","tag_info":"ransomware","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3224","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3224"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3224\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3224"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3224"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3224"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}