April 15, 2024 by Cybersixgill IQ

Change Healthcare Breach: Data in the Hands of a New Ransomware Group


The healthcare industry has once again been targeted by cybercriminals, with Change Healthcare falling victim to a second ransomware attack. This time, a new group called RansomHub has claimed responsibility for the breach, demanding a ransom payment in exchange for not selling the stolen data. The breach has put Change Healthcare, a subsidiary of UnitedHealth Group, in a difficult position as it tries to recover from the previous attack by ALPHV/BlackCat. This article provides an overview of the breach, its impact on the organization, and potential steps for remediation.

Overview of the Breach

RansomHub, the new ransomware group, has allegedly stolen approximately 4TB of sensitive data from Change Healthcare, as claimed earlier this week. The stolen information includes the personal and medical records of US military personnel, patients, financial information, and more. RansomHub has threatened to sell the data to the highest bidder if a ransom payment is not made within 12 days. The group claims that the data has not been leaked or shared anywhere, but this assertion cannot be independently verified.

There is speculation about whether RansomHub and ALPHV/BlackCat are part of the same ransomware group or if there is any connection between them. However, there is no confirmation at this time, and it is too early to tell. RansomHub claims to have gained access to the Change Healthcare data that ALPHV/BlackCat stole, but the exact relationship between the two groups is still unclear.

Impact on Change Healthcare

The breach has put Change Healthcare in a precarious position, as it has only recently recovered from the previous attack by ALPHV/BlackCat. The company is now faced with the difficult decision of whether to pay the ransom or not. The stolen data contains highly sensitive information, and the potential exposure of this data could have severe consequences for both the affected individuals and the reputation of Change Healthcare. Additionally, the breach has disrupted the organization's operations, causing financial losses and impacting its ability to provide healthcare support services.

Key points for other organizations seeking to protect themselves against a similar breach:

  1. Assume Intrusion: Organizations should recognize and understand that attackers are likely to make their way into their environment. Adopting an "assume breach" mentality can help organizations focus on containing the impact of an intrusion and proactively prepare for attacks.

  2. Incident Response Plan: Developing an incident response plan is crucial. This plan should outline the steps to be taken in the event of a data breach, including notifying the necessary parties and mitigating the damage caused.

  3. Record Audit Trails: Keeping records of internal and external audits can help organizations identify areas that need improvement and track the effectiveness of their compliance processes.

  4. Dedicated Staff and Resources: Having dedicated and knowledgeable staff, as well as sufficient resources, is essential for a successful compliance program. Compliance responsibilities should not be added to an employee's existing workload.

  5. Address Human Vulnerabilities: Human error continues to be a significant vulnerability in cybersecurity efforts. Organizations should prioritize training and awareness programs to educate employees about potential risks and best practices for maintaining security.

  6. Multi-Factor Authentication: Implementing multi-factor authentication can help prevent account takeover attacks by requiring users to verify themselves through multiple factors, such as passwords, security tokens, or biometrics.

  7. Network Detection and Response: Having complete visibility across the entire enterprise is crucial for identifying and preventing breaches. Network detection and response tools can help detect and respond to threats that may be hiding within the network.

  8. Software Bill of Materials (SBOM): Organizations should consider requesting a software bill of materials from third-party vendors to assess and manage vulnerabilities. Early detection of vulnerable components can help mitigate or prevent incidents.

  9. Transparency and Timely Disclosure: Organizations should prioritize transparency and timely disclosure in the event of a breach. Delayed disclosure can erode trust and negatively impact the relationship between the organization and its users.

These points are general recommendations. Each organization should assess its specific needs and consult with cybersecurity professionals to develop a comprehensive security strategy.


The second ransomware attack on Change Healthcare by RansomHub has once again highlighted the vulnerabilities within the healthcare industry. The breach has exposed sensitive data, putting both patients and the organization at risk. Change Healthcare must take immediate steps to remediate the breach, enhance its cybersecurity measures, and restore its systems to ensure the protection of sensitive information. By ensuring the right methods and protocols are in place as outlined above, organizations can take steps to protect themselves from a similar attack.


This article was created using Cybersixgill IQ, our generative AI capability that supports teams with instant report writing, simplifies complex threat data and provides 24/7 assistance, transforming cybersecurity for every industry and every individual, at every level.
