Change Healthcare data reportedly listed for sale — then delisted

UPDATED: April 23 at 1 p.m.

About a week ago, cybersecurity experts identified posts from the criminal group RansomHub that suggested the data from the Change Healthcare hack was up for sale.

Those listings have since been pulled, according to a Twitter post from Brett Callow, a threat analyst at Emsisoft. It's unclear at present what led the group to suspend the sale, as they were seeking an additional ransomware payout from Change's parent company UnitedHealth Group.

The healthcare giant did confirm on Monday that it had paid a ransom to the hackers that breached Change's systems in February, according to a report from Wired. Analysts had identified payment logs that pointed to a payout valued at about $22 million in Bitcoin to the BlackCat hacking group.

However, the core administration of the group appears to have taken the money and run, taking the share that would have been paid to the affiliate that conducted the hacking. That affiliate still had access to the extracted data, and seemingly joined up with RansomHub in an attempt to extort UnitedHealth a second time.

UPDATED: April 16 at 4:12 p.m.

A ransomware gang has published what it says is a massive tranche of patient data obtained in the cyberattack on Change Healthcare.

The cybercriminal group RansomHub posted information on its dark web site that contains patient information including insurance records, billing files and other medical details, according to a report from TechCrunch. The news outlet said it has viewed some of the data, and it also includes contracts between Change Healthcare and its clients.

Though UnitedHealth Group has not confirmed that a payment was made, cybersecurity experts identified payment logs that suggest a $22 million ransom was paid to the hackers. A Russia-based cybergang operating as ALPHV or BlackCat claimed responsibility for the hacking.

However, the group then disappeared. It operates ransomware-as-a-service, meaning its software is provided to affiliates who then do the actual hacking. It appeared that the core group took the money paid and ran.

Earlier this month, RansomHub claimed that it now had access to the data. Should the leaked data prove to be genuine, that means it likely absorbed the affiliate that was stiffed by BlackCat. RansomHub said it will sell off the data should UnitedHealth fail to pay a ransom for it, TechCrunch reported.

A UnitedHealth spokesperson told the outlet that there's no evidence of any further hacking.

UPDATED: April 8 at 12:34 p.m.

After the hackers responsible for the cyberattack on Change Healthcare took the ransom and ran in a reported exit scam, cybersecurity experts have found a new post that is seeking a payout from UnitedHealth Group to recover the data.

A post from RansomHub claims to have four terabytes of data stolen from Change, according to analyst Dominic Alvieri. The listing alleges that the administration of BlackCat, or ALPHV, stole a $22 million ransom payment made to recover the data.

Neither UnitedHealth nor Optum has confirmed that the payment was made, but researchers have identified payment logs that suggest the money changed hands.

"ALPHV stole the ransom payment...that Change Healthcare and United Health payed [sic] in order to restore their systems and prevent the data leak," according to the post. "HOWEVER we have the data and not ALPHV."

Alvieri posits in a LinkedIn post that either RansomHub acquired the ALPHV affiliate who conducted the actual hacking, or that this is an "entry scam" in an attempt to extort UnitedHealth for additional cash. As ALPHV operates as a ransomware-as-a-service (RaaS) entity, they make the software available to affiliates who do the actual hacking. Each then receives a cut of any ransom payouts.

The post claims that the large tranche of data includes medical records, payment information, personal details such as Social Security numbers and source code files for Change Healthcare's platforms. It also says that impacted parties include Medicare, CVS Health, MetLife and many other insurance companies.

Change Healthcare is currently in the process of analyzing the data that was impacted, and determining who may need to be notified that their information was accessed. Experts say this could be a messy process.

UPDATED: March 29 at 2:10 p.m.

The State Department has issued a reward for information that could help identify or locate people working with BlackCat or ALPHV, the cybercriminal gang behind the attack on Change Healthcare's systems.

The agency said it will award up to $10 million for details that lead "to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act."

BlackCat operates as a ransomware-as-a-service (RaaS) organization, in which its key members develop the ransomware software that is then deployed by affiliates. The core leadership and the affiliates then split any ransom paid out in a cyberattack.

The department said in its announcement that BlackCat's ransomware was first used in November 2021.

"The ALPHV BlackCat ransomware-as-a-service group compromised computer networks of critical infrastructure sectors in the United States and worldwide, deploying ransomware on the targeted systems, disabling security features within the victim’s network, stealing sensitive confidential information, demanding payment to restore access, and threatening to publicize the stolen data if victims do not pay a ransom," the State Department said.

UPDATED: March 24 at 1:15 p.m.

In its latest update on the response to the cyberattack on Change Healthcare, UnitedHealth Group said on Friday that its largest clearinghouse, called Relay Exchange, will be back online by the end of the weekend and the company will begin processing $14 billion in medical claims.

UnitedHealth Group also posted an estimated timeline for restoring its systems from the February 21 cyberattack.

The ransomware attack led to widespread reimbursement and pharmacy disruptions for hospitals, health systems and medical practices. The company says it has advanced $2.5 billion to affected providers.

The company said the target dates are projections based on available information and may change as it learns more. "Products will go through a phased reconnection process, including launch, testing and scaled reconnection. If a product is not listed in this schedule, that does not mean that product is more than three weeks away. It means that we do not yet have line of sight to the week that we expect it to be restored and will provide updated information as those timelines become clear," the company said in its update posted online.

On March 7, UnitedHealth restored 99% of Change Healthcare's pharmacy network services.

A week later, on March 15, Change Healthcare’s electronic payments platform was restored and is now proceeding with payer implementations, the company said.

Assurance, the company's medical claims preparation software, went back online on March 18. "Providers continue with the testing and re-connection phases and have begun working through their respective backlogs of claim files," the company said.

As of March 22, claims with more than $14 billion in charges have been staged for processing through the Assurance software.

"We expect Relay Exchange, our largest clearinghouse, to be back online on the weekend of March 23, along with appropriate third-party documentation," the company said in its update.

This coming week, UnitedHealth plans to restore Change Healthcare's eligibility processing capabilities along with benefits verification and authorization determination services, pharmacy electronic claims for medical through MedRx and its reimbursement manager.

"Once a critical mass of payer connectivity has been established, we will turn on claims processing for Assurance customers. That process will occur automatically for those Assurance customers when we trigger restart," UnitedHealth said in its update. "Following activation of Assurance software customers, we will turn our attention to the reactivation of all other Relay Exchange claims submitters. Throughout the reactivation of these provider customer groups, we will continue to add additional payer connectivity to close any remaining gaps. We will start immediately with establishing payer connectivity so claims entering the clearinghouse have a destination."

The company is targeting the week of April 1 to restore its clinical exchange service, payer connectivity and hosted payer services. 

The following week, April 8, the company plans to restore its Risk Manager and Health QX products.

UPDATED: March 22 at 3 p.m.

In response to the Change Healthcare cyberattack, U.S. Sen. Mark Warner, D-Virginia, introduced legislation Friday that provides financial incentives to healthcare providers to "step up their game" for stronger cybersecurity.

The Health Care Cybersecurity Improvement Act of 2024 proposes to allow for advance and accelerated payments to healthcare providers in the event of a cyber incident, as long as healthcare providers and their vendors meet minimum cybersecurity standards. 

“I’ve been sounding the alarm about cybersecurity in the healthcare sector for some time. It was only a matter of time before we saw a major attack that disrupted the ability to care for patients nationwide,” said Warner, a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, in a statement. “The recent hack of Change Healthcare is a reminder that the entire healthcare industry is vulnerable and needs to step up its game. This legislation would provide some important financial incentives for providers and vendors to do so.”

In rare situations, Medicare Part A providers, such as acute care hospitals, skilled nursing facilities, and other inpatient care facilities, and Part B suppliers, including physicians, nonphysician practitioners, durable medical equipment suppliers, and others who furnish outpatient services, can face cash flow challenges due to specified circumstances beyond their control, for example, the COVID-19 pandemic.

Since the 1980s, the Centers for Medicare & Medicaid Services (CMS) has provided temporary financial relief to participants in these programs through Accelerated and Advance Payment (AAP) programs, during which these providers and suppliers receive advance payments from the federal government that are later recovered by withholding payment for subsequent claims.

The Health Care Cybersecurity Improvement Act of 2024 would modify the existing Medicare Hospital Accelerated Payment Program and the Medicare Part B Advance Payment Program by requiring the HHS Secretary to determine if the need for payments results from a cyber incident. If it does, healthcare providers would have to meet minimum cybersecurity standards, as determined by the Secretary, to be eligible for the payments.

If a provider’s intermediary was the target of the incident, the intermediary must also meet minimum cybersecurity standards, as determined by the Secretary, for the provider to receive the payments, according to the proposed legislation.

These provisions would go into effect two years from the date of enactment.

UPDATED: March 20 at 12:54 p.m.

On the heels of proposed class action lawsuits from patients, providers are also filing legal challenges against UnitedHealth Group in the wake of the cyberattack on Change Healthcare.

Several lawsuits have cropped up across the country, according to media reports. California-based Gibbs Law Group filed a proposed class action (PDF) naming both UHG and Change on behalf of Bay Area Therapy Group on Monday, alleging that the healthcare giant was negligent in its cybersecurity protocols, which led to massive financial disruption for providers.

"Defendants' negligence, failures and omissions have catastrophically harmed hard-working medical providers around the country, forcing many to the edge of bankruptcy and delaying or denying vital medical treatments needed by patients around the country," according to the lawsuit.

The plaintiffs allege that the cyberattack suggests violations of California's Unfair Competition Law.

Similarly, Mississippi-based Advanced Obstetrics & Gynecology PC filed suit on March 14, saying that the financial struggles and payment delays could "bankrupt hundreds if not thousands of care providers, if it hasn't done so already," according to a report in

Multiple proposed class actions also represent patients who say they have been financially harmed by the cyberattack, and express concern about the potential exposure of their personal data.

UPDATED: March 18 at 12:34 p.m.

In its latest update on the response to the cyberattack on Change Healthcare, UnitedHealth Group said that it will begin today to release medical claims preparation software, a move it says is a critical step in restoring services.

The software will be rolled out to thousands of customers in the next several days, according to the announcement. UHG said that it intends to have third-party attestations available before services are fully online. 

“We continue to make significant progress in restoring the services impacted by this cyberattack,” said Andrew Witty, CEO of UnitedHealth Group, in the press release. “We know this has been an enormous challenge for health care providers and we encourage any in need to contact us.”

Change Healthcare's electronic payments platform was brought back online as of March 15, and UHG is now "proceeding with payer implementations."

UnitedHealth added that it has advanced more than $2 billion in payments so far through its relief initiatives in the wake of the cyberattack. The insurer has also suspended prior authorizations for outpatient care, and is reviewing similar steps for inpatient admissions in Medicare Advantage.

To assist providers in connecting with its funding assistance programs, Optum has posted a new how-to video that explains the process.

UPDATED: March 14 at 12:09 p.m.

Change Healthcare's Pharmacy Network is officially back online, according to the latest update from UnitedHealth Group.

The company said Wednesday that all of its major pharmacy and payment systems are up again and "99% of pre-incident claim volume is flowing." The cyberattack was first announced on Feb. 21, and has caused major disruption in claims processing nationwide over the past three weeks.

"While these actions represent positive momentum, our teams are still working to address a subset of pharmacies that are still offline, disruption for infusion pharmacies and challenges for some Medicaid fee-for-service customers," UnitedHealth Group said.

In addition, the company offered an update on the status of its investigation alongside Mandiant and Palo Alto Networks to identify the origins of the breach. While that investigation remains ongoing, UHG provided an interim report on where things stand.

"Through this analysis, we have identified the source of the intrusion and, with high confidence, have established a safe restore point," the company said. "This point allows us to move forward safely and securely in restoring our data and systems."

UPDATED: March 13 at 4:11 p.m.

The Office for Civil Rights (OCR) announced Wednesday it is investigating Change Healthcare, a unit of UnitedHealth Group, following the cybersecurity incident in February.

"Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident," OCR Director Melanie Fontes Rainer said in a letter (PDF). "OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules."

Providers and plans that have partnered with Change are not prioritized as part of this investigation, though the office reminded those parties to abide by business associate agreements and breach notifications to the Department of Health and Human Services.

"OCR encourages all entities to review the cybersecurity measures they have in place with urgency to ensure that critically needed patient care can continue to be provided and that health information is protected," said Rainer. The agency enforces patient privacy and breach rules, dictating how providers, plans and clearinghouses must protect sensitive information.

The investigation adds to UnitedHealth's troubles. In February, it was reported the Biden administration was launching an antitrust probe into the insurer's business dealings and provider acquisitions.

UPDATED: March 12 at 1:31 p.m.

Federal officials applied even more pressure on UnitedHealth Group and other insurers at a meeting Tuesday, according to a report from The Washington Post.

Andrew Witty, CEO of UHG, was in attendance, according to the article, as were multiple provider representatives. Department of Health and Human Services (HHS) Secretary Xavier Becerra, White House domestic policy chief Neera Tanden and other officials urged UnitedHealth and other payers to make additional funds available for cash-strapped providers, multiple sources who attended the meeting told the outlet.

Providers in attendance were able to tell Witty and other industry leaders directly about the struggles they were facing with payments as disruption from the cyberattack on Change Healthcare stretches into its third week.

The White House confirmed to the Post that the meeting occurred but declined to comment further.

The report echoes a letter posted over the weekend by HHS that pushes payers to do more to support providers who are struggling to make ends meet amid the ongoing fallout from the hack. The agency urged UnitedHealth Group to step up and "meet the moment" with its response to the incident.

The insurer has launched a landing page with details on its funding assistance and other programs established following the cyberattack.

UPDATED: March 7 at 9:30 p.m.

UnitedHealth Group late Thursday detailed a timeline for restoring Change Healthcare's systems, which have been down for more than two weeks following the cyberattack.

The company noted that electronic prescribing services were previously restored, and that claim submission and payment transmission services were restored as of Thursday. It added that it had taken steps to ensure patients could access prescriptions in the meantime, such as having Optum Rx pharmacies send out the medications based on the date.

Change's electronic payment functionality will be back online March 15, UHG said, and it expects to begin testing connectivity to claims network and software beginning March 18. It expects to restore service that week.

UnitedHealth directed its clients to tap into workarounds that it has set up in the meantime, including an iEDI claim submission system.

“We are committed to providing relief for people affected by this malicious attack on the U.S. health system,” said Andrew Witty, CEO of UnitedHealth Group, in the press release. “All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practices, and that patients can get their medications. We’re determined to make this right as fast as possible.”

In addition, UnitedHealth said it will offer additional funding for providers under its Temporary Funding Assistance Program, which Optum launched on March 1. Providers are asked to complete a one-time registration to access the funding, and it will cover the difference between their historical payment levels and payments received following the cyberattack.

"Advances will not need to be repaid until claims flows have fully resumed," UHG said.

As UnitedHealthcare cannot have a full picture of the cash flow for every provider it contracts with, the company is asking its peers to take similar steps while the disruptions continue. 

UnitedHealth added that it is taking steps to suspend prior authorization in Medicare Advantage plans for most outpatient care, aside from cosmetic procedures, Part B step therapy and durable medical equipment. It is also pausing utilization reviews for inpatient admissions for MA members.

It will also press pause on drug formulary exemption review in Part D, according to the announcement. These steps will remain in place until March 31, and the insurer said it will partner with states who wish to take similar steps in Medicaid plans. 

UPDATED: March 6 at 4:30 p.m.

Given the broad impact of disruption following the cyberattack on Change Healthcare, which is now reaching its second week, it shouldn't come as a surprise that lawsuits have begun to crop up in response.

Multiple suits have been filed in Minnesota as well as in Tennessee, with patients seeking a potential class action over the company's failure to protect their data. In one such suit, filed Tuesday in Minnesota federal court, a patient alleges that as of March 5 they had not been notified directly of the breach or as to the status of their own personal information.

The patient said that if they were aware that their provider's partner in Change had not established the security systems necessary to protect their data, they "would have obtained medical services elsewhere."

In another Minnesota suit, a patient says that the breach prevented them from fulfilling their prescriptions in a timely manner.

Law firms are also exploring a potential class action. Gibbs Law Group, based in Oakland, California, posted on its site that the disruption caused by the cyberattack has led to patients paying out-of-pocket for prescriptions or being forced to delay their medication refills.

The firm is seeking input from patients who may have been put in this situation.

"Gibbs Law Group seeks money back for patients who were unexpectedly forced to pay for expensive medications due to this cyberattack," the firm wrote on its website.

UnitedHealth Group has not yet acknowledged the legal fallout on its ongoing update page. The company added a series of rolling updates for its response across multiple segments of healthcare, as well as a frequently asked questions section that does touch on the potential exposure of patient information.

"Our privacy office and security information teams are actively engaged and working to understand the impact to members, patients and customers," the company said.

UPDATED: Feb. 29 at 11:28 a.m.

In its latest update on the ongoing cybersecurity incident at Change Healthcare, Optum confirmed that the attack was perpetrated by a cybercrime group called BlackCat or ALPHV.

In the post, the UnitedHealth Group subsidiary said that it's working alongside law enforcement as well as the third-party organizations Mandiant and Palo Alto Networks to address the attack, which continues to cause disruption across the industry.

Optum is "actively working to understand the impact to members, patients and customers," the company said. It is deploying "multiple workarounds" to ensure people can access medications and other services while the incident continues.

"We are working on multiple approaches to restore the impacted environment and continue to be proactive and aggressive with all our systems, and if we suspect any issue with the system, we will immediately take action," Optum said.

The Federal Bureau of Investigation, the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency issued an updated joint advisory this week to the healthcare industry highlighting warning signs that they may have been compromised by a BlackCat ransomware actor and actions to take to mitigate ransomware attacks.

The agencies noted in the advisory that the healthcare sector has been one of the most commonly targeted by this group among the 70 leaks it's conducted since December. The ALPHV/BlackCat administrator issued a post in early December "encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023," according to the advisory.

UPDATED: Feb. 28 at 7:29 p.m.

The hacking group believed to be behind the attack on Change Healthcare posted a statement saying they stole "millions" of records in the breach, before quickly deleting the post, according to a report from Reuters.

The group known as "Blackcat" and "ALPHV" was also behind cyberattacks on MGM and Caesars that roiled the hotel and casino industry last year. In the now-deleted statement, the hackers said that they had accessed eight terabytes of UnitedHealth Group's data, including from Medicare, Tricare and companies like CVS Health, Reuters reported.

Reuters said that it is unable to verify if the claims are true, as there were no screenshots or other evidence provided to back them up.

UnitedHealth told the outlet that it was aware of the statement. Cybersecurity experts said that the statement may have been short-lived as ransom discussions were underway or the hackers simply did not want that level of attention, according to the article.

UPDATED: Feb. 26 at 1:01 p.m.

The cybersecurity incident at Change Healthcare will stretch on for at least another day, according to the latest update from Optum.

The company posted early Monday morning that it is taking multiple angles to get Change's systems back online, and stressed that it has a "high level of confidence" that other systems within Optum, UnitedHealthcare and UnitedHealth Group are unaffected.

"We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online," Optum said in the post. "We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect."

"The disruption is expected to last at least through the day," the company said.

The ongoing issue has had a significant impact on pharmacies across the country. In a statement to CNBC, CVS Health said that while it is continuing to fill prescriptions for customers, it's not able to process all of its insurance claims.

The pharmacy giant added that there is "no indication" that its own systems have been breached.

“We’re committed to ensuring access to care as we navigate through this interruption,” CVS told the outlet.

Patients have reported issues at other pharmacy chains or independent locations on social media, according to The Hill, and other services like GoodRx have faced disruption.

UPDATED: Feb. 23 at 12:37 p.m.

UnitedHealth Group, Optum's parent company, disclosed in a Securities and Exchange Commission filing that a "suspected nation-state associated cybersecurity threat actor" is behind a recent cyberattack on Change Healthcare.

The healthcare giant said they identified the actor on Wednesday, Feb. 21 and moved quickly to isolate the affected systems.

"On February 21, 2024, UnitedHealth Group identified a suspected nation-state associated cybersecurity threat actor had gained access to some of the Change Healthcare information technology systems," the company wrote. "Immediately upon detection of this outside threat, the Company proactively isolated the impacted systems from other connecting systems in the interest of protecting our partners and patients, to contain, assess and remediate the incident."

UHG said it is working to restore the impacted systems but does not have a definite timeline for the length of any disruption. UnitedHealth added that it "has retained leading security experts, is working with law enforcement and notified customers, clients and certain government agencies."

The company said it is unclear at present how the cyberattack could impact its earnings. Dean Unger, vice president and senior credit officer at Moody's Investors Service, said in a statement that the situation would likely be credit negative.

UPDATED: Feb. 23 at 10:50 a.m.

The American Hospital Association is recommending that its members consider disconnecting from Optum's services until a cybersecurity incident at its Change Healthcare arm is resolved.

The AHA posted on its website that the cyberattack could have significant impacts on providers, and so disconnecting from Optum is "in the interest of protecting our partners and patients" if a facility is at risk of being affected.

"Due to the sector wide presence and the concentration of mission critical services provided by Optum, the reported interruption could have significant cascading and disruptive effects on revenue cycle, certain health care technologies and clinical authorizations provided by Optum across the health care sector," AHA said.

The AHA is also suggesting that its members develop contingency plans should Change Healthcare's systems remain down for a significant amount of time.

As of Friday morning, Optum reported that it believed the disruption from the attack will continue through the day.

Change Healthcare is mitigating a "cybersecurity issue" that began Wednesday, and details remain scant.

The company, now a subsidiary of UnitedHealth Group's Optum, disclosed Wednesday afternoon that it was experiencing connectivity issues that were later updated to be "enterprise-wide." Late Wednesday, the company confirmed that the issues were caused by a cybersecurity concern.

Optum last updated the situation late this morning, saying the incident appears to be isolated to Change Healthcare's platforms and that it had not spread to other segments of UHG.

"Change Healthcare is experiencing a cyber security issue, and our experts are working to address the matter," the company said. "Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact."

Change Healthcare provides the technology for revenue cycle and payment management to multiple sectors within the healthcare industry. It joined the fold at UnitedHealth Group in the fall of 2022 after clearing a legal challenge to the $8 billion deal.

Change processes 15 billion healthcare transactions each year, and its "clinical connectivity solutions" touch a third of U.S. patients, according to the company's website.