UnitedHealth Investigating Change Healthcare Data Leak Claims

Following reports that a data extortion group has posted stolen Change Healthcare data online, UnitedHealth Group says in a statement that ‘our investigation remains active and ongoing.’

UnitedHealth Group said in a statement Tuesday that it’s investigating claims that a cybercrime group has leaked data online that was stolen in the Change Healthcare attack as part of an extortion attempt.

The claims are the latest development in the ongoing fallout from the widely felt Change Healthcare ransomware attack, which was first disclosed nearly two months ago.

A report Monday from BleepingComputer indicated that the RansomHub cybercriminal gang has started to post data allegedly stolen from Change Healthcare on the group’s extortion site. The screenshots of files posted by the group suggest that both patient and corporate data were impacted, according to the report.

“We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data,” UnitedHealth said in a statement Tuesday. “Our investigation remains active and ongoing.”

UnitedHealth added that there’s “no evidence of any new cyber incident at Change Healthcare.”

The attack against prescription processor Change Healthcare, which is a unit of UnitedHealth’s Optum subsidiary, was first disclosed Feb. 22. The attack prevented many U.S.-based pharmacies and hospitals, as well as other health-care facilities and offices, from processing claims and receiving payments for several weeks.

A different cybercrime group, known as AlphV and Blackcat, had claimed responsibility for the attack and said on its dark web site that it exfiltrated 6 TB of data from Change Healthcare.

The claim of stolen data had previously prompted the Department of Health and Human Services to launch an investigation into the incident in connection with HIPAA (the Health Insurance Portability and Accountability Act of 1996) rules.

The probe has been focusing on “whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA rules,” according to a letter posted last month.

The alleged data extortion attempt may be the second time UnitedHealth has been asked to pay a ransom demand in connection with the Change Healthcare attack.

Security researchers previously shared evidence suggesting UnitedHealth paid cybercriminals a $22 million ransom to regain access to its systems. The insurance giant has declined to comment on the reports.

Business Impact

Meanwhile, UnitedHealth Group reported Tuesday that the impacts of the Change Healthcare attack cost the company $872 million during the first quarter of the year. The figure includes both direct response costs and the impacts from business disruption, the company said.

In addition, UnitedHealth noted that cash flows “were affected by approximately $3 billion due to the company’s cyberattack response actions, including funding acceleration to care providers, and were additionally impacted due to the timing of public sector cash receipts.”

UnitedHealth said in March that it has advanced roughly $3 billion to care providers with finances disrupted by the attack.