Hackers in Change Healthcare attack reportedly receive $22 million in ransom

Pages from the United Healthcare website are displayed.

The hackers behind one of the most devastating healthcare cyberattacks in U.S. history recently received a $22 million payment, and experts say this suggests the gang’s victims may have just paid a huge ransom.

Healthcare providers and pharmacies across the country were unable to process prescriptions, leaving patients unable to receive needed medications after Change Healthcare’s payment exchange platform collapsed in the Feb. 21 cyberattack.

In a since-deleted post on the dark web on Wednesday, the notorious AlphV/BlackCat ransomware group said it was behind the attack, and Change, operated by UnitedHealth Group subsidiary Optum, confirmed it the following day.

Then on Friday, a Bitcoin address from AlphV hackers received a single transaction payment of 350 Bitcoins, worth nearly $22 million, according to WIRED and blockchain analysis group TRM Labs. TRM Labs also confirmed that the same address can be linked to payments from two other AlphV victims in January.

Two days later, an AlphV affiliate posted on the underground cybercrime platform RAMP that the ransomware group had cheated them out of their share of the ransom that was paid to “prevent data leaks and decryption keys,” according to a screenshot from Dmitry Smilyanets, a researcher for security firm Recorded Future.

Groups like AlphV often use partners to do the actual hacking with their ransomware and then give the partners a portion of the payouts. But the affiliate said AlphV “continued to lie and delay their payment” until the group finally “emptied the wallet and took all the money.”

“Unfortunately, the data from the target company Change Healthcare – OPTUM – is still with us,” the partner’s post says, according to a screenshot.

A spokesman for United Healthcare declined to answer questions from multiple publications about whether the company paid a ransom to AlphV, saying only that it was “currently focused on the investigation.” However, if the company did pay the ransom, the partner’s alleged post suggests that “4TB of the critical data” that Change feared would be leaked is still under the hackers’ control and may require additional payments if Change wants to prevent possible leakage.

Additionally, a ransomware researcher told WIRED that the potential ransom payment sets a dangerous precedent for the healthcare industry, which has increasingly been hit by cyberattacks, by either funding future attacks or suggesting to other hackers that the same plan of action could work for them.

AlphV/BlackCat is the second most common ransomware-as-a-service variant in the world, measured by the hundreds of millions of dollars in ransoms paid by its victims, the Justice Department said in December. At the time, an FBI operation was believed to have crippled the gang by seizing several of its websites and tools. But two months later it launched this attack on Change.

As a link between healthcare and insurance providers, Change processes 15 billion medical transactions each year, representing more than $1.5 trillion in healthcare claims, its website says. The Justice Department also says the company manages half of all health insurance claims in the country.

When AlphV/BlackCat claimed responsibility for the attack, it said it had accessed 6TB of data used in these claims, including payment and insurance information as well as medical records. However, the affiliate said it has 4TB of data from Change and its partners such as Medicare, CVS-CareMark, MetLife, Health Net and more.

Beyond patient safety, the attack means many continue to rely on Change’s financial services to fill prescriptions, process claims, bill patients, verify insurance coverage, pay employees, refill hospital medications, replenish inventory, and more.

While it’s still unclear when Change’s systems will come back online, Senate Majority Leader Chuck Schumer (D-NY) on Monday called on the Centers for Medicare & Medicaid Services to help healthcare providers who are unable to make payments or process claims, to ensure that patient care can continue to be “first class.”

“We cannot allow hackers to threaten the financial stability of healthcare providers and even the critical care of patients across America. CMS must act now to help our hospitals,” Schumer said.