More than two months after the start of a ransomware debacle whose impact ranks among the worst in the history of cybersecurity, the medical firm Change Healthcare finally confirmed what cybercriminals, security researchers, and Bitcoin's blockchain had already made all too clear: that it did indeed pay a $22 million ransom to the hackers who targeted the company in February. And yet, it still faces the risk of losing vast amounts of customers' sensitive medical data.
In a statement sent to WIRED and other news outlets on Monday evening, Change Healthcare wrote that it paid a ransom to a cybercriminal group extorting the company, a hacker gang known as AlphV or BlackCat. “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure,” the statement reads. The company's belated admission of that payment accompanied a new post on its website where it warns that the hackers may have stolen health-related data that would “cover a substantial proportion of people in America.”
Change Healthcare's statement didn't state the size of the ransom payment. In a hearing held by the US Senate's Finance Committee on May 1, however, Andrew Witty, CEO of Change Healthcare parent company UnitedHealth Group, confirmed that the payment was $22 million.
Cybersecurity and cryptocurrency researchers told WIRED last month that Change Healthcare appeared to have paid that ransom on March 1, pointing to a transaction of 350 bitcoins or roughly $22 million sent into a crypto wallet associated with the AlphV hackers. That transaction was first highlighted in a message on a Russian cybercriminal forum known as RAMP, where one of AlphV's allegedly jilted partners complained that they hadn't received their cut of Change Healthcare's payment. However, for weeks following that transaction, which was publicly visible on Bitcoin's blockchain and which both security firm Recorded Future and blockchain analysis firm TRM Labs told WIRED had been received by AlphV, Change Healthcare repeatedly declined to confirm that it had paid the ransom.
Change Healthcare's confirmation of that extortion payment puts new weight behind the cybersecurity industry's fears that the attack—and the profit AlphV extracted from it—will lead ransomware gangs to further target health care companies. “It 100 percent encourages other actors to target health care organizations,” Jon DiMaggio, a researcher with cybersecurity firm Analyst1 who focuses on ransomware, told WIRED at the time the transaction was first spotted in March. “And it’s one of the industries we don’t want ransomware actors to target—especially when it affects hospitals.”
Compounding the situation, a conflict between hackers in the ransomware ecosystem has led to a second ransomware group claiming to possess Change Healthcare's stolen data and threatening to sell it to the highest bidder on the dark web. Earlier this month that second group, known as RansomHub, sent WIRED alleged samples of the stolen data that appeared to come from Change Healthcare's network, including patient records and a contract with another health care company.
As of Monday, strangely, the listing for that data on RansomHub's dark-web site had been taken down. Change Healthcare's post to its website, however, warns that 22 screenshots of its data had been posted to the dark web by an unnamed hacker group, and that they included “protected health information (PHI) or personally identifiable information (PII),” though it said it hadn't seen any sign that medical records like doctor's charts or full medical histories for any patients were among the stolen data.
For Change Healthcare and the beleaguered medical practices, hospitals, and patients that depend on it, the confirmation of its extortion payment to the hackers adds a bitter coda to an already dystopian story. AlphV's digital paralysis of Change Healthcare snarled the insurance approval of prescriptions and medical procedures for hundreds of medical practices and hospitals across the country, making it by some measures the most widespread medical ransomware disruption ever. A survey of American Medical Association members conducted between March 26 and April 3 found that four out of five clinicians had lost revenue as a result of the crisis. Many said they were using their own personal finances to cover a practice’s expenses. Change Healthcare, meanwhile, says it has lost $872 million to the incident and projects that number to rise well over a billion in the longer term.
Change Healthcare's confirmation of its ransom payment now appears to show that much of that catastrophic fallout for the US health care system unfolded after it had already paid the hackers an exorbitant sum—a payment in exchange for a decryption key for the systems the hackers had encrypted and a promise not to leak the company's stolen data. As is often the case in ransomware attacks, AlphV's disruption of its systems appears to have been so widespread that Change Healthcare's recovery process has extended long after it obtained the decryption key designed to unlock its systems.
As ransomware payments go, $22 million isn't the most that a victim has forked over. But it's close, says Brett Callow, a ransomware-focused security researcher who spoke to WIRED about the suspected payment in March. Only a few rare payments, such as the $40 million paid to hackers by CNA Financial in 2021, top that number. “It’s not without precedent, but it’s certainly very unusual,” Callow said of the $22 million figure.
That $22 million injection of funds into the ransomware ecosystem further fuels a vicious cycle that has reached epidemic proportions. Cryptocurrency tracing firm Chainalysis found that in 2023, ransomware victims paid the hackers targeting them fully $1.1 billion, a new record. Change Healthcare's payment may represent only a small drop in that bucket, but it both rewards AlphV for its highly damaging attacks and may suggest to other ransomware groups that health care companies are particularly profitable targets, given those companies are especially sensitive to both the high cost of those cyberattacks financially and the risks they pose to patients' health.
Compounding Change Healthcare's mess is an apparent double-cross within the ransomware underground: AlphV, by all appearances, faked its own law enforcement takedown after receiving Change Healthcare's payment in an attempt to avoid sharing it with its so-called affiliates, the hackers who partner with the group to penetrate victims on its behalf. The second ransomware group threatening Change Healthcare, RansomHub, now claims to WIRED that they obtained the stolen data from those affiliates, who still want to be paid for their work.
That has created a situation where Change Healthcare's payment provides little assurance that its compromised data won't still be exploited by disgruntled hackers. “These affiliates work for multiple groups. They’re concerned with getting paid themselves, and there’s no trust among thieves,” Analyst1's DiMaggio told WIRED in March. “If someone screws someone else, you don’t know what they’re going to do with the data.”
All of that means Change Healthcare still has little assurance that it has avoided an even worse scenario than it has yet faced: paying what may be one of the biggest ransoms in history and still seeing its data spilled onto the dark web. “If it gets leaked after they paid $22 million, it’s pretty much like setting that money on fire,” DiMaggio warned in March. “They’d have burned that money for nothing.”
Updated 10:25 am ET, May 1, 2024: UnitedHealth Group CEO Andrew Witty confirmed to a US Senate committee that the company paid $22 million in ransom.
