MINNEAPOLIS — An ongoing cybersecurity saga involving Change Healthcare, a subsidiary of Minnesota-based United Health Group, appears to offer a cautionary tale for large companies dealing with ransomware attacks.
"There truly is no honor among these thieves it seems," said Andy Greenberg a senior writer for Wired, who has been covering the Change Healthcare cyberattack since it was first discovered in late February. "When you pay these ransomware groups, you can't necessarily trust that they are going to follow through on their promises."
Neither Change Healthcare, nor United Health Group has confirmed, or denied, that it paid a ransom in response to the attack, which has led to widespread issues with billing, payments and care claims across the country in recent weeks; but Greenberg says ALPHV/Blackcat, the hacking group blamed in the cyberattack, received a $22 million payment.
"I can see that payment in Bitcoin's blockchain," Greenberg said.
But shortly after reporting on that payment, which would be the second largest in U.S. history, Greenberg heard from a second hacking group that claimed to still have sensitive patient data.
"I was told that first group of hackers, known as AlphV, simply ran off with the money they were paid rather than sharing it with their partners who are still in possession of that stolen data," he said. "So this is truly kind of worse than worst-case scenario. It's something that I've never seen before in the ransom ware ecosystem."
He says that group is now threatening to release that stolen data, or sell it to the highest bidder, unless it receives also receives a ransom.
Kent Erdahl: "As of right now, do we know that any patient information has been shared?"
Andy Greenberg: "Well, some patient information has actually been shared with me. When I asked RansomHub — this second group of hackers who are extorting Change Healthcare — to prove that this wasn't just an empty threat, they did send me a few samples of patient records, a contract that Change Healthcare had with another company. We don't know that they have the full, four terabytes of data that they claim to have and are threatening to leak, but if they did that would be, obviously, a terrible outcome for patients who would have just very sensitive information about themselves spilled onto the dark web."
Erdahl: "I think the obvious question is, why would it be advisable for a company to pay a second ransom when the first one didn't even really do what was promised?"
Greenberg: "Well, it's almost comical. RansomHub did even say to me — in response to this question — 'Well, we are not like that other cyber criminal group. We can be trusted. We don't even want to hold this data, as soon as we are paid, we'll delete it.' But yes, can you actually believe that when the first group of ransomware hackers actually said exactly the same thing?"
Sensitive patient data isn't the only thing hanging in the balance right now, there are still large numbers of physicians and hospital systems nationwide stuck in the lurch as Change Healthcare sorts out the disruptions to its billing, payment and care portals.
In a nationwide survey released by the American Medical Association, 80% of physicians who responded said they have lost revenue from unpaid claims and nearly one-third were unable to make payroll.
Locally, the Minnesota Hospital Association says this is impacting some of the largest systems in the Twin Cities in addition to some of the smallest rural hospitals.
"Some of our members are just dead in the water," said Joe Schindler, vice president of finance for the Minnesota Hospital Association. "They're just waiting to try and get bills sent out the door on behalf of their patients to be able to get paid and to keep revenue flowing."
Schindler says some providers have gotten some help with payments and cash flow issues, but he says it could be Halloween before some patient bills will be sorted out and sent in the mail. If you're a patient waiting for prior authorization before getting a procedure or a costly test, he says Change Healthcare has yet to provide much help or clarity.
Watch more Breaking The News:
Watch all of the latest stories from Breaking The News in our YouTube playlist:
WATCH MORE ON KARE 11+
Download the free KARE 11+ app for Roku, Fire TV, Apple TV and other smart TV platforms to watch more from KARE 11 anytime! The KARE 11+ app includes live streams of all of KARE 11's newscasts. You'll also find on-demand replays of newscasts; the latest from KARE 11 Investigates, Breaking the News and the Land of 10,000 Stories; exclusive programs like Verify and HeartThreads; and Minnesota sports talk from our partners at Locked On Minnesota.
- Add KARE 11+ on Roku here or by searching for KARE 11 in the Roku Channel Store.
- Add KARE 11+ on Fire TV here or by searching for KARE 11 in the Amazon App Store.
- Learn more about the KARE 11+ app for Apple TV in the Apple App Store.
- Learn more about KARE 11+ here.