For Change Healthcare and the beleaguered doctors’ offices, hospitals and patients that depend on it, confirmation of its extortion payment to hackers adds a bitter coda to an already dystopian story. The digital paralysis of Change Healthcare, a subsidiary of UnitedHealth Group, by AlphV affected the insurance approval of prescriptions and medical procedures for hundreds of doctor offices and hospitals across the country, making it, by some measures, the most widespread medical ransomware disruption ever. A survey of members of the American Medical Association, conducted between March 26 and April 3, found that four in five doctors had lost income as a result of the crisis. Many said they were using their own personal finances to cover their practice expenses. Meanwhile, Change Healthcare says it has lost $872 million from the incident and projects that figure will rise to more than $1 billion in the long term.
Change Healthcare’s confirmation of its ransom payment now appears to show that much of those catastrophic consequences for the US healthcare system played out. after He had already paid the hackers an exorbitant sum: a payment in exchange for a decryption key for the systems the hackers had encrypted and a promise not to leak the company’s stolen data. As is often the case in ransomware attacks, AlphV’s disruption of its systems appears to have been so widespread that Change Healthcare’s recovery process has dragged on long after obtaining the decryption key designed to unlock its systems.
As far as ransomware payouts go, $22 million wouldn’t be the most a victim has shelled out. But it’s close, says Brett Callow, a security researcher focused on ransomware who spoke to WIRED about the suspicious payment in March. Only a few exceptional payments, such as the $40 million paid to hackers by CNA Financial in 2021, exceed that figure. “It’s not unprecedented, but it’s certainly very unusual,” Callow said of the $22 million figure.
That $22 million funding injection into the ransomware ecosystem further fuels a vicious cycle that has reached epidemic proportions. Cryptocurrency tracking company Chainalysis found that in 2023, ransomware victims paid hackers attacking them $1.1 billion, a new record. The Change Healthcare payment may represent just a small drop in that bucket. But it rewards AlphV for its highly damaging attacks and may suggest to other ransomware groups that healthcare companies are particularly profitable targets, given that those companies are especially sensitive to both the high financial cost of such cyberattacks and the risks they pose to the health of patients.
Compounding Change Healthcare’s mess is an apparent betrayal within the ransomware world: by all appearances, AlphV faked its own police takedown after receiving payment from Change Healthcare in an attempt to avoid sharing it with its alleged affiliates, the hackers. who partner with the group to penetrate victims on their behalf. The second ransomware group threatening ChangeHealthcare, RansomHub, now claims to WIRED that they obtained the stolen data from those affiliates, who still want to get paid for their work.
This has created a situation where the Change Healthcare payment offers little guarantee that your compromised data will not continue to be exploited by disgruntled hackers. “These affiliates work for multiple groups. They’re worried about getting paid themselves and there’s no trust among thieves,” Analyst1’s DiMaggio told WIRED in March. “If someone screws someone else, you don’t know what they’re going to do with the data.”
All of that means that Change Healthcare still has little guarantee that it has avoided an even worse scenario than the one it has faced so far: paying what may be one of the largest ransoms in history and still seeing its data spilled onto the dark web. “If it leaks after they paid $22 million, it’s like setting that money on fire,” DiMaggio warned in March. “They would have burned that money for nothing.”