Change Healthcare Finally Admits it Paid Ransomware Hackers – and Still Faces Patient Data Leak

For Change Healthcare and the beleaguered doctors’ offices, hospitals and patients who depend on it, the confirmation of its extortion payment to the hackers is a bitter end to an already dystopian story. AlphV’s digital paralysis of Change Healthcare, a subsidiary of UnitedHealth Group, has affected the insurance approval of prescriptions and medical procedures for hundreds of doctors’ offices and hospitals across the country, making it in some ways the most widespread medical ransomware disruption ever. A survey of American Medical Association members conducted between March 26 and April 3 found that four out of five physicians had lost income as a result of the crisis. Many said they would use their own finances to cover the costs of a practice. Change Healthcare, meanwhile, says it lost $872 million as a result of the incident and expects that figure to rise to well over $1 billion in the longer term.

Change Healthcare’s confirmation of the ransom payment now appears to show that much of this catastrophic impact on the US healthcare system occurred after it had already paid the hackers an exorbitant sum: a payment in exchange for a decryption key for the systems the hackers had encrypted and a promise not to reveal the company’s stolen data. As is often the case with ransomware attacks, AlphV’s disruption of the company’s systems appears to have been so widespread that Change Healthcare’s recovery process continued long after it received the decryption key to unlock its systems.

As far as ransomware payments are concerned, $22 million would not be the most a victim has ever paid. But it’s close, says Brett Callow, a security researcher specializing in ransomware, who spoke to WIRED about the alleged payment in March. Only a few rare payments, like the $40 million CNA Financial paid to hackers in 2021, exceed this figure. “It’s not without precedent, but it’s certainly very unusual,” Callow said of the $22 million figure.

This $22 million cash injection into the ransomware ecosystem is fueling a vicious cycle that has reached epidemic proportions. Cryptocurrency tracking firm Chainalysis has found that ransomware victims paid a whopping $1.1 billion to the hackers who targeted them in 2023, a new record. Change Healthcare’s payment may be a small drop in the bucket, but it rewards AlphV for its highly damaging attacks and could give other ransomware groups the impression that healthcare companies are particularly profitable targets, because these companies are particularly sensitive to both the high financial costs of these cyberattacks and the associated risks to patient health.

Change Healthcare’s mess is compounded by an apparent double-cross within the ransomware underground: apparently, after receiving payment from Change Healthcare, AlphV faked its own shutdown by law enforcement to avoid sharing the payment with its so-called affiliate partners, the hackers who partner with the group to penetrate victims on its behalf. The second ransomware group threatening Change Healthcare, RansomHub, now claims to WIRED that it received the stolen data from those partners, who still want to be paid for their work.

This has created a situation where Change Healthcare’s payment provides little assurance that the compromised data will not continue to be exploited by disgruntled hackers. “These partners work for multiple groups. They’re worried about getting paid themselves, and there’s no trust among thieves,” Analyst1’s DiMaggio told WIRED in March. “If someone screws over someone else, you don’t know what they’re going to do with the data.”

All of this means that Change Healthcare can still hardly be sure that it has avoided an even worse scenario than the one it has faced so far: paying what could be the largest ransom in history and still seeing its data spread on the dark web. “If it leaks after they’ve paid $22 million, it’s like setting the money on fire,” DiMaggio warned in March. “They would have burned the money for nothing.”
