For Change Healthcare and the beleaguered medical practices, hospitals, and patients that depend on it, the confirmation of its extortion payment to the hackers adds a bitter coda to an already dystopian story. AlphV’s digital paralysis of Change Healthcare, a subsidiary of UnitedHealth Group, snarled the insurance approval of prescriptions and medical procedures for hundreds of medical practices and hospitals across the country, making it by some measures the most widespread medical ransomware disruption ever. A survey of American Medical Association members, conducted between March 26 and April 3, found that four out of five clinicians had lost revenue as a result of the crisis. Many said they were using their own personal finances to cover a practice’s expenses. Change Healthcare, meanwhile, says that it has lost $872 million to the incident and projects that number to rise well over a billion in the longer term.
Change Healthcare’s confirmation of its ransom payment now appears to show that much of that catastrophic fallout for the US healthcare system unfolded after it had already paid the hackers an exorbitant sum—a payment in exchange for a decryption key for the systems the hackers had encrypted and a promise not to leak the company’s stolen data. As is often the case in ransomware attacks, AlphV’s disruption of its systems appears to have been so widespread that Change Healthcare’s recovery process has extended long after it obtained the decryption key designed to unlock its systems.
As ransomware payments go, $22 million wouldn’t be the most that a victim has forked over. But it’s close, says Brett Callow, a ransomware-focused security researcher who spoke to WIRED about the suspected payment in March. Only a few rare payments, such as the $40 million paid to hackers by CNA Financial in 2021, top that number. “It’s not without precedent, but it’s certainly very unusual,” Callow said of the $22 million figure.
That $22 million injection of funds into the ransomware ecosystem further fuels a vicious cycle that has reached epidemic proportions. Cryptocurrency tracing firm Chainalysis found that in 2023, ransomware victims paid the hackers targeting them fully $1.1 billion, a new record. Change Healthcare’s payment may represent only a small drop in that bucket. But it both rewards AlphV for its highly damaging attacks and may suggest to other ransomware groups that healthcare companies are particularly profitable targets, given those companies are especially sensitive to both the high cost of those cyberattacks financially and the risks they pose to patients’ health.
Compounding Change Healthcare’s mess is an apparent double-cross within the ransomware underground: AlphV by all appearances faked its own law enforcement takedown after receiving Change Healthcare’s payment in an attempt to avoid sharing it with its so-called affiliates, the hackers who partner with the group to penetrate victims on its behalf. The second ransomware group threatening ChangeHealthcare, RansomHub, now claims to WIRED that they obtained the stolen data from those affiliates, who still want to be paid for their work.
That’s created a situation where Change Healthcare’s payment provides little assurance that its compromised data won’t still be exploited by disgruntled hackers. “These affiliates work for multiple groups. They’re concerned with getting paid themselves, and there’s no trust among thieves,” Analyst1’s DiMaggio told WIRED in March. “If someone screws someone else, you don’t know what they’re going to do with the data.”
All of that means Change Healthcare still has little assurance that it’s avoided an even worse scenario than it’s yet faced: paying what may be one of the biggest ransoms in history and still seeing its data spilled onto the dark web. “If it gets leaked after they paid $22 million, it’s pretty much like setting that money on fire,” DiMaggio warned in March. “They’d have burned that money for nothing.”