Hackers claim to have UnitedHealth’s stolen data – is it a bluff?

By Raphael Satter

WASHINGTON (Reuters) – A freshly formed hacking gang claims to have won access to a massive stash of data stolen from UnitedHealth Group, the largest U.S. health insurer, but with little evidence to go on it is not clear whether they are telling the truth.

Hackers walloped UnitedHealth in February, paralyzing billions of dollars worth of health insurance payments across the country. The ransomware gang “Blackcat” initially said on its website that it had stolen 8 terabytes of sensitive records – including medical insurance and health data – only to swiftly delete the statement without explanation.

The new group, “Ransomhub,” told Reuters that a disgruntled affiliate of Blackcat gave the data to them after a botched ransomware payment allowed Blackcat’s hackers to vanish with $22 million in bitcoin.

Ransomhub refused to provide any backing for their claim or identify the affiliate.

“We will not disclose any information,” the hackers said in a chat.

UnitedHealth said it was aware of the claim and was continuing to work with authorities. The FBI did not immediately return a message.

UnitedHealth has stayed mum on whether it paid the cybercriminals, but a hacker forum posting – backed by forensic blockchain evidence – claimed that Blackcat had cheated an affiliated hacker or hacker group out of a $22 million ransom paid by UnitedHealth to help contain the breach.

Blackcat then pulled a disappearing act, falsely claiming to have been nabbed by law enforcement.

Ransomhub told Reuters the Blackcat affiliate has since handed the data to them for resale. It declined to answer further questions, saying the group was busy.

FILE PHOTO: The corporate logo of the UnitedHealth Group appears on the side of one of their office buildings in Santa Ana, California, U.S., April 13, 2020. REUTERS/Mike Blake/File Photo

With so much intrigue already surrounding the hack, experts urged caution about the claim.

Analyst Brett Callow of cybersecurity company Emsisoft said he suspected Ransomhub’s claim was true, but he cautioned that he was making “a very low confidence guess” and that the group could be trying out a scam.

Darren Williams, the chief executive of cybersecurity company BlackFog, said he had seen a couple of gangs recently try to boost their credibility by lying about what they had. He said the latest claim was “highly likely” a bluff.