For months, Change Healthcare has confronted an immensely messy ransomware debacle that has left a whole bunch of pharmacies and medical practices throughout the United States unable to course of claims. Now, due to an obvious dispute inside the ransomware legal ecosystem, it might have simply develop into far messier nonetheless.

In March, the ransomware group AlphV, which had claimed credit score for encrypting Change Healthcare’s community and threatened to leak reams of the corporate’s delicate well being care knowledge, received a $22 million payment—proof, publicly captured on Bitcoin’s blockchain, that Change Healthcare had very possible caved to its tormentors’ ransom demand, although the corporate has but to substantiate that it paid. But in a brand new definition of a worst-case ransomware, a totally different ransomware group claims to be holding Change Healthcare’s stolen knowledge and is demanding a cost of their very own.

Since Monday, RansomHub, a comparatively new ransomware group, has posted to its dark-web website that it has 4 terabytes of Change Healthcare’s stolen knowledge, which it threatened to promote to the “highest bidder” if Change Healthcare didn’t pay an unspecified ransom. RansomHub tells WIRED it’s not affiliated with AlphV and “can’t say” how a lot it’s demanding as a ransom cost.

RansomHub initially declined to publish or present WIRED any pattern knowledge from that stolen trove to show its declare. But on Friday, a consultant for the group despatched WIRED a number of screenshots of what gave the impression to be affected person information and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its identify.

While WIRED couldn’t absolutely affirm RansomHub’s claims, the samples counsel that this second extortion try towards Change Healthcare could also be greater than an empty menace. “For anyone doubting that we have the data, and to anyone speculating the criticality and the sensitivity of the data, the images should be enough to show the magnitude and importance of the situation and clear the unrealistic and childish theories,” the RansomHub contact tells WIRED in an electronic mail.

Change Healthcare didn’t instantly reply to WIRED’s request for touch upon RansomHub’s extortion demand.

Brett Callow, a ransomware analyst with safety agency Emsisoft, says he believes AlphV didn’t initially publish any knowledge from the incident, and the origin of RansomHub’s knowledge is unclear. “I obviously don’t know whether the data is real—it could have been pulled from elsewhere—but nor do I see anything that indicates it may not be authentic,” he says of the information shared by RansomHub.

Jon DiMaggio, chief safety strategist at menace intelligence agency Analyst1, says he believes RansomHub is “telling the truth and does have Change HealthCare’s data,” after reviewing the data despatched to WIRED. While RansomHub is a brand new ransomware menace actor, DiMaggio says, they’re shortly “gaining momentum.”

If RansomHub’s claims are actual, it would imply that Change Healthcare’s already catastrophic ransomware ordeal has develop into a sort of cautionary story concerning the risks of trusting ransomware teams to comply with by on their guarantees, even after a ransom is paid. In March, somebody who goes by the identify “notchy” posted to a Russian cybercriminal discussion board that AlphV had pocketed that $22 million cost and disappeared with out sharing a fee with the “affiliate” hackers who usually accomplice with ransomware teams and sometimes penetrate victims’ networks on their behalf.