Severity: critical
Records: 100,000,000
Vector: Ransomware — compromised credentials on Citrix remote access without MFA
Organization: Change Healthcare (UnitedHealth Group)
Incident Date: 2024-02-21

What Happened

On February 21, 2024, the ALPHV/BlackCat ransomware group attacked Change Healthcare, a subsidiary of UnitedHealth Group that processes approximately 15 billion healthcare transactions annually, roughly one-third of all US healthcare claims. The attack disrupted claims processing, pharmacy operations, and payment systems across the entire US healthcare ecosystem for weeks to months, and ultimately exposed protected health information of approximately 100 million individuals.

UnitedHealth Group CEO Andrew Witty confirmed the company paid a $22 million ransom to ALPHV/BlackCat. The total financial impact exceeded $3.1 billion in direct costs through Q3 2024.

How They Got In

Attackers gained initial access using stolen credentials on a Change Healthcare Citrix remote access portal that did not have multi-factor authentication enabled. Once inside, the attackers moved laterally through the network for approximately nine days before deploying ransomware on February 21.

UnitedHealth Group CEO Witty testified before Congress that the Citrix portal lacked MFA, a basic security control that would likely have prevented the initial compromise.

Healthcare System Disruption

Claims processing halted for weeks across thousands of hospitals, clinics, and pharmacies nationwide. Pharmacies could not process insurance claims, forcing patients to pay out-of-pocket or go without medications. Providers could not submit claims or receive payments, creating cash flow crises for smaller practices. Some providers reported being unable to process claims for over 100 days. Military pharmacies serving TRICARE were also affected.

Exposed Data

The breach exposed health insurance information including member IDs, plan details, and Medicaid/Medicare IDs. Medical records with diagnoses, medications, test results, and treatment records were compromised. Billing and claims data including claim numbers, account numbers, and billing codes were accessed. Personal information such as names, addresses, dates of birth, phone numbers, and email addresses was stolen, along with banking information for claims payments and Social Security numbers for a subset of affected individuals.

Timeline

February 12, 2024: Attackers gain initial access via stolen Citrix credentials.
February 21, 2024: Ransomware is deployed; Change Healthcare takes systems offline.
February 29, 2024: UnitedHealth confirms ALPHV/BlackCat’s responsibility.
March 1, 2024: ALPHV claims to have received the $22 million ransom payment.
March 5, 2024: ALPHV conducts an apparent exit scam, and the affiliate threatens to leak data.
March 2024: HHS launches an investigation, and CMS issues accelerated payment programs for affected providers.
April 22, 2024: UnitedHealth confirms data theft affecting “a substantial proportion of people in America”.
May 1, 2024: The CEO testifies before the Senate Finance Committee.
June 2024: Claims processing services are largely restored.
Q3 2024: Total direct costs exceed $3.1 billion.
October 2024: UnitedHealth confirms approximately 100 million individuals were affected.

Regulatory and Industry Impact

HHS proposed new HIPAA Security Rule updates in December 2024, citing Change Healthcare as a catalyst. Proposed requirements include mandatory MFA, network segmentation, encryption, and 72-hour restoration capabilities. Congressional hearings examined UnitedHealth’s security practices and the concentration risk of a single company processing one-third of US healthcare claims. The incident demonstrated that ransomware attacks on healthcare infrastructure are effectively attacks on public health. ALPHV/BlackCat conducted an apparent exit scam after receiving the ransom, and the affiliate who conducted the attack threatened to release the data independently.

Key Lessons

MFA on all remote access is non-negotiable: this breach was preventable with a basic security control. Concentration risk in healthcare infrastructure creates systemic vulnerability, since one company’s compromise affected the entire US healthcare system. Ransomware payments do not guarantee data protection: ALPHV took the money and the affiliate still threatened to leak the data. Business continuity planning must account for extended outages of critical third-party services.