Change Healthcare Ransomware 2024: Deep Dive

The Change Healthcare ransomware attack knocked US healthcare payments offline for weeks. UnitedHealth confirmed that the attackers walked in through a Citrix remote access portal that did not enforce MFA.

Shadab Khan
Security Engineer
The Change Healthcare ransomware attack of February 2024 is the largest healthcare payments outage in US history and one of the clearest examples of what happens when a critical infrastructure operator is also a concentrated single point of failure. UnitedHealth Group, the parent of Change Healthcare, confirmed in congressional testimony that initial access came through a Citrix remote access portal on which multi-factor authentication was not enforced. This post walks through what UnitedHealth and federal regulators have confirmed, the cascading impact on providers, and what defenders who run any legacy remote access should be doing now.

What Happened at Change Healthcare?

Change Healthcare, the clearinghouse that processes roughly one-third of US medical claims and a large share of ePrescription traffic, was hit with ransomware on February 21, 2024 by the ALPHV/BlackCat group. The attack forced the company to take its systems offline, which immediately disrupted pharmacy claims, provider payments, eligibility checks, and prior authorization flows across the United States. Some small independent pharmacies went days without any claim processing. Many providers went weeks without insurance payments.

UnitedHealth Group CEO Andrew Witty testified before the Senate Finance Committee on May 1, 2024, confirming that the attackers entered via a Citrix remote access portal that did not require multi-factor authentication, that they then spent roughly nine days inside the network before executing the ransomware payload, and that the company paid a ransom. Reporting by Reuters, WIRED, and others documented a 350 Bitcoin (approximately USD 22 million) payment to an ALPHV-linked wallet, followed by an apparent exit scam by ALPHV's operators: the affiliate known as "notchy" claimed the operators kept the payment without sharing it, said they still held the stolen data, and the data later surfaced with a successor operation, RansomHub.

What Is the Confirmed Timeline?

The timeline stitched together from United's testimony, HHS advisories, and court filings is as follows:

  • February 12, 2024: ALPHV/BlackCat affiliates use compromised credentials to log in to a Change Healthcare Citrix portal that lacks MFA.
  • February 12 - 21, 2024: Attackers dwell and move laterally. They exfiltrate data that HHS later confirmed covered at least 100 million individuals, making this the largest HIPAA breach ever reported.
  • February 21, 2024: Ransomware is executed. Change Healthcare isolates systems. The US health sector feels the outage almost immediately.
  • February 22 - March 7, 2024: CISA, HHS, and the AHA publish advisories. Pharmacies switch to cash-pay or manual workflows.
  • March 1, 2024: Public wallet tracking by researchers identifies a 350 BTC payment to an ALPHV-linked address.
  • March 5, 2024: ALPHV infrastructure goes dark in what appears to be an exit scam. Affiliate "notchy" claims to still hold the data.
  • April 2024: RansomHub lists Change Healthcare data for sale, apparently from the same set "notchy" retained.
  • May 1, 2024: Andrew Witty testifies. He confirms the absence of MFA on the Citrix portal, confirms the ransom payment, and estimates that data on perhaps a third of Americans was taken.
  • October 24, 2024: HHS Office for Civil Rights lists the breach at 100 million individuals on its breach portal. (UnitedHealth revised the count upward, to approximately 190 million, in January 2025.)

What Was the Root Cause, Publicly Reported?

The root cause chain, in United's own words, was straightforward:

  • The attacker obtained valid credentials for a Citrix user. UnitedHealth has not publicly said how those credentials were obtained, but infostealer logs sold on criminal marketplaces and credential reuse are the common initial-access vectors ransomware affiliates rely on.
  • The specific Citrix portal in question did not enforce multi-factor authentication. Witty's testimony described MFA as missing on that server specifically, not across the organization.
  • Once inside, the attackers had sufficient network reach to move laterally without triggering the controls that would have been expected at a healthcare clearinghouse of this size.
  • The environment inherited from UnitedHealth's acquisition of Change Healthcare, which closed in October 2022, had not been fully integrated into UnitedHealth's security program at the time of the attack, a fact Witty acknowledged publicly.

There was no novel zero-day, no sophisticated supply chain compromise of a build pipeline, and no kernel exploit. A publicly accessible remote access appliance with a password-only login was the front door.

What Are the Supply Chain Implications?

Change Healthcare is a software supply chain incident even though no code was tampered with, because the company is software infrastructure for the US healthcare industry. The outage illustrated three supply chain lessons:

  • Concentration risk is a security property. When one vendor handles one in three US medical claims, the ransomware blast radius is national. Most hospitals assumed the clearinghouse layer was diverse and redundant. It was not.
  • Acquired environments inherit risk for years. The 2022 UnitedHealth acquisition of Change Healthcare was only partly integrated at the time of the attack. This is true at most large organizations post-M&A, and it is where attackers look first.
  • Downstream customers bear the operational blast radius. Thousands of pharmacies and provider practices had to implement emergency manual workflows because a vendor they never chose directly (their insurer chose a clearinghouse upstream) went down.

For software vendors, the takeaway is that your customers' customers are your blast radius. If your platform is the clearing layer, you owe the industry a far higher standard of hygiene than a typical SaaS company.

What Should Defenders Do Now?

Defenders should treat Change Healthcare as a forcing function to rip out password-only remote access and tighten third-party risk assessment around concentrated SaaS providers.

  • Inventory every remote access surface: Citrix, legacy VPN concentrators, jump boxes, RDP gateways, vendor-specific portals. Enforce phishing-resistant MFA on every single one without exception.
  • Assume infostealer-obtained credentials exist for your organization right now. Monitor stealer log marketplaces for your domain and force password rotations when hits appear.
  • Segment your network so that compromise of a Citrix or VPN endpoint does not grant lateral reach to domain controllers or production databases. Nine days of dwell is a long time when there is nothing between the jumpbox and the crown jewels.
  • Integrate acquired companies on a clock. If an acquisition is more than a year old and its identity, EDR, and logging are not fully merged into the parent organization, that is a board-level risk.
  • Concentration risk is real for your software dependencies too. Map where you have single-vendor exposure that would take your business offline for a week. Change Healthcare customers did not realize they had that exposure until February 21, 2024.
  • For healthcare specifically, align with HHS-recommended HICP practices and the voluntary cybersecurity performance goals. The regulatory climate is tightening, and HHS has signaled that further prescriptive rules are coming.
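As an added illustration (this is not code from UnitedHealth, Citrix, or Safeguard.sh), the following Python script runs the first two items above over constructed remote-access authentication events. It classifies each portal by the weakest factor set it was ever observed to accept, which separates password-only logins from MFA that is not phishing-resistant (TOTP, push, SMS), and it cross-references password-only sessions against a constructed stealer-log hit list to produce the rotation list. The JSON-lines format, field names, hostnames, and usernames are assumptions made for the example; a real Citrix Gateway, VPN, or identity provider export needs its own field mapping.

```python
"""Audit remote-access auth events for password-only and phishable-MFA logons.

Added example for this post; not code from UnitedHealth, Citrix, or Safeguard.sh.
The event schema below is constructed for illustration. Each line is one
authentication attempt; `factors` lists the factors actually verified.
"""
import json
from collections import defaultdict

# Constructed sample events (hostnames, users and IPs are made up).
SAMPLE_EVENTS = """\
{"ts":"2024-02-12T03:14:07Z","portal":"citrix-legacy.example.net","user":"svc-claims","src_ip":"203.0.113.45","result":"success","factors":["password"]}
{"ts":"2024-02-12T03:20:41Z","portal":"citrix-legacy.example.net","user":"svc-claims","src_ip":"203.0.113.45","result":"success","factors":["password"]}
{"ts":"2024-02-12T09:02:11Z","portal":"vpn.example.net","user":"jdoe","src_ip":"198.51.100.7","result":"success","factors":["password","fido2"]}
{"ts":"2024-02-13T10:45:00Z","portal":"rdgw.example.net","user":"asmith","src_ip":"198.51.100.9","result":"success","factors":["password","totp"]}
{"ts":"2024-02-13T11:00:00Z","portal":"citrix-legacy.example.net","user":"bjones","src_ip":"198.51.100.12","result":"failure","factors":["password"]}
{"ts":"2024-02-14T22:31:55Z","portal":"vendor-portal.example.net","user":"vendor01","src_ip":"192.0.2.88","result":"success","factors":["password"]}
"""

# Constructed stealer-log hits: accounts for our domain seen in credential dumps.
STEALER_HITS = {"svc-claims", "cfo-assistant"}

# Factors we treat as phishing-resistant. Everything else that is not a
# password (totp, push, sms) counts as MFA, but as phishable MFA.
STRONG_FACTORS = {"fido2", "webauthn", "smartcard", "piv"}

# Higher rank = worse posture. A portal is scored by its worst observed session.
RANK = {"phishing-resistant": 0, "phishable-mfa": 1, "password-only": 2}


def parse_events(text):
    """Parse JSON-lines auth events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def session_level(factors):
    """Classify one successful session by the factors that were verified.

    An empty factor list is treated as password-only: no second factor was
    checked, which is the condition this audit exists to find.
    """
    factors = set(factors)
    if factors <= {"password"}:
        return "password-only"
    if factors & STRONG_FACTORS:
        return "phishing-resistant"
    return "phishable-mfa"


def classify_portals(events):
    """Worst auth posture ever accepted by each portal, over successful sessions.

    Failed attempts are ignored: a password-only *failure* says nothing about
    whether the portal would have demanded a second factor on success.
    """
    posture = {}
    for ev in events:
        if ev["result"] != "success":
            continue
        level = session_level(ev["factors"])
        current = posture.get(ev["portal"])
        if current is None or RANK[level] > RANK[current]:
            posture[ev["portal"]] = level
    return posture


def stealer_exposed_sessions(events, hits):
    """Successful password-only sessions for accounts present in stealer logs.

    These are the top-priority rotations: a leaked password was sufficient on
    its own to get in, so the account must be assumed already used.
    """
    return [
        (ev["ts"], ev["portal"], ev["user"], ev["src_ip"])
        for ev in events
        if ev["result"] == "success"
        and ev["user"] in hits
        and session_level(ev["factors"]) == "password-only"
    ]


def audit(text, hits=STEALER_HITS):
    """Run both checks over a JSON-lines export and return a report dict."""
    events = parse_events(text)
    per_level = defaultdict(list)
    posture = classify_portals(events)
    for portal, level in posture.items():
        per_level[level].append(portal)
    return {
        "posture": posture,
        "by_level": dict(per_level),
        "stealer_exposed": stealer_exposed_sessions(events, hits),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EVENTS)
    for portal, level in sorted(report["posture"].items()):
        print(f"{portal:32} {level}")
    for ts, portal, user, ip in report["stealer_exposed"]:
        print(f"ROTATE NOW: {user} on {portal} from {ip} at {ts}")
```

On the constructed input the legacy Citrix host and the vendor portal come out as password-only, the RDP gateway as phishable MFA, and the VPN as phishing-resistant; the two svc-claims sessions are the rotation list. The scoring by worst observed session matters in practice: a portal that usually prompts for a second factor but has one bypass group or one legacy auth policy bound still shows up as password-only, which is exactly the "MFA missing on that server specifically" condition Witty described.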

What Are the Broader Lessons for the Industry?

Three lessons. First, MFA everywhere is still not done. In 2024, a critical US healthcare clearinghouse was compromised because one Citrix server did not require a second factor. Any security program that has not literally verified every remote access path has a hole. Second, ransomware payment did not work. United paid, the affiliate kept the data, and the data ended up extorted twice under a successor brand. The industry should stop assuming payment ends incidents. Third, customers and regulators will increasingly price concentrated SaaS risk into procurement. Expect more contractual MFA requirements, resilience testing, and ability-to-operate clauses in healthcare and financial services contracts. Safeguard practitioners should be drafting those clauses now.

How Safeguard.sh Helps

Safeguard.sh reduces the chance that a password-only remote access portal slips through an inventory audit, and shrinks the blast radius if one does. Reachability analysis correlates your identity, network, and dependency graphs to surface the 60-80% of findings that map to actually exploitable paths, like a Citrix surface reachable from the internet with no MFA policy bound. Griffin AI autonomously enforces MFA, rotates credentials flagged in stealer logs, and quarantines vendor assets that drift out of policy without waiting for a ticket. SBOM generation and ingest documents every third-party component in your provider stack, while TPRM workflows score concentrated SaaS exposure the way Change Healthcare customers wish they had measured clearinghouse risk. With 100-level dependency depth we follow transitive trust from a vendor portal all the way to the claim-processing service, and container self-healing keeps the jump hosts and remote access infrastructure patched automatically rather than as a quarterly project.
