On February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group and one of the largest healthcare payment processing companies in the United States, suffered a ransomware attack that would become the most consequential cybersecurity incident in American healthcare history. The BlackCat/ALPHV ransomware group compromised Change Healthcare's systems, triggering a shutdown that disrupted pharmacy operations, insurance claims processing, and healthcare payments across the entire country for weeks.
The Scale of Disruption
Change Healthcare processes approximately 15 billion healthcare claims annually, handling around one-third of all U.S. patient records. Their systems facilitate electronic prescriptions, insurance verification, claims submission, and payment processing for pharmacies, hospitals, clinics, and insurance companies nationwide.
When Change Healthcare took their systems offline to contain the attack, the cascading effects were immediate. Pharmacies could not verify insurance coverage or process electronic prescriptions. Hospitals and clinics could not submit claims or receive payments. Small healthcare providers, operating on thin margins, faced cash flow crises within days.
The American Hospital Association (AHA) called it the "most significant and consequential incident of its kind against the U.S. health care system in history." Some healthcare providers reported that they were unable to process claims for weeks, and small practices and rural hospitals were pushed to the brink of closure by the revenue disruption.
How the Attackers Got In
In testimony before the Senate Finance Committee in May 2024, UnitedHealth Group CEO Andrew Witty revealed that the attackers gained initial access through compromised credentials for a Citrix remote access portal that did not have multi-factor authentication enabled.
Once again, the initial vector was depressingly simple. A critical healthcare infrastructure company processing data for 100 million Americans was compromised because a remote access portal lacked MFA. The attackers used the stolen credentials to access Change Healthcare's network, moved laterally through the environment, exfiltrated data, and deployed the BlackCat/ALPHV ransomware.
Witty estimated that approximately one-third of all Americans may have had their health data exposed in the breach. In October 2024, UnitedHealth confirmed that the breach affected over 100 million individuals, making it the largest healthcare data breach ever reported to HHS.
The Ransom Payment and Double Extortion
In March 2024, a Bitcoin transaction of approximately $22 million was observed going to a wallet associated with ALPHV/BlackCat. UnitedHealth Group later confirmed that they paid a ransom, with Witty telling Congress it was made "in the interest of the patients whose data may have been compromised."
But the story took a twist. Shortly after the ransom payment, BlackCat/ALPHV appeared to conduct an exit scam on their own affiliates. The group posted a fake law enforcement seizure notice on their dark web site and disappeared with the ransom money, allegedly without sharing the proceeds with the affiliate who actually carried out the attack.
The scorned affiliate, operating under the name "Notchy," then claimed to still possess the stolen Change Healthcare data and threatened to leak it unless they were paid separately. This led to a second extortion attempt through a different ransomware group called RansomHub, where the stolen data was listed for sale. Reports indicate UnitedHealth may have made a second payment to address this threat.
The entire debacle illustrated the fundamental unreliability of ransomware negotiation. Even when you pay, there is no guarantee of data deletion, and the fragmented, affiliate-based structure of modern RaaS operations means that multiple parties may independently hold copies of the same stolen data and extort the victim with it.
Financial Impact
The financial toll was staggering. UnitedHealth Group reported that the Change Healthcare attack cost them approximately $872 million in the first quarter of 2024 alone, with total projected costs exceeding $1.6 billion for the year. This included direct incident response costs, business disruption, customer support programs (including interest-free loans to affected healthcare providers), and the ransom payment itself.
Beyond UnitedHealth's direct costs, the downstream economic impact on healthcare providers was immense. The AHA estimated that hospitals lost an average of $1 million per day during the outage. Small and mid-size practices were particularly hard hit, with some reporting that they went weeks without being able to collect payments.
Regulatory and Legislative Fallout
The Change Healthcare attack accelerated multiple legislative and regulatory initiatives. The HHS Office for Civil Rights opened an investigation into potential HIPAA violations. Congressional hearings examined why a company processing healthcare data for a third of Americans did not have MFA on all remote access portals.
Senator Mark Warner reintroduced the Health Care Cybersecurity Improvement Act, which would require minimum cybersecurity standards for healthcare companies and condition Medicare payments on meeting those standards. HHS proposed updates to the HIPAA Security Rule that would make specific technical controls (including MFA) mandatory rather than "addressable."
The incident also renewed debates about healthcare industry consolidation. Change Healthcare's merger with Optum (a UnitedHealth subsidiary) in 2022 had concentrated an enormous amount of healthcare processing infrastructure in a single entity. When that entity went down, there was no fallback. The systemic risk created by this concentration was exactly what critics of the merger had warned about.
Lessons for Every Industry
While this was a healthcare-specific incident, the lessons apply broadly. Critical infrastructure providers that process data for millions of people have an obligation to implement baseline security controls. MFA on remote access is not optional. Network segmentation between systems that process different types of data is not optional. Tested backup and recovery procedures that can restore operations within hours, not weeks, are not optional.
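The three controls above can be expressed as a policy gate that runs over an asset inventory and fails the build or deployment when any of them is missing. The Python below is an added example, not code from the original page or from Safeguard.sh; the asset names, zone names, the restricted-zone list and the 90-day restore-test threshold are all constructed for illustration.

```python
"""Policy gate over an asset inventory (added example, constructed data).

Checks the baseline controls the text calls non-optional:
  1. every remote access portal requires MFA,
  2. internet-facing assets have no direct path into zones holding regulated data,
  3. every backup has a recent, successful restore test.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Zones that hold regulated data; an internet-facing asset must not reach them
# directly (constructed policy for this example).
RESTRICTED_ZONES = {"claims-db", "payments"}
# Restore tests older than this fail the backup policy (constructed threshold).
MAX_RESTORE_TEST_AGE = timedelta(days=90)
# Date the gate is evaluated against (constructed; matches the incident date).
AS_OF = date(2024, 2, 21)


@dataclass
class Asset:
    name: str
    kind: str                                   # "remote_access", "backup", "service"
    internet_facing: bool = False
    mfa_enabled: bool = False
    reachable_zones: Set[str] = field(default_factory=set)
    last_restore_test: Optional[date] = None


def check_mfa(asset: Asset) -> Optional[str]:
    """Every remote access portal must require MFA."""
    if asset.kind == "remote_access" and not asset.mfa_enabled:
        return f"{asset.name}: remote access portal without MFA"
    return None


def check_segmentation(asset: Asset) -> Optional[str]:
    """Internet-facing assets must not reach restricted zones directly."""
    if asset.internet_facing:
        crossing = asset.reachable_zones & RESTRICTED_ZONES
        if crossing:
            return f"{asset.name}: internet-facing asset reaches {sorted(crossing)}"
    return None


def check_restore_test(asset: Asset, today: date) -> Optional[str]:
    """Backups must have been restore-tested within MAX_RESTORE_TEST_AGE."""
    if asset.kind != "backup":
        return None
    if asset.last_restore_test is None:
        return f"{asset.name}: backup never restore-tested"
    age = today - asset.last_restore_test
    if age > MAX_RESTORE_TEST_AGE:
        return f"{asset.name}: last restore test {age.days} days ago"
    return None


def evaluate(inventory: List[Asset], today: date) -> List[str]:
    """Return every policy violation; an empty list means the gate passes."""
    violations = []
    for asset in inventory:
        for finding in (check_mfa(asset),
                        check_segmentation(asset),
                        check_restore_test(asset, today)):
            if finding:
                violations.append(finding)
    return violations


# Constructed inventory; names are placeholders, not real systems.
SAMPLE_INVENTORY = [
    Asset("vpn-portal-a", "remote_access", internet_facing=True, mfa_enabled=False,
          reachable_zones={"claims-db", "office"}),
    Asset("vpn-portal-b", "remote_access", internet_facing=True, mfa_enabled=True,
          reachable_zones={"office"}),
    Asset("claims-backup", "backup", last_restore_test=date(2023, 10, 1)),
    Asset("claims-api", "service", reachable_zones={"claims-db"}),
]

if __name__ == "__main__":
    findings = evaluate(SAMPLE_INVENTORY, AS_OF)
    for finding in findings:
        print("FAIL", finding)
    raise SystemExit(1 if findings else 0)
```

The gate exits non-zero on any violation so it can sit in a CI or change-management pipeline; the segmentation check is deliberately a reachability check rather than a firewall-rule parse, because the question that matters after a credential compromise is whether the portal's network position gives an attacker a direct route to regulated data.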
The Change Healthcare incident also demonstrated that attackers increasingly target the infrastructure layer (payment processors, claims clearinghouses, and middleware companies) rather than individual hospitals or clinics. Compromising one infrastructure provider can disrupt an entire industry.
How Safeguard.sh Helps
Safeguard.sh provides the continuous visibility and policy enforcement that organizations need to prevent incidents like the Change Healthcare breach. Our platform monitors your software inventory for known vulnerabilities and insecure configurations, including unpatched remote access tools and portals that lack MFA. Policy gates can enforce requirements like MFA-enabled access points and current patch levels before software reaches production. For organizations in regulated industries, Safeguard.sh provides the compliance documentation and audit trails that demonstrate due diligence to regulators, helping you prove that you met your security obligations before an incident rather than scrambling to demonstrate it afterward.