On February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group that processes approximately 15 billion healthcare transactions annually, was hit by a ransomware attack that would become the most consequential healthcare cyber incident in American history. The attack paralyzed healthcare payment processing across the United States for weeks, prevented pharmacies from filling prescriptions, delayed insurance claims for months, and ultimately exposed the personal health information of over 100 million Americans.
The attack was carried out by an affiliate of the ALPHV/BlackCat ransomware-as-a-service operation. UnitedHealth Group CEO Andrew Witty confirmed to Congress that the company paid a $22 million ransom. The attackers gained initial access with compromised credentials through a Citrix remote access portal that did not enforce multi-factor authentication.
The Scale of Change Healthcare
To understand the magnitude of this breach, you need to understand what Change Healthcare does. The company serves as critical infrastructure for the American healthcare system. It processes insurance eligibility checks, claims submissions, payment processing, and prescription transactions for hospitals, pharmacies, physicians, and insurers nationwide.
Change Healthcare handles approximately 50% of all medical claims in the United States. When it went offline, the ripple effect was immediate and devastating:
- Pharmacies could not verify insurance coverage and began turning patients away or requiring cash payment
- Hospitals could not submit claims, creating a cash flow crisis that threatened the solvency of smaller providers
- Insurance eligibility checks failed, leaving patients unable to confirm their coverage
- Prior authorization requests could not be processed, delaying treatments
- Electronic prescriptions could not be transmitted to pharmacies
The American Hospital Association called it "the most significant and consequential incident of its kind against the U.S. health care system in history."
The Attack Chain
UnitedHealth Group CEO Andrew Witty provided detailed testimony about the attack to Congressional committees in May 2024. The attack chain was disturbingly straightforward:
Initial access: On February 12, 2024, the attackers used stolen credentials to log into a Citrix remote access portal on Change Healthcare's network. The portal did not require multi-factor authentication. Witty testified that the company had been in the process of implementing MFA across all external-facing systems but had not yet completed the rollout for this particular portal.
Lateral movement: Once inside, the attackers spent approximately nine days moving laterally through Change Healthcare's network, escalating privileges and mapping the environment. During this period they located and exfiltrated data; ALPHV/BlackCat later claimed the haul amounted to roughly 6 terabytes, a figure UnitedHealth did not independently confirm.
Ransomware deployment: On February 21, the attackers deployed the ALPHV/BlackCat ransomware, encrypting systems across Change Healthcare's infrastructure and rendering the payment processing platform inoperable.
The nine-day dwell time before encryption meant the attackers had ample time to identify and steal the most sensitive data in the environment. The exfiltrated data, whatever its exact volume, included a staggering breadth of personal health information.
The Data Breach
The compromised data, which UnitedHealth disclosed affected approximately 100 million individuals, included:
- Names, addresses, dates of birth, phone numbers
- Social Security numbers
- Health insurance information including plan details and member IDs
- Medical information including diagnoses, treatments, and test results
- Billing and claims information
- Financial and banking information used for claims processing
For context, the U.S. population is approximately 330 million. The Change Healthcare breach compromised the health data of roughly one in three Americans. It surpassed the previous largest healthcare breach, the Anthem breach of 2015 (78.8 million records), by a wide margin.
The Ransom Payment Saga
The ransom situation was unusually convoluted. UnitedHealth paid $22 million in Bitcoin to the ALPHV/BlackCat group. But instead of splitting the payment with the affiliate who carried out the attack, the ALPHV/BlackCat operators apparently performed an exit scam: they kept the full payment, posted a fake law-enforcement seizure notice on their leak site, and shut down their infrastructure.
The affiliate who conducted the attack, left without their share, then threatened to release the stolen data anyway. They resurfaced under a new ransomware operation called RansomHub and posted samples of the stolen data, effectively extorting UnitedHealth a second time.
This was a worst-case outcome. UnitedHealth paid $22 million and still faced a second extortion demand, because the data remained in the hands of an affiliate who had every incentive to monetize it. The episode demonstrated the fundamental unreliability of ransomware negotiations: a payment buys, at best, a promise from a criminal, and nothing enforces that promise.
Congressional Scrutiny
The scale of the breach drew intense Congressional attention. UnitedHealth Group CEO Andrew Witty was called to testify before both the Senate Finance Committee and the House Energy and Commerce Committee.
Key revelations from the testimony:
- The Citrix portal lacking MFA was a known gap that was being addressed but had not been completed
- Change Healthcare's systems had not been fully integrated into UnitedHealth's security infrastructure following the 2022 acquisition
- The $22 million ransom payment was authorized by Witty personally
- UnitedHealth spent over $1.6 billion on response costs in the first six months after the attack
Senators and Representatives from both parties criticized UnitedHealth for what they characterized as basic security failures at a company processing healthcare data for a third of the country. The incident renewed calls for mandatory cybersecurity standards in healthcare.
Impact on Healthcare Providers
The operational impact on healthcare providers was severe and prolonged. Small and medium-sized healthcare practices were hit hardest because they often lack the cash reserves to survive extended disruptions in claims payment.
The American Medical Association surveyed practices in the aftermath and found:
- 80% of practices reported lost revenue due to the outage
- 55% had to use personal funds to cover practice expenses
- 36% reported suspended claims payments
- Some practices reported being unable to make payroll
UnitedHealth established a temporary financial assistance program, providing accelerated payments and interest-free loans to affected providers. But the program was criticized as insufficient, and smaller practices that were already operating on thin margins faced existential financial pressure.
The incident exposed the dangerous concentration in healthcare payment processing. Change Healthcare's dominance meant that a single point of failure could cascade across the entire healthcare system. There was no fallback processing pathway for the majority of affected transactions.
The MFA Lesson, Again
The initial access vector, a Citrix portal without MFA, was a painfully familiar failure. The same basic control gap, a remote access service reachable from the internet with a password alone, has been the entry point for many other breaches, including the 2021 Colonial Pipeline attack, where the attackers logged into a legacy VPN account that likewise lacked MFA.
What made this case particularly galling was that UnitedHealth Group is one of the largest companies in the world, with revenue exceeding $370 billion and a substantial cybersecurity budget. The company knew that MFA was required and was in the process of deploying it. But the deployment was not complete, and the attackers found the gap before the project finished.
This is not a technology problem. FIDO2 security keys, authenticator apps, and other MFA technologies are mature, widely available, and relatively inexpensive. The problem is organizational: the discipline to ensure that every single external-facing access point is protected, with no exceptions, no gaps, and no systems that are "in progress" but not yet covered.
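The organizational discipline described above reduces to a question that can be asked of an inventory mechanically: is every internet-facing login endpoint provably behind MFA right now, with "in progress", "unknown", expired exceptions and endpoints nobody inventoried all counted as failures? The following gate is an added example written for this page; it is not code from UnitedHealth, Change Healthcare, or Citrix, and the endpoint records, hostnames and statuses in it are constructed for illustration. The status vocabulary and the exception-expiry rule are assumptions of the example, not a published standard.

```python
# Added example: an MFA coverage gate over an inventory of login endpoints,
# cross-checked against hostnames seen by an external attack-surface scan.
# Inventory records, hostnames and statuses below are constructed; the
# status values and exception rule are this example's own assumptions.
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class Endpoint:
    name: str
    hostname: str
    internet_facing: bool
    mfa: str                                # "enforced" | "in_progress" | "none" | "unknown"
    exception_until: Optional[date] = None  # approved, time-boxed risk exception, if any


ACCEPTABLE_MFA_STATES = {"enforced"}        # partial rollout is not coverage


def mfa_gaps(inventory: Iterable[Endpoint], discovered_hosts: Iterable[str], today: date) -> list[str]:
    """Return one finding per internet-facing endpoint that is not provably MFA-protected.

    Rules: any state other than "enforced" is a gap (including "in_progress");
    an approved exception suppresses the finding only until its expiry date;
    a hostname seen externally but missing from the inventory is a gap, because
    nobody can attest to its MFA state.
    """
    findings: list[str] = []
    known_hosts: set[str] = set()
    for ep in inventory:
        known_hosts.add(ep.hostname.lower())
        if not ep.internet_facing or ep.mfa in ACCEPTABLE_MFA_STATES:
            continue
        if ep.exception_until is not None and ep.exception_until >= today:
            continue  # documented, time-boxed, still valid: tracked, not a finding
        if ep.exception_until is not None:
            findings.append(
                f"{ep.name} ({ep.hostname}): MFA exception expired "
                f"{ep.exception_until.isoformat()}, status={ep.mfa}"
            )
        else:
            findings.append(f"{ep.name} ({ep.hostname}): MFA status={ep.mfa}")
    # Anything reachable from the internet that the inventory does not know about.
    for host in sorted({h.lower() for h in discovered_hosts}):
        if host not in known_hosts:
            findings.append(f"unmanaged endpoint {host}: exposed externally but not in inventory")
    return findings


def gate_passes(inventory: Iterable[Endpoint], discovered_hosts: Iterable[str], today: date) -> bool:
    """True only when there is not a single gap; intended as a CI/CD or change-board check."""
    return not mfa_gaps(inventory, discovered_hosts, today)


# Constructed sample inventory (hostnames use the reserved .test TLD).
SAMPLE_INVENTORY = [
    Endpoint("Citrix remote access", "remote.example.test", True, "in_progress"),
    Endpoint("Corporate VPN", "vpn.example.test", True, "enforced"),
    Endpoint("Legacy claims portal", "claims-old.example.test", True, "none",
             exception_until=date(2024, 1, 31)),
    Endpoint("Internal wiki", "wiki.corp.example.test", False, "none"),
]
# Constructed result of an external attack-surface scan.
SAMPLE_DISCOVERED = ["remote.example.test", "vpn.example.test",
                     "claims-old.example.test", "sftp.example.test"]


def run_sample(today_iso: str = "2024-02-12") -> list[str]:
    """Evaluate the constructed inventory as of the given date."""
    return mfa_gaps(SAMPLE_INVENTORY, SAMPLE_DISCOVERED, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding in run_sample():
        print("FAIL:", finding)
    print("gate passes:", gate_passes(SAMPLE_INVENTORY, SAMPLE_DISCOVERED, date(2024, 2, 12)))
```

Run against the constructed data as of 12 February 2024, the gate reports three gaps: the portal whose MFA rollout is "in progress", the legacy portal whose exception lapsed at the end of January, and an SFTP host the scan found but the inventory never listed. Run as of 15 January 2024, the legacy portal's exception is still valid and only two gaps remain. The point of the design is that the gate has no notion of "almost covered": the only way to make it pass is to enforce MFA, retire the endpoint, or record a dated exception that someone has to renew.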
Regulatory Aftermath
The breach accelerated regulatory action on healthcare cybersecurity:
- HHS proposed updates to HIPAA security rules requiring specific technical controls including MFA
- Congressional bills were introduced to mandate minimum cybersecurity standards for healthcare organizations processing certain volumes of data
- The HHS Office for Civil Rights opened an investigation into UnitedHealth's HIPAA compliance
- Multiple state attorneys general opened investigations
The Change Healthcare breach may ultimately be the catalyst for the healthcare industry's long-overdue cybersecurity reckoning.
How Safeguard.sh Helps
The Change Healthcare breach demonstrates what happens when critical infrastructure lacks basic security visibility and controls. Safeguard.sh helps organizations prevent this category of failure:
- Complete infrastructure inventory ensures you know every external-facing access point, application, and service in your environment, and the protection state of each, so a known gap cannot sit unaddressed on a rollout plan until an attacker finds it, as happened in this breach.
- Security configuration monitoring verifies that deployed software meets security requirements like MFA enforcement, alerting you when gaps exist before attackers find them.
- Vulnerability management correlates your software inventory against known vulnerabilities in real-time, prioritizing the issues that represent actual exploitable risk in your environment.
- Supply chain risk assessment evaluates concentration risk in your vendor dependencies, helping you identify single points of failure like Change Healthcare before a disruption reveals them catastrophically.
One hundred million Americans had their health data exposed because a single Citrix portal lacked multi-factor authentication. Safeguard.sh ensures that no component in your software supply chain goes unmonitored or unsecured.