Change Healthcare Attack

Summary

The 2024 Change Healthcare ransomware attack, attributed to the ALPHV/BlackCat group, crippled healthcare operations across the US. The attack resulted in data exfiltration impacting up to 190 million individuals and caused significant financial and operational disruption. This incident underscores the vulnerability of the healthcare sector to cyberattacks and the need for enhanced cybersecurity measures.


Main Story

The 2024 Change Healthcare ransomware attack sent shockwaves throughout the US healthcare system. This incident, attributed to the ALPHV/BlackCat ransomware group, significantly disrupted operations and exposed the sensitive data of millions of Americans. Here’s an in-depth look at the attack, its impact, and the lessons learned.

The Attack Unfolds

On February 21, 2024, Change Healthcare, a major healthcare technology provider and subsidiary of UnitedHealth Group, discovered a ransomware attack within its systems. The ALPHV/BlackCat group, a notorious Russian ransomware operation, later claimed responsibility. The attackers exploited a vulnerability in Change Healthcare’s network, spending nine days infiltrating systems and exfiltrating data before deploying the ransomware. This attack encrypted crucial files, crippling many of Change Healthcare’s services, which are integral to the US healthcare system. These services include claims processing, benefits verification, and prior authorization—functions upon which countless medical facilities, physicians, and pharmacies depend.

Widespread Impact and Ransom Payment

The attack’s consequences were immediate and far-reaching. Healthcare providers across the nation experienced major disruptions to their revenue cycles as claims processing ground to a halt. Patient care also suffered, with delays in authorizations for essential medical services. An American Hospital Association survey revealed the extent of the damage: 74% of hospitals reported a direct impact on patient care, 94% reported financial impacts, and 60% needed weeks or even months to resume normal operations. Financially, the attack cost UnitedHealth Group between \$1.35 billion and \$1.6 billion, and \$6 billion in advanced funding and loans were funneled to affected healthcare providers. In a controversial move, Change Healthcare paid a ransom of \$22 million in Bitcoin to the attackers. However, this proved to be a costly mistake: the ALPHV/BlackCat group pulled an “exit scam,” vanishing without returning the stolen data, which led to the potential involvement of another ransomware group, RansomHub.

Data Breach and Ongoing Notifications

The attack was not limited to operational disruption. The attackers also stole a massive trove of sensitive data, including names, contact information, dates of birth, social security numbers, and medical information. Initially estimated to affect 100 million individuals, the final number of those impacted reached a staggering 190 million, making it the largest healthcare data breach in history. This data was offered for sale online starting in April 2024, and affected individuals only began receiving notifications in late July of the same year.

The Fallout and Lessons Learned

The Change Healthcare attack serves as a stark reminder of the vulnerability of the healthcare sector to cyberattacks. It exposed critical weaknesses in cybersecurity defenses and highlighted the devastating consequences of such incidents.

  • The Importance of Cybersecurity Preparedness: The attack underscored the need for robust cybersecurity measures, including regular security assessments, employee training, and incident response plans.
  • The Risk of Third-Party Vendors: The incident showed how attacks on third-party vendors can have cascading effects throughout the healthcare system, emphasizing the need for due diligence in vendor selection and oversight.
  • The Challenges of Ransom Payments: Change Healthcare’s experience demonstrates the pitfalls of paying ransoms, as it does not guarantee data recovery and can embolden attackers.

The Change Healthcare attack remains a significant event in healthcare cybersecurity history. Its impact continues to be felt today as the industry grapples with its consequences and works to strengthen its defenses against future attacks. As of June 22, 2025, this information is current, but the situation and understanding of the attack may evolve over time.

2 Comments

  1. The statistic of 190 million individuals affected is alarming. Beyond improved cybersecurity, should healthcare organizations also focus on data minimization strategies to reduce the potential impact of future breaches? Perhaps limiting data collection and retention would mitigate the harm.

    • That’s a great point! Data minimization is definitely something healthcare organizations should prioritize. Reducing the amount of sensitive information held limits the potential damage from breaches. It’s a proactive approach to protecting patient privacy and organizational security, complementing existing cybersecurity efforts.

      Editor: StorageTech.News
