A ransomware attack on a UnitedHealth subsidiary brought the US healthcare payment system to a halt, left pharmacies unable to bill insurers for weeks, and resulted in a $22 million ransom payment, only for a second criminal group to demand more for the same stolen data.
In late February 2024, a ransomware attack on a company called Change Healthcare quietly began to shut down pharmacies across the United States. Not by locking their doors or disrupting their physical operations — but by making it impossible for them to process insurance claims. Patients who arrived to pick up prescriptions found themselves turned away or asked to pay full price out of pocket for medications they couldn't afford. Cancer patients couldn't get chemotherapy authorisations. People with chronic conditions ran out of medication. Hospitals couldn't confirm whether procedures were covered.
For a company most Americans had never heard of, Change Healthcare turned out to be the load-bearing infrastructure of the entire US healthcare payment system. And when it went down, the consequences were immediate and human in a way that most cyber attacks are not.
What Is Change Healthcare?
Change Healthcare is a subsidiary of UnitedHealth Group, one of the largest health insurance companies in the United States. Before UnitedHealth acquired it, Change Healthcare was an independent healthcare technology company — and it had spent years building what became an enormous position in the plumbing of US healthcare billing.
The company processes approximately 15 billion healthcare transactions per year. Nearly every time a doctor, pharmacist, or hospital files an insurance claim in the United States, there's a reasonable chance that transaction flows through Change Healthcare's systems at some point. The company acts as a clearinghouse: it receives electronic claims from providers, routes them to the appropriate insurance company for payment adjudication, and handles the flow of information and funds back to providers.
This kind of infrastructure doesn't make the news on a good day. It's exactly the sort of essential, invisible plumbing that people only notice when it stops working. When Change Healthcare's systems went offline in February 2024, it stopped working for the entire US healthcare system simultaneously.
How the Attack Happened
The ransomware group behind the attack was ALPHV, also known as BlackCat, one of the most prolific ransomware operations of recent years. ALPHV/BlackCat ran a ransomware-as-a-service operation: the core group supplied the malware, the leak site and the negotiation infrastructure, while affiliated criminals ("affiliates") carried out the actual intrusions and split the proceeds. The affiliate responsible for the Change Healthcare attack reportedly gained initial access with stolen credentials for a Citrix remote access portal that employees used to connect to Change Healthcare systems.
Critically, that Citrix portal was not protected by multi-factor authentication. As we've seen in other high-profile breaches, including the Scattered Spider intrusion at MGM Resorts, where the attackers talked their way past identity controls by phoning the IT help desk, weak or absent multi-factor authentication on remote access is one of the most reliable pathways into an enterprise network. If an attacker has a valid username and password and no second factor is required, they're in, and their login looks like any other employee's.
From that foothold, which the company later dated to February 12, the attackers moved laterally through Change Healthcare's network for approximately nine days, mapping the environment, identifying valuable systems and exfiltrating data before deploying their ransomware payload. When they triggered the encryption on February 21, 2024, systems across Change Healthcare's infrastructure were hit simultaneously.
The company had no choice but to take virtually all of its systems offline to contain the spread. The impact was immediate.
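One way to turn the entry point described above into a detection, as an added example that is not code from Change Healthcare, UnitedHealth Group or Citrix: the script below runs over a few constructed portal-authentication records (the field names and record layout are assumptions made for illustration, not Citrix's real audit format) and flags successful logins that satisfied no second factor, logins from a source address the account never used during a baseline window, and the span between an account's first and last login, the dwell time that in this case ran to nine days.

```python
"""Flag password-only remote-access logins from never-seen sources.

Added example for this article; not code from Change Healthcare,
UnitedHealth Group or Citrix. The record layout below is an assumption
made for illustration, not any vendor's real audit format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real logs): one per authentication
# attempt at a remote-access portal. "mfa" is "passed" when a second
# factor was satisfied, "none" when the password alone was accepted.
SAMPLE_EVENTS = [
    {"ts": "2024-02-01T08:02:11Z", "user": "jdoe", "src_ip": "203.0.113.7", "result": "success", "mfa": "passed"},
    {"ts": "2024-02-05T09:15:40Z", "user": "jdoe", "src_ip": "203.0.113.7", "result": "success", "mfa": "passed"},
    {"ts": "2024-02-12T02:41:03Z", "user": "svc-remote", "src_ip": "198.51.100.23", "result": "success", "mfa": "none"},
    {"ts": "2024-02-12T02:43:19Z", "user": "svc-remote", "src_ip": "198.51.100.23", "result": "success", "mfa": "none"},
    {"ts": "2024-02-13T22:10:55Z", "user": "jdoe", "src_ip": "192.0.2.44", "result": "failure", "mfa": "none"},
    {"ts": "2024-02-21T04:05:00Z", "user": "svc-remote", "src_ip": "198.51.100.23", "result": "success", "mfa": "none"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def logins_without_mfa(events):
    """Successful authentications where no second factor was satisfied."""
    return [e for e in events if e["result"] == "success" and e["mfa"] != "passed"]


def logins_from_new_sources(events, baseline_until):
    """Successful logins on or after `baseline_until` from a source IP the
    account never used during the baseline window before that cutoff."""
    cutoff = parse_ts(baseline_until)
    known = defaultdict(set)
    for e in events:
        if e["result"] == "success" and parse_ts(e["ts"]) < cutoff:
            known[e["user"]].add(e["src_ip"])
    return [
        e for e in events
        if e["result"] == "success"
        and parse_ts(e["ts"]) >= cutoff
        and e["src_ip"] not in known[e["user"]]
    ]


def dwell_time(events, user):
    """Span between an account's first and last successful login, or None."""
    times = sorted(parse_ts(e["ts"]) for e in events
                   if e["user"] == user and e["result"] == "success")
    return times[-1] - times[0] if times else None


def triage(events, baseline_until):
    """Highest-priority alerts: password-only successes from a never-seen source."""
    new_keys = {(e["ts"], e["user"]) for e in logins_from_new_sources(events, baseline_until)}
    return [e for e in logins_without_mfa(events) if (e["ts"], e["user"]) in new_keys]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, "2024-02-10T00:00:00Z"):
        print(f"ALERT {alert['ts']} {alert['user']} from {alert['src_ip']}: "
              "password-only login from a new source")
    span = dwell_time(SAMPLE_EVENTS, "svc-remote")
    print(f"svc-remote active for {span.days} days before its last login")
```

In a real deployment the baseline would be built from weeks of history and the source check would use ASN or geolocation rather than a raw IP, but the shape is the same: a password-only success from a source the account has never used is the event worth paging on, and with a nine-day window between first access and encryption there was time to act on it.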
The Human Cost
What followed was one of the most visible demonstrations of how ransomware attacks on digital infrastructure translate into physical harm to real people.
Small pharmacies were the first to feel it acutely. Many independent pharmacies operate on thin margins and depend entirely on insurance reimbursements. When they couldn't submit claims, they couldn't get paid. Some began offering interest-free payment plans to patients; others dipped into lines of credit. The American Pharmacists Association reported that many small pharmacies were at risk of closing permanently if the outage continued.
The specific human consequences that emerged in the weeks following the attack were stark:
A cancer patient in Texas was denied authorisation for chemotherapy because her oncologist couldn't submit prior authorisation requests through the normal electronic channel. She spent days on the phone with her insurer before alternative arrangements were made.
Dialysis centres, which treat patients who need kidney dialysis multiple times per week to survive, struggled to confirm coverage and submit claims. Some patients were asked to self-pay — costs that could run to thousands of dollars per session.
Psychiatrists reported that their patients could not fill prescriptions for antidepressants, mood stabilisers and ADHD medications, because pharmacies couldn't verify coverage and were unwilling to dispense without confirmation.
Hospitals, which operate with complex insurance billing processes, faced mounting administrative backlogs as claims piled up without the systems to process them. Several major health systems reported cash flow problems within weeks of the attack, as the flow of insurance payments — which fund payroll and operations — dried up.
The Department of Health and Human Services acknowledged the severity of the situation, issuing guidance to insurance companies asking them to make advance payments to providers and relax prior authorisation requirements. But guidance doesn't automatically translate into action, and the healthcare system's ability to improvise around the failure of its central payment infrastructure was limited.
The $22 Million Ransom
In early March 2024, approximately $22 million worth of Bitcoin moved to a cryptocurrency wallet associated with the ALPHV/BlackCat ransomware group. The transfer was noted by blockchain analytics researchers. UnitedHealth Group never officially confirmed whether it made this payment, but the evidence strongly suggested that it had.
The payment was, in one sense, understandable. Change Healthcare's systems were down, the human cost was mounting daily, and the company had enormous financial resources — UnitedHealth Group had revenues of over $370 billion in 2023. The ransom, while enormous by most standards, was a relatively small fraction of the daily losses caused by the outage.
But what happened next illustrated one of the most cynical dynamics in the ransomware ecosystem.
After the $22 million arrived, the ALPHV/BlackCat operators staged what looked like a law-enforcement seizure of their own leak site and disappeared with the money, an exit scam that left the affiliate who had actually broken into Change Healthcare's systems without their cut. That affiliate still had the stolen data.
RansomHub's Second Extortion Demand
In April 2024, roughly six weeks after the ransom payment, a different ransomware group called RansomHub listed Change Healthcare on its leak site and contacted UnitedHealth Group. RansomHub claimed to hold the data exfiltrated during the attack, apparently obtained from the ALPHV affiliate who felt cheated of their share, and threatened to publish it unless paid.
This represented a new twist on an already brutal dynamic: Change Healthcare had potentially paid once and was now facing a second extortion attempt by different actors, over the same stolen data.
UnitedHealth Group confirmed in April 2024 that a "substantial proportion" of Americans' health data had been stolen in the breach. The company estimated that the compromised data could cover as much as one third of all Americans, meaning the personal health information of over 100 million people may have been exposed. This included names, addresses, dates of birth, phone numbers, insurance information, medical record numbers, diagnoses, medications, billing codes, and, in some cases, Social Security numbers and financial details. In October 2024 UnitedHealth told the Department of Health and Human Services that roughly 100 million people were affected, and it revised that figure upward again in January 2025.
The scope of the health data involved made this the largest breach of protected health information in US history, surpassing the 2015 Anthem breach, which affected about 78.8 million people.
The Financial Toll
UnitedHealth Group's financial disclosures through the rest of 2024 gave some indication of the economic damage. The company put direct costs from the attack, including the ransom, remediation, and provider assistance programmes, at $872 million in the first quarter alone. Its initial full-year estimate ran to $1.6 billion; later in 2024 it raised that to more than $2 billion.
The company established a temporary loan programme for healthcare providers affected by the outage, making available billions of dollars in advances to keep pharmacies and providers afloat while normal payment processing was restored. Restoration of full functionality took months — some systems were back within weeks; others took significantly longer.
Congressional hearings followed. UnitedHealth Group CEO Andrew Witty testified before the Senate Finance Committee and the House Energy and Commerce Committee in May 2024. He confirmed that the company had paid the ransom, a rare instance of a chief executive acknowledging a ransomware payment under oath. He also acknowledged that multi-factor authentication had not been enabled on the Citrix portal used as the entry point, a basic security failure for a company handling the health data of a third of the American population.
What This Means for Healthcare Security
The Change Healthcare attack forced a reckoning with the security posture of healthcare technology companies — particularly those that have grown, through acquisition and market consolidation, into systemically important infrastructure.
The US healthcare system was not designed with cybersecurity centralisation in mind. The consolidation of payment processing through a relatively small number of clearinghouses created enormous efficiency. It also created enormous fragility. When a single company processes 15 billion transactions a year, an attack on that company doesn't just hurt that company. It hurts every provider and every patient connected to it.
The healthcare sector has historically been one of the most-targeted industries for ransomware, for a combination of reasons: healthcare organisations often run older systems that are expensive and operationally risky to update; they hold extremely sensitive data with high black-market value; and the life-or-death nature of healthcare operations creates enormous pressure to pay ransoms quickly and avoid lengthy outages.
But Change Healthcare was not a regional hospital with a small IT budget. It was a subsidiary of one of the world's largest corporations, with resources that should have enabled industry-leading security practices. The failure to implement multi-factor authentication on a remote access portal — a control that has been considered a basic security requirement for over a decade — was not a resource problem. It was a priority problem.
The attack is a reminder that no sector of the economy is too important to be targeted. Critical infrastructure status doesn't provide protection. If anything, it raises the stakes of compromise and makes victim organisations more likely to pay.
What Affected Patients Should Do
If you received a notification from a healthcare provider, insurer, or Change Healthcare itself about potential exposure of your health data, the steps below are worth taking.
Health data breaches are distinct from financial data breaches in important ways. The financial risks are still present — Social Security numbers exposed in healthcare breaches can be used for tax fraud, credit fraud, and identity theft. But the exposure of medical information creates additional risks, including potential medical identity theft (where someone uses your insurance to receive medical care in your name, creating false records in your file) and the deeply personal privacy implications of your diagnoses or medications becoming known to others.
Request a free credit freeze from all three major bureaus — Equifax, Experian, and TransUnion. This prevents new credit being opened in your name.
Monitor your explanation of benefits statements from your health insurer carefully. If you receive a statement for a procedure you didn't have, at a facility you didn't visit, that's a sign of medical identity theft. Report it to your insurer immediately.
Request a copy of your medical records from major providers annually, and check them for procedures or prescriptions you don't recognise. In the US, you have a legal right to these records.
Be vigilant about health-related phishing, particularly any communications claiming to be from UnitedHealth Group, Change Healthcare, or your health insurer that request personal information or direct you to login pages.
The Change Healthcare attack was an inflection point in the ransomware era — a moment when the abstraction between "cyber attack" and "human harm" collapsed completely. People were denied medication. Surgeries were delayed. Lives were disrupted in ways that will never be fully counted in any damage assessment. The lesson is not simply that healthcare companies need better security — though they do. It's that the consolidation of critical digital infrastructure creates single points of failure whose consequences, when they materialise, extend far beyond the organisations involved.
References:
- UnitedHealth Group Q1 2024 Earnings Release and CEO Congressional Testimony, May 2024 — Financial disclosures and ransom confirmation
- US Department of Health and Human Services: Change Healthcare Cyberattack response — Federal government response and guidance
- CISA and FBI Advisory on ALPHV Blackcat Ransomware, February 2024 — Technical details on ALPHV operations
- Wired: The Ransomware Attack That Shook US Healthcare — Detailed investigative reporting
- AHA: Change Healthcare Cyberattack Impact Assessment — American Hospital Association survey of provider impacts
- Senate Finance Committee Hearing Transcript: CEO Andrew Witty Testimony, May 2024 — Congressional testimony