HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

9 months after the attack, Change Healthcare restores its clearinghouse

Written by Tshedimoso Makhene | Nov 23, 2024 2:27:26 AM

Nine months after a ransomware attack by ALPHV/BlackCat crippled its operations and exposed data on 100 million people, Change Healthcare has restored its clearinghouse services. While most functions are now back online, the incident’s financial and security fallout continues to impact the US healthcare system.


What happened

Nearly nine months after an enormous ransomware attack by ALPHV/BlackCat, Change Healthcare has announced that its clearinghouse services—the largest in the United States—are back online. The company confirmed the restoration in an update to its website status page, marking a significant step in its recovery from the February cyberattack.

See also: Recovering from a cyberattack


The backstory

The February 2024 ransomware attack on Change Healthcare was a wake-up call for the healthcare sector, exposing systemic vulnerabilities in a critical infrastructure player. Responsible for processing approximately 15 billion transactions annually, Change Healthcare acts as the backbone for financial and operational processes across the US healthcare system. The attack not only disrupted these services but also exposed sensitive data, affecting 100 million people—nearly a third of the US population.

The breach was orchestrated by the notorious ALPHV/BlackCat ransomware group, which exploited a glaring security gap: stolen credentials were used to access a Citrix portal that lacked multi-factor authentication (MFA). Once inside, the attackers navigated an inadequately segmented network, gaining access to troves of sensitive information, including patient names, banking details, email addresses, and medical claims data.

Read more: Health systems still missing payments from Change Healthcare cyberattack


What was said

Security experts have harshly criticized the company's vulnerabilities, with Tom Kellermann, SVP of cyber strategy at Contrast Security, labeling the lapses "egregious negligence." He remarked: "I'm blown away by the fact that they weren't using multi-factor authentication. I'm blown away that the networks weren't segmented. And I'm blown away that they didn't conduct threat hunting robustly into that environment knowing that they had been compromised."

UnitedHealth CEO Andrew Witty faced congressional scrutiny over the company’s decision to pay $22 million in ransom to the attackers. He defended the move, calling it "one of the hardest decisions I've ever had to make."


Why it matters

The restoration of clearinghouse services signals progress, but Change Healthcare’s recovery is far from complete. The attack’s financial, operational, and reputational costs reveal gaps in cybersecurity preparedness within the healthcare sector. Moving forward, stakeholders must prioritize robust security measures, such as multi-factor authentication and network segmentation, to prevent similar incidents.

See also: HIPAA Compliant Email: The Definitive Guide


FAQs

How long does it take to restore services after a cyberattack?

The recovery timeline varies based on the extent of the attack, the affected systems, and the organization's preparedness. While some systems can be partially restored within days or weeks, full recovery—including data integrity checks, system audits, and operational functionality—can take months, as seen in Change Healthcare's nine-month recovery for its clearinghouse services.


How do organizations prioritize which systems to restore first?

Organizations typically prioritize systems based on their criticality to operations. Essential services like payment processing, healthcare record management, or customer communication channels are restored first to minimize disruption.


What role do backups play in recovery?

Backups are crucial for restoring systems and data to their pre-attack state. Businesses should maintain regular, secure, and offline backups to avoid dependency on compromised systems or ransom payments.