The Change Healthcare ransomware attack exposed severe cybersecurity vulnerabilities in the U.S. healthcare system.
Despite being one of the largest and most influential IT providers in the industry, Change Healthcare failed to implement basic security controls, leading to an unprecedented breach that impacted millions of U.S. citizens.
Change Healthcare experienced a sudden system outage that stopped critical billing and insurance processing. The disruption affected healthcare providers and pharmacies across the U.S.
Upon investigation, Change Healthcare confirmed that it was dealing with a cybersecurity incident. It activated its security protocols to isolate the intruders. That decision caused widespread outages across the sector, with insurance claims and medical billing systems coming to a standstill. The company later confirmed that the hackers had infiltrated its network around February 12, 2024.
UnitedHealth, which owns Change Healthcare, initially speculated that the attack was the work of a state-sponsored actor. However, on February 29, the company announced that the breach was carried out by the ALPHV/BlackCat ransomware gang, a notorious Russian-speaking cybercriminal group.
ALPHV/BlackCat’s dark web site claimed responsibility for the breach, stating that the group had stolen sensitive medical data from millions of Americans, including health records, patient diagnoses, and treatment plans.
UnitedHealth confirmed that it paid a $22 million ransom to the hackers to regain control over its data. However, within days, ALPHV disappeared from its dark web leak site, which was replaced by a fake law enforcement seizure notice.
The FBI and U.K. authorities later denied any involvement in taking down the site, leading to speculation that the cybercriminals conducted an "exit scam," taking the ransom money and vanishing. Despite receiving the ransom, the hackers claimed they still possessed the stolen data.
As the breach continued to affect the healthcare sector, major disruptions persisted. Healthcare providers, pharmacies, and insurance systems remained out of service, leaving patients struggling with prescription fulfillment and claims processing. TriCare, the military health insurance provider, announced that its pharmacies worldwide were affected.
The American Medical Association expressed frustration with the lack of communication from Change Healthcare and UnitedHealth about the breach scale and progress.
The U.S. government offered a $10 million reward for information leading to the identification or capture of the gang’s leadership and affiliates.
An affiliate of ALPHV, angered by the apparent betrayal of its leaders who absconded with the ransom, formed a new ransomware gang called RansomHub. The new group continued to hold the stolen data and demanded a second ransom payment from UnitedHealth.
RansomHub published some of the stolen health data, adding pressure on UnitedHealth to comply.
UnitedHealth publicly acknowledged the full scale of the breach, revealing for the first time that the attack affected a substantial portion of the U.S. population. The company confirmed that the stolen data includes sensitive medical records, like diagnoses, medications, test results, treatment plans, and financial information.
Given the breadth of Change Healthcare’s operations, it was estimated that the number of affected individuals would likely exceed 100 million.
During a testimony before the Senate Finance Committee, UnitedHealth CEO Andrew Witty admitted that the breach could have been prevented.
Witty revealed that the hackers initially gained access to Change Healthcare’s network by exploiting a weak password associated with a low-level customer support employee’s account. More specifically, the account lacked a basic security feature called multi-factor authentication (MFA).
Change Healthcare started notifying healthcare providers and publicly disclosed the breach. The company indicated that it was in the process of identifying and notifying affected individuals, but given the complexity and volume of the stolen data, the process was expected to take months.
The company also urged healthcare providers to assist with the notifications, particularly those with limited resources.
Change Healthcare began sending formal breach notification letters to affected individuals. These letters confirm what data was stolen and outline the company’s plans to mitigate the damage.
UnitedHealth updated its estimate of affected individuals to over 100 million, marking the breach as one of the largest healthcare data thefts in U.S. history.
The state of Nebraska filed a lawsuit against Change Healthcare, accusing the company of failing to adequately protect sensitive data. New details revealed in the lawsuit show that the initial breach occurred through the use of stolen credentials from a low-level employee and that the company’s poorly segmented IT systems allowed the hackers to move freely through the network.
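The two control gaps the article names, a low-level support account without MFA and a poorly segmented network that let the intruders move freely, are the kind of thing a defender can check for in an access and network inventory. The following Python audit is an added example, not code from Change Healthcare, UnitedHealth or the Nebraska lawsuit; every account name, segment name, password length and allowed flow in it is constructed for the demonstration. It lists accounts lacking MFA or using short passwords, then computes which sensitive segments each unprotected account's network position can reach by following allowed flows transitively, comparing a flat layout with a segmented one.

```python
# Added example (not from the article): audit constructed account and network
# records for missing MFA, weak passwords and over-broad network reachability.
from collections import deque

# Constructed sample data; not Change Healthcare's real accounts or topology.
ACCOUNTS = [
    {"user": "support.agent01", "role": "customer_support", "mfa": False,
     "password_len": 8, "segment": "support-vpn"},
    {"user": "claims.admin", "role": "claims_admin", "mfa": True,
     "password_len": 20, "segment": "corp-lan"},
    {"user": "helpdesk.tmp", "role": "customer_support", "mfa": False,
     "password_len": 14, "segment": "support-vpn"},
]

# Allowed network flows as (source_segment, destination_segment) pairs.
# The flat layout lets the support VPN reach the corporate LAN, which in turn
# reaches the claims and records systems; the segmented layout confines the
# support VPN to the ticketing system only.
FLAT_FLOWS = [
    ("support-vpn", "corp-lan"),
    ("corp-lan", "claims-core"),
    ("corp-lan", "ehr-db"),
]
SEGMENTED_FLOWS = [
    ("support-vpn", "ticketing"),
    ("corp-lan", "claims-core"),
]
SENSITIVE = {"claims-core", "ehr-db"}  # segments holding claims and medical data


def accounts_without_mfa(accounts):
    """Usernames of accounts with no second factor enrolled."""
    return sorted(a["user"] for a in accounts if not a["mfa"])


def weak_credential_accounts(accounts, min_len=14):
    """Usernames whose password is shorter than the policy minimum (assumed 14)."""
    return sorted(a["user"] for a in accounts if a["password_len"] < min_len)


def reachable_segments(flows, start):
    """Transitive closure of allowed flows from `start`, via breadth-first search."""
    adj = {}
    for src, dst in flows:
        adj.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def exposure_report(accounts, flows, sensitive=SENSITIVE):
    """For each account lacking MFA, list the sensitive segments reachable from
    its network position. A non-empty list is the finding: a single stolen
    password on that account is enough to reach the data."""
    report = {}
    for a in accounts:
        if a["mfa"]:
            continue
        reach = reachable_segments(flows, a["segment"])
        report[a["user"]] = sorted(reach & sensitive)
    return report


if __name__ == "__main__":
    print("no MFA:", accounts_without_mfa(ACCOUNTS))
    print("weak passwords:", weak_credential_accounts(ACCOUNTS))
    print("flat network exposure:", exposure_report(ACCOUNTS, FLAT_FLOWS))
    print("segmented network exposure:", exposure_report(ACCOUNTS, SEGMENTED_FLOWS))
```

Run as-is, the flat layout reports both unprotected support accounts as able to reach the claims and records segments, while the segmented layout reports none; the same audit can be pointed at an exported account list and firewall policy in place of the constructed data.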
Change Healthcare, in partnership with UnitedHealth, confirmed that the breach now impacts 190 million people in the United States, making it one of the largest digital thefts of medical records ever recorded.
Going deeper: The Change Healthcare attack
Ransomware is malicious software that encrypts a victim's data, with attackers demanding payment to restore access or prevent data leaks.
Affected individuals must monitor their financial accounts, change passwords, and use the identity theft protection services offered by Change Healthcare.
Healthcare organizations can adopt measures like multi-factor authentication, regular audits, employee training, and strong encryption to protect patient data.
Learn more: HIPAA Compliant Email: The Definitive Guide