Change Healthcare — ALPHV/BlackCat ransomware

ALPHV ransomware took US healthcare-claims clearinghouse Change Healthcare offline for weeks, blocked a third of US claims processing, and exposed 190M individuals' health records.

Target: Change Healthcare — ALPHV/BlackCat ransomware
Date public: 21 February 2024
Sector: Healthcare
Attack type: Ransomware
Threat actor: ALPHV / BlackCat
Severity: Critical
Region: United States

In February 2024 ransomware encrypted Change Healthcare, a UnitedHealth subsidiary that operates the largest US healthcare-claims clearinghouse, processing approximately one in three healthcare transactions in the country. The disruption was severe and immediate: pharmacies couldn't process prescriptions for weeks, hospitals couldn't submit insurance claims, and small healthcare practices reported being unable to make payroll. UnitedHealth eventually paid a $22 million ransom, lost personal data on approximately 190 million Americans, and recorded $2.45 billion in 2024 costs. The American Hospital Association called it the most significant cyberattack on the US healthcare system in American history. The entry point was a Citrix portal without two-factor authentication.

On 21 February 2024, Change Healthcare — a UnitedHealth Group subsidiary that operates the largest US healthcare-claims clearinghouse, processing approximately one in three US healthcare transactions — was struck by ransomware that encrypted critical systems and forced the company to take its services offline. The disruption immediately rippled across pharmacies, hospitals, physician practices and insurers nationwide: prescriptions could not be processed at the till for weeks, providers could not submit claims for payment, and small healthcare practices reported being unable to make payroll. The American Hospital Association called it “the most significant cyberattack on the US healthcare system in American history”.

The intrusion was attributed to ALPHV/BlackCat, a Russian-speaking ransomware-as-a-service operation. The entry point was traced to a Citrix portal that did not have multi-factor authentication enabled; the attackers logged in with credentials that had previously been used to access that portal, and spent approximately nine days inside the network before deploying the ransomware. UnitedHealth Group CEO Andrew Witty subsequently testified to Congress that the company had paid a $22 million ransom in Bitcoin to ALPHV. Within hours of the payment, the ALPHV affiliate that had executed the attack accused the ALPHV operators of stealing the affiliate’s share of the ransom in an “exit scam”; the affiliate then leaked some of the stolen Change Healthcare data to a successor leak site, RansomHub, and demanded a second ransom. UnitedHealth subsequently confirmed that personal data on approximately 190 million individuals had been exfiltrated — effectively the medical records of more than half the US population.

The financial cost reached an estimated $2.45 billion in 2024 disclosures, plus continuing remediation, customer-support and litigation expenditure. UnitedHealth advanced approximately $9 billion in interest-free loans to affected providers to bridge the cash-flow gap during the outage. The HHS Office for Civil Rights opened an investigation under HIPAA; the FTC and several state attorneys general opened parallel reviews. Congressional hearings produced bipartisan calls for stronger sector-specific cyber regulation in healthcare.

Defender takeaway: the entry vector — Citrix portal without MFA — is the same control gap that has produced major incidents in roughly every sector for the past five years. The deeper lesson is concentration risk in shared services. Change Healthcare processes one in three US healthcare transactions because the US healthcare system has consolidated around a small number of clearinghouses for cost-efficiency. The cyber resilience of the entire downstream healthcare delivery system depends, in practice, on the cyber resilience of those clearinghouses. Federal regulators have signalled that critical-third-party-services frameworks similar to those applied to financial-services market infrastructure are likely to follow.

Controls that would have helped

Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.

Sources