Change Healthcare ransomware (ALPHV/BlackCat)
ALPHV/BlackCat compromised Change Healthcare via Citrix portal lacking MFA, paralyzed U.S. prescription claims for weeks, and exfiltrated data on an estimated 100 million people.
- Victim: Change Healthcare (UnitedHealth Group)
- Loss: $2.87B
- Records: 100.0M
- Users: 100.0M
In February 2024, ALPHV/BlackCat operators compromised Change Healthcare, a UnitedHealth Group subsidiary that processes more than a third of U.S. health-claim transactions. The attackers entered through a Citrix remote-access portal that had no multi-factor authentication, used stolen credentials, and dwelled in the network for nine days before detonating their ransomware payload on 21 February 2024.
What happened
Change Healthcare took its systems offline immediately, but the operational blast radius was enormous: pharmacies across the United States could not verify insurance coverage, hospitals struggled to bill Medicare and private insurers, and small clinics ran out of cash. The disruption lasted weeks.
On 3 March 2024, blockchain analysts identified a bitcoin transfer of about 22 million USD to an ALPHV-affiliated wallet, widely interpreted as the ransom payment. ALPHV's operators then exit-scammed their own affiliate, who in turn leaked the stolen data and launched a second extortion attempt under the RansomHub brand.
Impact
- Estimated 100 million individuals had personal and health information stolen, the largest U.S. healthcare data breach on record.
- Total incident cost to UnitedHealth Group: over $2.87 billion.
- Pharmacies, hospitals, and federal Medicare claims processing disrupted for weeks; HHS made emergency advance payments to providers.
- Triggered congressional hearings on healthcare cybersecurity and the resilience of consolidated payment infrastructure.
Why it matters
A single remote-access portal without MFA at one billing intermediary brought a meaningful share of the U.S. healthcare system to a halt. The incident is now a reference case for third-party concentration risk in critical infrastructure, and for why MFA on every external-facing portal is not optional.
Financial impact
Reported costs in USD
- Ransom paid: $22.0M
- Business loss: $2.40B
- Remediation: $280.0M
- Fines & settlements: $170.0M
Timeline
- ALPHV/BlackCat actors gain access to Change Healthcare via a Citrix portal that lacked multi-factor authentication.
- Change Healthcare detects the intrusion and takes systems offline, halting prescription claims processing across the U.S.
- A bitcoin transfer of approximately $22 million is reported to a wallet associated with ALPHV.
- UnitedHealth Group confirms that personal and health information of a substantial proportion of Americans was stolen.
- A second extortion attempt is launched by RansomHub, claiming to hold the same data.
- UnitedHealth CEO testifies before Congress; total cost projected at over $2.4 billion.
- HHS confirms an estimated 100 million individuals were affected, the largest U.S. healthcare data breach on record.
Sources
- unitedhealthgroup.com: https://www.unitedhealthgroup.com/newsroom/2024/2024-04-22-uhg-update-cyberattack.html
- hhs.gov: https://www.hhs.gov/about/news/2024/03/05/letter-to-health-care-leaders-cyberattack-change-healthcare.html
- reuters.com: https://www.reuters.com/business/healthcare-pharmaceuticals/change-healthcare-hack-impacts-an-estimated-100-million-individuals-us-says-2024-10-24/