A ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group (UHG), has triggered one of the most consequential disruptions ever recorded in the U.S. healthcare sector. First detected on February 21, 2024, the intrusion forced the company to pull systems offline, cutting pharmacies, hospitals, and insurers off from a platform that processes roughly 15 billion healthcare transactions annually. The BlackCat (ALPHV) ransomware group claimed responsibility, allegedly exfiltrating 6 terabytes of sensitive data, with reports indicating a $22 million payment was made to the operators.

What Happened

On detection of the intrusion, Change Healthcare took critical platforms offline to contain the spread, severing the connective tissue between providers, payers, and pharmacy networks across the country. The outage rippled outward almost immediately: pharmacies could not validate insurance benefits, providers could not submit claims, and patients faced delayed or denied care while emergency cash-flow workarounds were stood up. The U.S. Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) opened investigations into the breach. UHG has not officially confirmed a ransom payment, but multiple reports place the figure at $22 million, ranking it among the largest known ransomware payouts to date.

What Was Taken

BlackCat operators claim to have exfiltrated approximately 6 terabytes of data prior to encryption. The dataset reportedly includes:

Given Change Healthcare's role as a clearinghouse for a substantial share of U.S. medical transactions, the exposed population spans pharmacies, hospitals, insurers, and patients across all 50 states. Sensitivity is rated high: the data combines identity, financial, and clinical attributes, an unusually toxic mix for downstream fraud, extortion, and identity theft.

Why It Matters

Change Healthcare sits at a chokepoint in the U.S. medical economy. When its rails go dark, the consequences are not abstract: prescriptions are delayed, providers cannot bill, and patient care is materially affected. This incident is a strategic case study in third-party concentration risk, where a single vendor compromise translates into nationwide operational impact. For defenders, the takeaway is that ransomware against healthcare clearinghouses is now a patient safety issue, not just an IT or compliance concern. The attack also reinforces that double-extortion playbooks remain highly profitable when the victim cannot tolerate sustained downtime.

The Attack Technique

The intrusion has been publicly attributed to the BlackCat (ALPHV) ransomware-as-a-service operation, a Rust-based program known for double extortion, aggressive negotiation tactics, and affiliate-driven targeting. While the precise initial access vector for the Change Healthcare event has not been formally disclosed, BlackCat affiliates have historically leaned on stolen credentials, exploitation of edge devices and remote access services, and abuse of unpatched perimeter appliances. Once inside, affiliates typically perform credential harvesting, lateral movement via remote management tooling, mass exfiltration of file shares, and synchronized deployment of the encryptor across hypervisors and Windows estates. The combination of bulk exfiltration (6 TB) and full encryption is consistent with BlackCat's standard tradecraft.

What Organizations Should Do

  1. Map third-party concentration risk: identify vendors whose outage would halt core operations and build manual fallback procedures for claims, prescriptions, and payments.
  2. Harden identity and remote access: enforce phishing-resistant MFA on VPNs, RMM, and admin portals, and continuously audit for stale or over-privileged accounts.
  3. Segment clinical and financial systems: limit east-west movement so a clearinghouse or back-office compromise cannot cascade into care-delivery systems.
  4. Hunt for BlackCat/ALPHV indicators: monitor for known affiliate tooling, suspicious Rust binaries, and abnormal bulk outbound transfers to cloud storage providers.
  5. Test offline backups and recovery: validate that clinical, billing, and pharmacy systems can be restored from immutable backups within defined RTOs.
  6. Pre-approve incident playbooks with HHS, CISA, and counsel: include ransom decisioning, breach notification timelines under HIPAA, and patient safety communications.
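Step 4 above calls for monitoring abnormal bulk outbound transfers to cloud storage providers. The following is an added illustration, not code from the original article or from any of the organizations it names: it parses a constructed proxy/firewall log (fields: timestamp, source host, destination domain, bytes out), sums per-host volume to a hypothetical watch list of cloud-storage domains, and flags hosts that exceed either an absolute byte threshold or a multiple of the peer median. The domain list, log format, and both thresholds are assumptions for illustration.

```python
"""Flag hosts sending unusually large outbound volumes to cloud-storage domains.

Added example (not from the original article). It assumes a simple
proxy/firewall log format, constructed here, with whitespace-separated fields:
    timestamp  src_host  dst_domain  bytes_out
and a hypothetical list of cloud-storage domains to watch.
"""
from collections import defaultdict
from statistics import median

# Assumption for illustration: domains treated as bulk-upload destinations.
# A real deployment would maintain its own watch list.
CLOUD_STORAGE_DOMAINS = {
    "mega.nz",
    "storage.example-cloud.net",
    "files.example-drive.com",
}

# Constructed sample log lines (not real traffic). One workstation uploads
# roughly 2.2 GB to a file-sharing site; the others show routine volumes.
SAMPLE_LOG = """\
2024-02-20T01:02:03Z ws-0417 intranet.corp.local 2048
2024-02-20T01:05:10Z ws-0417 mega.nz 734003200
2024-02-20T01:07:44Z ws-0417 mega.nz 812000000
2024-02-20T01:09:11Z ws-0417 mega.nz 655360000
2024-02-20T02:00:00Z ws-0102 files.example-drive.com 5242880
2024-02-20T02:10:00Z ws-0102 intranet.corp.local 40960
2024-02-20T02:15:00Z srv-bill-01 storage.example-cloud.net 3145728
2024-02-20T02:20:00Z ws-0333 mega.nz 1048576
malformed line that should be skipped
"""


def parse_line(line):
    """Return (timestamp, host, domain, bytes) or None for unparsable lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, host, domain, size = parts
    try:
        return ts, host, domain, int(size)
    except ValueError:
        return None


def outbound_to_cloud(log_text, watch_domains=CLOUD_STORAGE_DOMAINS):
    """Sum bytes per source host sent to watched cloud-storage domains
    over the whole log window. Malformed lines are skipped, not fatal."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, host, domain, size = rec
        if domain in watch_domains:
            totals[host] += size
    return dict(totals)


def flag_bulk_uploaders(totals, absolute_threshold=1_000_000_000, ratio=20):
    """Flag hosts whose cloud upload volume exceeds an absolute threshold
    (default 1 GB) or is `ratio` times the median of all observed hosts,
    a simple peer baseline. Both values are illustrative tuning assumptions.
    Returns a list of (host, bytes) sorted by volume, largest first."""
    if not totals:
        return []
    baseline = median(totals.values())
    flagged = []
    for host, total in sorted(totals.items(), key=lambda kv: -kv[1]):
        if total >= absolute_threshold or (baseline > 0 and total >= ratio * baseline):
            flagged.append((host, total))
    return flagged


if __name__ == "__main__":
    totals = outbound_to_cloud(SAMPLE_LOG)
    for host, total in flag_bulk_uploaders(totals):
        print(f"ALERT bulk outbound to cloud storage: {host} sent {total / 1e9:.2f} GB")
```

The peer-median check matters in practice: a billing server that legitimately syncs a few megabytes a night stays under both thresholds, while a single workstation pushing gigabytes to a file-sharing site stands out even in an environment where absolute volumes vary. In production the same logic would run over rolling time windows rather than a whole file, and the watch list would be driven by threat intelligence rather than a static set.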

Sources: UnitedHealth Group, Change Healthcare, MSN