category: Attack Analysis
published: March 26, 2026
read time: 22 min
author: NoHacky

Change Healthcare and ALPHV/BlackCat: The Breach That Broke U.S. Healthcare

On February 12, 2024, an ALPHV/BlackCat affiliate used a stolen password to log into a Citrix remote access portal at Change Healthcare. The portal had no multi-factor authentication. Nine days later, ransomware encrypted the systems that process 15 billion healthcare transactions a year — touching one in three patient records in the United States. What followed was the largest healthcare data breach in American history, a $22 million ransom payment that protected nothing, an exit scam that destroyed its own criminal enterprise, and a second extortion demand from a different group that had inherited the stolen data. The final victim count: 192.7 million people.

Change Healthcare is not a name that appeared in most people's daily lives, but it occupied a position in the U.S. healthcare infrastructure that made it extraordinarily consequential as a target. As a subsidiary of UnitedHealth Group's Optum division, it served as the clearinghouse connecting 1.6 million health professionals, 70,000 pharmacies, and 8,000 healthcare facilities to the insurance billing and claims processing systems that kept the revenue cycle of American medicine running. When Change Healthcare went down, healthcare providers across the country lost the ability to submit claims, verify patient eligibility, process prescriptions, and receive payments. Every hospital in the country felt the impact, either directly or indirectly.

The vulnerability that allowed this to happen was not sophisticated. It was a missing checkbox on a remote access configuration screen.

How It Happened: The Attack From Entry to Encryption

The ALPHV/BlackCat affiliate — later identified publicly by their forum handle "Notchy" — gained access to Change Healthcare's network on February 12, 2024, using stolen credentials for a low-level customer support employee's account. Those credentials had been posted in a Telegram group known for trading stolen access. The application they used to log in was a Citrix portal that provided remote desktop access to internal systems. It had no multi-factor authentication enabled.

This detail would become one of the most referenced facts in the congressional hearings that followed. UnitedHealth Group CEO Andrew Witty confirmed it directly under oath: the compromised system lacked MFA, a basic security control that represents standard practice across essentially every industry handling sensitive data. Oregon Senator Ron Wyden summarized it bluntly in his public commentary: "This hack could have been stopped with cybersecurity 101."

Once inside via the Citrix portal, the affiliate spent nine days moving laterally through Change Healthcare's network, mapping the environment, escalating privileges, and exfiltrating data before deploying ransomware. During that dwell period — February 12 through February 21 — the attacker moved through internal systems without triggering detection. The forensic investigation later confirmed that unauthorized access ran from February 17 to February 20, though initial access had occurred on the 12th. The affiliate exfiltrated approximately 6 TB of data encompassing health insurance member records, patient diagnoses and treatment information, test results, Social Security numbers, financial records, insurance policy details, and data relating to active U.S. military personnel.

On February 21, the ransomware was deployed. Change Healthcare's systems were encrypted. The outage began immediately.

root cause

The single point of failure was the absence of MFA on a Citrix remote access portal connected to systems processing 15 billion annual healthcare transactions. No exploit was used. No zero-day vulnerability was required. A stolen username and password — the kind routinely sold in credential marketplaces for a few hundred dollars — was sufficient to gain access to one of the most consequential nodes in U.S. healthcare infrastructure.
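A defender-side illustration of the root cause described above, added here as an example that is not part of the briefing and is not Change Healthcare's or Citrix's own tooling: it audits remote-access gateway sign-in events for sessions established with only a password and reports per-portal MFA coverage. The event format and field names (portal, factors, src) and all sample values are constructed assumptions; a real gateway's logs would be mapped into this shape first.

```python
"""Audit remote-access portal sign-in events for single-factor logins.

Added example, not from the briefing or from any vendor. The JSON-lines
event shape below is an assumption; map a real gateway's fields into it.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (test-range IPs, invented users): a gateway
# records which authentication factors each successful session presented.
SAMPLE_EVENTS = """\
{"ts":"2024-02-12T02:14:09Z","portal":"vpn-gw-01","user":"support.tier1","result":"success","factors":["password"],"src":"198.51.100.23"}
{"ts":"2024-02-12T08:30:11Z","portal":"vpn-gw-01","user":"jdoe","result":"success","factors":["password","totp"],"src":"203.0.113.8"}
{"ts":"2024-02-12T09:02:45Z","portal":"vpn-gw-02","user":"asmith","result":"success","factors":["password","push"],"src":"203.0.113.9"}
{"ts":"2024-02-13T01:47:02Z","portal":"vpn-gw-01","user":"support.tier1","result":"success","factors":["password"],"src":"198.51.100.77"}
{"ts":"2024-02-13T11:15:00Z","portal":"vpn-gw-02","user":"bwong","result":"failure","factors":["password"],"src":"203.0.113.20"}
"""

# Anything in this set counts as a second factor; a password alone does not.
SECOND_FACTORS = {"totp", "push", "fido2", "smartcard", "hotp", "sms"}


@dataclass(frozen=True)
class Finding:
    ts: str
    portal: str
    user: str
    src: str


def parse_events(text):
    """Parse JSON-lines auth events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole audit
    return events


def single_factor_logins(events):
    """Return successful sessions that presented no second factor."""
    findings = []
    for e in events:
        if e.get("result") != "success":
            continue
        if not set(e.get("factors", [])) & SECOND_FACTORS:
            findings.append(Finding(e["ts"], e["portal"], e["user"], e["src"]))
    return findings


def mfa_coverage(events):
    """Per-portal fraction of successful sessions that used a second factor."""
    ok, total = defaultdict(int), defaultdict(int)
    for e in events:
        if e.get("result") != "success":
            continue
        total[e["portal"]] += 1
        if set(e.get("factors", [])) & SECOND_FACTORS:
            ok[e["portal"]] += 1
    return {p: ok[p] / total[p] for p in total}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for f in single_factor_logins(evts):
        print(f"SINGLE-FACTOR LOGIN {f.ts} {f.portal} user={f.user} src={f.src}")
    for portal, frac in sorted(mfa_coverage(evts).items()):
        print(f"{portal}: {frac:.0%} of successful sessions used MFA")
```

On the constructed sample the audit flags both password-only sessions on vpn-gw-01 and reports that portal at 33% MFA coverage, which is the kind of gap the briefing says went unnoticed; any portal below 100% is a finding.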

The Scale of the Disruption

Change Healthcare's response to discovering the attack on February 21 was to disconnect more than 111 different services across its systems to prevent further spread. That decision halted the attack from propagating to other UnitedHealth Group systems, but it also immediately severed the connections that tens of thousands of healthcare organizations depended on to function.

Pharmacies could not process insurance claims for prescriptions. Hospitals could not verify patient eligibility before providing care. Physicians could not bill for services rendered. Claims that would normally clear in days sat unprocessed for weeks. The revenue cycle of American medicine — a system built on the assumption that claims would move continuously through digital clearinghouses — ground to a halt in ways that had no precedent.

192.7M: Americans affected (final count, Jul 2025)
$2.457B: UnitedHealth total estimated losses (2024)
94%: hospitals reporting financial impact
74%: hospitals reporting direct patient care impact

A March 2024 American Hospital Association survey of nearly 1,000 hospitals documented the operational reality: 74% reported direct patient care impact including delays in authorizations for medically necessary care, 94% reported financial impact, and 33% reported that more than half of their revenue was disrupted. The American Medical Association's survey in April found that 80% of physician practices lost revenue from unpaid claims, 60% faced challenges verifying patient eligibility, and 55% of medical practice owners used personal funds to cover payroll during the outage.

UnitedHealth Group advanced over $9 billion to healthcare providers facing cash flow crises by the end of Q2 2024. Even that figure was not sufficient to cover the backlog, and providers continued experiencing financial strain long after Change Healthcare's systems came back online. The clearing service did not resume full operations until November 2024 — nine months after the attack.

The $22 Million That Changed Nothing

On March 1, 2024 — ten days after the encryption event — a cryptocurrency address associated with ALPHV/BlackCat received a single transaction worth approximately $22 million: 350 Bitcoin. Security researchers discovered the payment on March 1 by monitoring known ALPHV-controlled wallets. CEO Andrew Witty confirmed the payment before Congress on May 1, 2024, describing it as one of the hardest decisions he had ever made.

The payment was intended to accomplish two things: obtain a decryption key to restore encrypted systems, and prevent the release of the 6 TB of stolen patient data. It accomplished neither.

Two days after ALPHV received the payment, the affiliate who had actually conducted the attack — Notchy — posted on the Russian-language ransomware forum RAMP with a grievance: ALPHV had suspended his account and kept the entire $22 million without paying him his agreed commission. In a typical ALPHV arrangement, the affiliate would receive 60–90% of the ransom payment; the operator takes the remainder as a platform fee. Notchy had conducted the intrusion, exfiltrated the data, deployed the ransomware, and negotiated the payment. ALPHV took the $22 million and disappeared.

"ALPHV/BlackCat did not get seized. They are exit scamming their affiliates. It is blatantly obvious when you check the source code of their new takedown notice." — Fabian Wosar, Emsisoft, March 2024

On March 5, ALPHV's data leak site displayed what appeared to be an FBI seizure notice — the same format used when the DOJ disrupted ALPHV infrastructure in December 2023. Security researchers immediately identified it as a fake. The source code of the notice was nearly identical to the December seizure page but had been modified to simulate a new law enforcement action. ALPHV was not seized. It had executed an exit scam — pocketing the $22 million, abandoning its affiliates, and shutting down operations.

Critically, Notchy retained a copy of all 6 TB of stolen data. ALPHV's promise to delete the data in exchange for payment was meaningless the moment the gang ceased operations. The data was now in the hands of an unpaid, furious affiliate who had every incentive to monetize it further.

The Second Extortion: RansomHub Takes the Data

In April 2024, a then-newly emerged ransomware group called RansomHub posted on its dark web leak site claiming to possess the Change Healthcare stolen data. The post claimed ALPHV had "stolen the $22 million ransom" and that RansomHub now held the data — over 4 TB of records covering millions of U.S. military and Navy personnel, medical and dental records, payment and claims information, Social Security numbers, insurance records, and more than 3,000 source code files for Change Healthcare solutions.

RansomHub demanded a second ransom payment, threatening to sell the data to the highest bidder if no deal was reached. On April 15, the group posted patient record samples it claimed to be from Change Healthcare — proving the data was real and in their possession.

The connection between the unpaid ALPHV affiliate and RansomHub was widely discussed in threat intelligence circles. The most coherent theory — supported by the operational timeline — is that Notchy, having been cheated out of his share, brought the stolen data to RansomHub, which was willing to conduct a second extortion using it. Whether RansomHub was a rebrand of ALPHV, a new group that absorbed former ALPHV affiliates, or simply an independent party that Notchy turned to, the result was the same: Change Healthcare was being extorted a second time for data it had already paid $22 million to suppress.

the payment lesson

The Change Healthcare payment is one of the most documented illustrations of why ransom payments do not guarantee outcomes. The $22 million purchased nothing: no data deletion, no sustained decryption support, and no protection from further extortion. The money went to the operator, not the affiliate who held the data. The affiliate's copy remained intact and was subsequently used to demand a second ransom from the same victim. The $22 million represented less than 1% of the estimated total breach costs.

The RansomHub demand was ultimately removed from its site. No public confirmation of a second payment was ever made. The stolen data — presumably still in the possession of the original affiliate or RansomHub — has not been published in full as of the time of writing, but the absence of a public dump does not mean it has been secured or destroyed.

Who ALPHV/BlackCat Was

ALPHV/BlackCat emerged in November 2021 and quickly distinguished itself through technical sophistication. Unlike most ransomware groups that wrote payloads in C or C++, ALPHV used the Rust programming language — a choice that made the ransomware highly customizable across operating systems, significantly harder to reverse engineer, and capable of producing distinct builds for Windows, Linux, and ESXi environments.

ALPHV operated a classic RaaS model. The core operators maintained the ransomware codebase, the payment infrastructure, the negotiation portals, and the data leak site. Affiliates — independent contractors with their own intrusion capabilities — paid to use the platform and shared ransom proceeds with the operators at a rate that favored affiliates. Before the Change Healthcare exit scam, that arrangement had been largely honored.

The group had a notable prior history before Change Healthcare. It was linked to the MGM Resorts and Caesars Entertainment attacks in September 2023, conducted in collaboration with Scattered Spider. Caesars paid a $15 million ransom; MGM chose not to pay and absorbed an estimated $100 million in losses. ALPHV was also connected — through various degrees of attribution — to DarkSide, the group behind the 2021 Colonial Pipeline attack that disrupted fuel supply to the U.S. East Coast.

The DOJ led an international law enforcement operation against ALPHV in December 2023, seizing websites and developing a decryption tool that saved victims an estimated $68 million in ransom payments. ALPHV responded to that disruption by declaring it would retaliate by specifically targeting healthcare providers. Two months later, Change Healthcare was attacked.

The exit scam following the Change Healthcare ransom damaged something the criminal underground values highly: the operational credibility of a major RaaS platform. Affiliates choose platforms based on trust that the operator will pay their commission. ALPHV's decision to pocket $22 million and abandon its partners sent a damaging signal through the ransomware ecosystem — you could not trust the operator, even on an enormous payout. The fallout from that breach of trust reverberated through underground forums for months and accelerated the fragmentation of the RaaS ecosystem that was already underway in 2024.

The Data Breach: 192.7 Million Americans

Determining the actual scope of the data breach took over a year. Change Healthcare initially filed a breach notification with the HHS Office for Civil Rights listing 500 affected individuals — the regulatory minimum that triggers a mandatory public posting on the HHS portal. That figure was so obviously a placeholder that it drew immediate criticism from regulators and members of Congress, who characterized it as an attempt to minimize public awareness of the incident's scale.

By October 2024, the estimate had been revised to 100 million. By January 2025, it had nearly doubled again to approximately 190 million. The final figure, submitted to the New Hampshire Attorney General and reflected on the HHS breach portal as of July 2025, was 192.7 million individuals — representing approximately 57% of the U.S. population in 2024 and making it the largest healthcare data breach in American history by a substantial margin.

The stolen records were diverse in what they contained. They included names, addresses, Social Security numbers, dates of birth, and contact information. Health insurance member IDs and policy details. Medical records including diagnosis codes, procedure codes, treatment dates, and test results. Payment and claims information. For some individuals, the data included financial account details and records relating to military health coverage under Medicare and TRICARE.

Change Healthcare Attack — Complete Timeline
Feb 12, 2024
Initial access. ALPHV affiliate uses stolen credentials to log into Change Healthcare's Citrix remote access portal. No MFA in place. Lateral movement begins.
Feb 17–20, 2024
Confirmed access window. Forensic investigation confirms unauthorized access during this period. Data exfiltration of approximately 6 TB occurs during the dwell period.
Feb 21, 2024
Ransomware deployed. ALPHV/BlackCat ransomware encrypts Change Healthcare systems. Change Healthcare severs connectivity with its data center, taking more than 111 services offline to prevent spread.
Feb 28, 2024
ALPHV claims responsibility. The group lists Change Healthcare on its data leak site, claiming 6 TB of data stolen from thousands of healthcare providers, insurers, and pharmacies.
Mar 1, 2024
$22 million paid. 350 Bitcoin (~$22M) sent to ALPHV-controlled wallet. Blockchain researchers publicly document the transaction. Change Healthcare declines to confirm the payment.
Mar 3, 2024
Affiliate goes public. Notchy posts on RAMP forum alleging ALPHV suspended his account and kept the $22M. He states he still holds all stolen data. The RaaS model's trust infrastructure begins to collapse.
Mar 5, 2024
ALPHV executes exit scam. Fake FBI seizure notice posted on ALPHV's leak site. Researchers immediately identify it as fabricated. ALPHV ceases operations — it did not get seized; it stole the $22M from its own affiliates and vanished.
Apr 15, 2024
RansomHub publishes samples. RansomHub posts patient record samples from Change Healthcare and demands a second ransom, threatening to sell the data to the highest bidder.
May 1, 2024
CEO testifies before Congress. Andrew Witty confirms the $22M ransom payment, admits the compromised Citrix portal lacked MFA, and says the breach could affect roughly one-third of Americans.
Oct 2024
100 million estimate. Change Healthcare revises the breach count from the placeholder figure of 500 to 100 million affected individuals — still assessed by regulators as an undercount.
Jan 2025
190 million estimate. Forensic review substantially complete. Estimated victim count revised to approximately 190 million — nearly double the October estimate.
Jul 31, 2025
Final count: 192.7 million. Change Healthcare submits final breach count to HHS OCR and state regulators. The 18-month investigation is formally closed. All breach notification letters have been sent.

The Financial Fallout

The $22 million ransom payment became the least significant cost in the incident's financial ledger. UnitedHealth Group posted $872 million in direct cyberattack-related losses in Q1 2024 alone. By the end of Q2, the company had revised its total estimated breach cost upward to between $2.3 billion and $2.45 billion. By Q3, the estimate stood at $2.457 billion — and additional exposure from litigation and regulatory penalties was still accruing.

UnitedHealth Group advanced over $9 billion in emergency loans to healthcare providers facing cash flow crises during the outage period. Those advances created their own controversy: by late 2024 and into 2025, UnitedHealth began aggressive recoupment efforts — clawing back the emergency advances from providers who had relied on them to meet payroll and operational costs during the weeks when the system was down. By January 2025, $4.5 billion had been recouped; by April 2025, media reports described the recoupment process as increasingly adversarial, with providers describing forced repayments that created new financial strain.

The breach triggered the largest regulatory and legal response to a healthcare cybersecurity incident in U.S. history. HHS Office for Civil Rights launched a formal HIPAA investigation in March 2024, focusing on risk analysis and the adequacy of security safeguards. Legal experts predicted HIPAA penalties exceeding $100 million — which would shatter the previous record of $16 million assessed against Anthem following a 2015 breach.

Congress grilled Andrew Witty in two separate committee hearings. Several senators introduced cybersecurity legislation for the healthcare sector in the breach's aftermath, and multiple states moved to fill the federal regulatory gap with their own requirements. New York mandated annual third-party cybersecurity audits for hospitals; California followed with similar requirements.

The Nebraska Attorney General filed the first state-level enforcement lawsuit in December 2024, accusing Change Healthcare of violating state consumer protection law through negligent security practices and the delayed breach notification. Additional state enforcement actions and dozens of class action lawsuits were consolidated into multidistrict litigation in Minnesota. Plaintiff classes represent patients (claiming identity theft risk and emotional distress damages), providers (claiming lost revenue and unfair recoupment terms), and insurers (claiming increased fraud exposure from leaked policy data). UnitedHealth's attempt to dismiss the lawsuits failed, and the litigation remains ongoing.

The breach notification delay itself became a separate liability thread. Change Healthcare's initial placeholder filing of 500 affected individuals — issued months after it was known that tens of millions of records had been stolen — was characterized by regulators and litigation plaintiffs as a deliberate minimization of the incident's scope. Official notifications to affected individuals did not begin until July 2024, five months after the initial attack.

What This Breach Actually Meant

The Change Healthcare incident is regularly called a landmark event in healthcare cybersecurity, and that characterization is accurate — but it is worth being precise about why it was landmark rather than merely large.

It was not the largest in terms of records stolen when it occurred (though it eventually became the largest reported healthcare breach in U.S. history). It was not the most technically sophisticated attack — the entry vector was a stolen password on a portal without MFA, a weakness exploited against targets across every sector every day. What made it different was the structural role of the target.

Change Healthcare was not an organization that primarily served patients. It was infrastructure. It was the digital plumbing through which the financial transactions of American medicine flowed. When it failed, the downstream damage was not measured in one organization's disrupted operations — it was measured in nationwide pharmacy outages, provider insolvencies, delayed authorizations for medically necessary care, and a cascade that touched every hospital in the country. The AHA's observation that the incident showed how an attack on "mission-critical third-party providers" can have national consequences even more devastating than an attack on hospitals directly was not hyperbole. It was a documented operational reality.

The ransom payment narrative added a second landmark dimension. The $22 million paid by UnitedHealth became the most high-profile example of a ransom payment that delivered zero value to the payer — not because of bad faith in the negotiation, but because the structure of the RaaS model meant the operator and the affiliate had conflicting interests, and the data was never within the operator's power to delete, whatever it promised. The affiliate who held it was the one who mattered, and the affiliate was never paid.

"Paying a ransom is a sticky legal issue since the U.S. prohibits payments to threat actors sanctioned through the Office of Foreign Assets Control. And it rarely accomplishes what organizations hope it will." — Barracuda Networks analysis, 2024

The third landmark dimension was the exit scam itself. ALPHV's decision to pocket $22 million and abandon its affiliates was, in some ways, a self-inflicted wound on the broader ransomware ecosystem. The model of organized criminal ransomware depends on a degree of reliability — affiliates need to believe they will be paid, victims need to believe that paying will actually deliver decryption and data deletion. ALPHV demonstrated that neither promise was worth anything when a large enough payday arrived. The trust damage to the RaaS model radiated through underground forums and contributed to the fragmentation of the ecosystem that accelerated throughout 2024 and 2025.

Key Takeaways

  1. A missing MFA checkbox on one Citrix portal took down U.S. healthcare billing for months. The absence of multi-factor authentication on a remote access portal connected to mission-critical infrastructure was the single technical failure that enabled everything that followed. No vulnerability was exploited. No zero-day was used. A stolen password was enough.
  2. The target's structural role determined the blast radius. Change Healthcare was not important because it was large — it was important because every claim, prescription, and insurance verification in the U.S. flowed through it. Attackers didn't need to breach every hospital; they breached the shared infrastructure they all depended on. Third-party vendor concentration creates single points of failure that attackers can identify and target.
  3. The $22 million ransom accomplished nothing. Payment did not secure data deletion, did not prevent re-extortion, and ultimately cost UnitedHealth less than 1% of the total financial impact of the breach. The affiliate — not the operator — held the data. The operator exit-scammed both the affiliate and the victim simultaneously.
  4. The affiliate kept the data and used it again. The structural flaw in the RaaS model revealed here is that ransom negotiations happen with the operator, but data is held by the affiliate. If the operator takes the money and runs, the affiliate retains the leverage. Paying one group does not eliminate exposure from others — especially when the first group's exit turns their own affiliates into adversaries.
  5. 192.7 million Americans had health data exposed — more than half the U.S. population. The breach count grew from a placeholder of 500, to 100 million, to 190 million, to a final figure of 192.7 million over eighteen months of forensic investigation. The deliberate minimization in early notifications became a separate regulatory and legal liability.
  6. The incident demonstrated that healthcare's cybersecurity posture is structurally inadequate for its threat exposure. Organizations processing billions of sensitive records annually were operating without MFA on externally accessible portals. The regulatory framework that was supposed to enforce minimum security standards had not kept pace with the concentration risk created by healthcare's increasing reliance on centralized third-party infrastructure providers.
— end of briefing