The Change Healthcare Hack: What Actually Happened and What It Means for Your Practice

In February 2024, a ransomware group called ALPHV/BlackCat broke into Change Healthcare, a subsidiary of UnitedHealth Group that processes roughly 40% of all U.S. medical claims. They got in through one remote-access portal that didn’t have multi-factor authentication enabled.

What followed was the largest healthcare data breach in American history, a months-long billing outage that nearly bankrupted thousands of small medical practices, a $22 million ransom payment that didn’t end the crisis, and a cascade of consequences still being felt today.

The Change Healthcare attack is not only a cautionary tale about one large corporation’s security failures. It’s a masterclass in how a single point of failure inside the healthcare supply chain can bring the entire ecosystem to its knees, including practices that had nothing to do with Change Healthcare, never chose it as a vendor, and had no idea how exposed they were.

Who Is Change Healthcare and Why Did It Matter So Much

Most patients have never heard of Change Healthcare. Most physicians know the name but few understand the scope.

Change Healthcare was, at the time of the attack, the largest health payment processor in the United States. Acquired in October 2022 by Optum, the health-services arm of UnitedHealth Group, the company processed an estimated 15 billion healthcare transactions annually. Roughly one in three U.S. patient records touched its systems at some point.

The services Change Healthcare provided weren’t glamorous, but they were foundational. Medical claims processing. Prior authorization routing. Electronic prescribing. Pharmacy benefit management. Revenue cycle management tools used by hospitals, physician groups, and independent practices alike. Dental billing. Workers’ compensation processing.

Practices didn’t necessarily contract directly with Change Healthcare. Many of them used billing software or clearinghouses that routed claims through Change Healthcare’s infrastructure without the practice ever knowing it. When the attack hit, those practices discovered the dependency the hard way: their billing stopped working and they had no idea why.

How the Attackers Got In

The technical entry point was straightforward, which is part of what makes it so instructive.

ALPHV/BlackCat, a ransomware-as-a-service operation with affiliates operating worldwide, gained access to Change Healthcare’s network through a Citrix portal used for remote desktop access. Citrix is widely used in enterprise environments to let employees reach internal systems from outside the corporate network, and Change Healthcare used it for exactly that purpose.

The portal they targeted did not require multi-factor authentication. An attacker holding a valid username and password could log straight in. How the credentials were obtained has not been confirmed publicly; the usual routes are phishing, purchase from a dump of an earlier, unrelated breach, or credential stuffing against a password the employee had reused elsewhere.

ALPHV/BlackCat logged in on February 12, 2024. They didn’t immediately detonate ransomware. They spent nine days inside the network, moving laterally, mapping systems, identifying high-value targets, and exfiltrating data before triggering the destructive phase of the attack on February 21.

Nine days of undetected presence inside the largest health payment processor in the country. The 89-day average detection time in healthcare, cited repeatedly in industry research, isn’t an abstract statistic. This is what it looks like in practice.

The Attack and Its Immediate Aftermath

On February 21, 2024, Change Healthcare’s systems began going down. UnitedHealth Group took most of Change Healthcare’s infrastructure offline in response, a containment decision that was correct from a security standpoint and catastrophic from an operational one.

The billing pipeline that 40% of U.S. healthcare claims ran through simply stopped.

Pharmacies couldn’t process prescriptions. Hospitals couldn’t submit claims. Physician groups couldn’t get prior authorizations approved. Revenue cycle software used by thousands of practices went dark. Electronic prescribing systems failed. For many practices, the first sign of the breach was that their billing software stopped working on a Tuesday morning with no explanation.

The American Medical Association surveyed its members in the weeks following the attack. The results were stark. Ninety-four percent of physician practices reported financial impact from the disruption. Seventy-eight percent had lost revenue from unpaid claims. Fifty-eight percent had depleted cash reserves. Forty-three percent said they were unable to submit claims at all during the outage. Thirty-three percent reported that more than half of their revenue had been disrupted.

The practices hit hardest were the smallest ones. Practices without capital reserves or lines of credit had no cushion. The AMA reported physicians taking out personal home equity loans, running up personal credit cards, and drawing down retirement savings to cover payroll and keep their doors open while waiting for the billing system to come back online. The AMA explicitly stated that some small practices would close as a direct result of the attack.

The $22 Million Ransom That Didn’t Solve Anything

What happened next introduced a layer of chaos that is almost unprecedented in the history of ransomware.

UnitedHealth Group paid ALPHV/BlackCat a ransom of approximately $22 million in bitcoin (about 350 BTC) around March 1, 2024. The transaction was first identified through blockchain analysis, and CEO Andrew Witty later confirmed the payment. Its purpose was to obtain a decryptor and to prevent publication of the exfiltrated data.

ALPHV/BlackCat then pulled what the cybersecurity industry calls an exit scam.

The ransomware group’s operators took the $22 million and shut down, posting a fake law-enforcement seizure banner on their leak site and locking out their own affiliates, the criminal operators who had actually conducted the attack, without paying them their cut. The affiliate behind the Change Healthcare intrusion, operating under the name “Notchy,” complained publicly on a criminal forum about being stiffed. Still holding the stolen data, Notchy took it to a different ransomware group, RansomHub, which began independently extorting UnitedHealth Group with threats to release the same data.

UnitedHealth Group had paid $22 million and still had a second ransomware group threatening to publish roughly 4 terabytes of stolen patient data. The listing later disappeared from RansomHub’s leak site; whether a second payment was made has never been confirmed.

This sequence of events demolished a premise that some organizations had quietly relied on: that paying a ransom would end the incident. In this case, it didn’t. It funded an exit scam, left affiliates unpaid, generated a second extortion attempt from a different group, and did nothing to accelerate the restoration of billing services for the practices waiting on the other end.

The Scale of What Was Stolen

The count grew as UnitedHealth Group’s review progressed. In October 2024 it told HHS that roughly 100 million individuals were affected; in January 2025 it raised the estimate to about 190 million; and the final figure reported to the HHS breach portal in mid-2025 was 192.7 million. That’s approximately 58% of the U.S. population having their healthcare data compromised in a single incident.

The data categories exposed were comprehensive. Health insurance membership IDs. Diagnoses and medical conditions. Treatment information. Billing codes. Social Security numbers. Dates of birth. Contact information. In some cases, full medical histories.

This is the category of data that, by commonly cited estimates, sells for $260 to $310 per record on criminal markets, and that enables insurance fraud, prescription drug fraud, and medical identity theft on a scale individual victims may not discover for months or years. A stolen credit card number can be cancelled within hours of discovery. A stolen medical record containing your diagnoses, your insurance ID, and your Social Security number cannot be cancelled. It follows you.

For the practices whose patients were exposed, the HIPAA implications began immediately. Even though the breach originated at Change Healthcare, covered entities who had relationships with Change Healthcare as a business associate faced their own compliance obligations, notification requirements, and potential liability exposure.

How the Response Made Things Worse

UnitedHealth Group’s response to the attack has been widely criticized, not for the containment decision, which security experts largely considered appropriate, but for the pace and transparency of the recovery.

It took weeks for basic billing functionality to begin returning. Full restoration stretched over months. The company established temporary funding programs for affected providers, but accessing those funds required attestations and approvals that added friction at a moment when practices needed immediate relief. The programs were widely criticized as insufficient, and many small practices reported difficulty qualifying or receiving funds in time to matter.

The HHS Office for Civil Rights opened an investigation into Change Healthcare and UnitedHealth Group’s HIPAA compliance. The Senate Finance Committee held hearings at which UnitedHealth Group CEO Andrew Witty testified. Congressional scrutiny of healthcare sector cybersecurity practices increased substantially in the attack’s wake.

The attack also accelerated a cascade of regulatory responses. HHS had published voluntary Cybersecurity Performance Goals for the health sector in January 2024, weeks before the breach; afterward it moved toward making baseline controls enforceable. The HIPAA Security Rule Notice of Proposed Rulemaking, announced in December 2024 and published in the Federal Register in January 2025, cites the Change Healthcare incident explicitly. Its proposed mandatory MFA requirement is a direct regulatory response to a portal that didn’t have it.

What the Attack Revealed About Healthcare’s Systemic Vulnerability

The Change Healthcare attack is valuable to study not just for what it tells us about one company’s security posture, but for what it reveals about structural vulnerabilities that affect the entire healthcare ecosystem.

Concentration risk. When a single vendor processes 40% of U.S. healthcare claims, its failure is a system failure, not a company failure. Most of the practices affected had no visibility into their dependency on Change Healthcare. They had chosen billing software or clearinghouses without knowing where those services routed their claims. Concentration risk at this scale is invisible to the organizations most exposed to it.

Downstream dependency. The attack’s impact on small practices was not a direct attack on those practices. It was transmitted through a supply chain they didn’t know they were part of. This is the defining characteristic of modern supply chain attacks: the organizations that suffer most are not the ones attacked. They’re the ones downstream.

The MFA gap. Multi-factor authentication on a single remote-access portal would almost certainly have prevented this breach. The credential that provided access was valid. Without MFA, it was sufficient. With MFA, it would not have been. Every security framework, every compliance standard, every incident post-mortem in the last decade has identified MFA as a foundational control. It still wasn’t in place on a portal used to access the infrastructure of the largest health payment processor in the country.

Detection time. Nine days of undetected lateral movement. The attackers mapped the environment, identified the highest-value systems, exfiltrated data, and positioned themselves for maximum impact before triggering the attack. Signature-based tools that look for known malware have little to match against during a reconnaissance phase carried out with a valid credential: the logins look like logins. Behavioral detection, which flags an account authenticating to hosts it has never touched, lateral movement at unusual hours, or outbound data volume far above that account’s norm, is the class of tooling with a real chance of catching this phase. Most small practices don’t have it. Evidently, the largest health payment processor in the country either didn’t have it or didn’t have it tuned to fire.
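To make the behavioral-detection point concrete, here is an added example that is not code from this article and does not represent how any named vendor product works. It runs a simple baseline-and-deviation check over constructed remote-access, host-authentication and egress events: each account’s own history sets its baseline, and the check fires when that account fans out to hosts it has never touched or pushes out far more data than usual. The event format, account and host names, and thresholds are assumptions made for illustration.

```python
"""Baseline-and-deviation detection over constructed auth/egress events.

Added example, not code from the article or from any vendor product.
Log format, names and thresholds are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime

NEW_HOST_THRESHOLD = 3          # never-before-seen hosts touched in one day
EGRESS_MULTIPLIER = 10          # day's outbound bytes vs. the user's baseline mean
EGRESS_FLOOR = 50 * 1024 ** 2   # ignore small volumes even when baseline is ~0

# Constructed events: (timestamp, user, kind, host, bytes_out).
# kind: "portal_login" = remote-access gateway logon,
#       "host_auth"    = logon to an internal host,
#       "egress"       = outbound transfer attributed to the user.
SAMPLE_EVENTS = [
    # Baseline week: jdoe uses two hosts and moves a few MB a day.
    ("2024-02-05T09:00:00", "jdoe", "portal_login", "remote-gw", 0),
    ("2024-02-05T09:05:00", "jdoe", "host_auth", "hr-app-01", 0),
    ("2024-02-05T17:00:00", "jdoe", "egress", "hr-app-01", 4_000_000),
    ("2024-02-06T09:00:00", "jdoe", "portal_login", "remote-gw", 0),
    ("2024-02-06T09:10:00", "jdoe", "host_auth", "fileshare-02", 0),
    ("2024-02-06T17:00:00", "jdoe", "egress", "fileshare-02", 6_000_000),
    ("2024-02-07T09:00:00", "jdoe", "portal_login", "remote-gw", 0),
    ("2024-02-07T09:05:00", "jdoe", "host_auth", "hr-app-01", 0),
    ("2024-02-07T17:00:00", "jdoe", "egress", "hr-app-01", 5_000_000),
    # Detection window: the same (valid) credential fans out to hosts
    # it has never touched, then pushes ~900 MB out overnight.
    ("2024-02-12T23:40:00", "jdoe", "portal_login", "remote-gw", 0),
    ("2024-02-13T01:05:00", "jdoe", "host_auth", "dc-01", 0),
    ("2024-02-13T01:20:00", "jdoe", "host_auth", "sql-claims-03", 0),
    ("2024-02-13T01:45:00", "jdoe", "host_auth", "backup-07", 0),
    ("2024-02-13T02:10:00", "jdoe", "host_auth", "fileshare-09", 0),
    ("2024-02-13T03:00:00", "jdoe", "egress", "sql-claims-03", 900_000_000),
    # A user with no baseline and ordinary volume must not fire.
    ("2024-02-13T10:00:00", "asmith", "host_auth", "hr-app-01", 0),
    ("2024-02-13T10:30:00", "asmith", "egress", "hr-app-01", 2_000_000),
]


def detect(events, baseline_end):
    """Return findings for activity at/after baseline_end (ISO timestamp)
    that departs from each user's own behaviour before that instant."""
    cutoff = datetime.fromisoformat(baseline_end)
    baseline_hosts = defaultdict(set)                         # user -> hosts
    baseline_egress = defaultdict(lambda: defaultdict(int))   # user -> day -> bytes
    new_hosts = defaultdict(lambda: defaultdict(set))         # user -> day -> hosts
    window_egress = defaultdict(lambda: defaultdict(int))     # user -> day -> bytes

    for ts, user, kind, host, nbytes in events:
        when = datetime.fromisoformat(ts)
        day = when.date().isoformat()
        if when < cutoff:
            if kind == "host_auth":
                baseline_hosts[user].add(host)
            elif kind == "egress":
                baseline_egress[user][day] += nbytes
        elif kind == "host_auth" and host not in baseline_hosts[user]:
            new_hosts[user][day].add(host)
        elif kind == "egress":
            window_egress[user][day] += nbytes

    findings = []
    for user, days in new_hosts.items():
        for day, hosts in days.items():
            if len(hosts) >= NEW_HOST_THRESHOLD:
                findings.append({"user": user, "day": day,
                                 "type": "lateral_movement",
                                 "detail": sorted(hosts)})
    for user, days in window_egress.items():
        base = baseline_egress[user]
        mean = sum(base.values()) / len(base) if base else 0.0
        for day, total in days.items():
            if total >= EGRESS_FLOOR and total >= EGRESS_MULTIPLIER * mean:
                findings.append({"user": user, "day": day,
                                 "type": "egress_spike",
                                 "detail": {"bytes": total,
                                            "baseline_mean": int(mean)}})
    return sorted(findings, key=lambda f: (f["day"], f["user"], f["type"]))


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, "2024-02-10T00:00:00"):
        print(f"{f['day']} {f['user']:<8} {f['type']:<17} {f['detail']}")
```

Run as-is, the script reports two findings for `jdoe` on 2024-02-13 (four new hosts in one night, and an egress volume 180 times the account’s baseline mean) and nothing for `asmith`. A real deployment would feed this kind of logic from EDR or SIEM telemetry rather than a list literal, and would baseline per host and per time-of-day as well as per account; the structure is the same. Note what the detection does not need: any malware signature. The credential was valid, so the only signal is that the account stopped behaving like itself.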

Ransom payment risk. The ALPHV/BlackCat exit scam underscored a reality that security professionals have stated for years: paying a ransom does not guarantee recovery, does not guarantee data deletion, and may fund a second extortion attempt by a different group. The FBI, CISA, and HHS consistently advise against ransom payment. The Change Healthcare case illustrated exactly why.

What Small Practices Need to Take From This

The Change Healthcare attack happened to a company most small practices had never heard of, in a way those practices had no direct control over. That’s precisely what makes it relevant.

You may be dependent on vendors or clearinghouses that route through infrastructure you’ve never audited. You may be storing patient data in billing systems or practice management software connected to services with unknown third-party relationships. And a breach at one of your business associates can still leave you, as the covered entity, with notification duties to your patients; a business associate agreement allocates responsibility, it doesn’t make the exposure go away.

The supply chain is the threat surface most practices aren’t thinking about. It’s also the one attackers have learned to exploit most effectively.

There are practical steps that reduce this exposure.

Know your vendors. Map every third-party service that touches patient data: billing software, clearinghouses, EHR systems, lab portals, imaging systems, referral platforms. Know who those vendors use as subcontractors and subprocessors. Require business associate agreements and review them.

Ask about MFA. Every vendor that provides remote access to systems containing patient data should require multi-factor authentication. Ask your vendors directly whether MFA is enforced on all remote-access systems. If the answer is no, that’s a risk conversation you need to have.

Maintain cash reserves or credit lines. The practices that survived the Change Healthcare outage with minimal long-term damage had one thing the ones that nearly closed didn’t: a financial buffer that gave them time to wait for systems to come back online. This isn’t purely a security recommendation. It’s a business continuity recommendation.

Have an incident response plan. Most small practices have no documented plan for what to do if a critical vendor goes down. That plan should include: alternative claim submission pathways, patient communication protocols, financial contingencies, and a decision tree for who makes what calls in the first 48 hours.

Don’t treat compliance as security. Being HIPAA compliant and being secure are not the same thing. The HIPAA Security Rule as it existed when Change Healthcare was breached did not require MFA. Compliance with the existing rule would not have prevented this attack. Security requires controls that go beyond current minimum compliance standards.
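The “Know your vendors” step above, the concentration-risk point earlier (a dependency that is invisible to the practices most exposed to it), and the “alternative claim submission pathways” item in the incident response plan can all be worked through on one small dependency map. The following is an added example, not code from this article or from any vendor; the vendor names and edges are constructed, and a real inventory would come from contracts, business associate agreements and each vendor’s subprocessor list. It enumerates every route a claim can take from the practice to a payer, reports the upstream vendors the practice never contracted with, finds the nodes that sit on every route (the single points of failure), and shows how adding one independent route removes them.

```python
"""Claim-submission dependency map for a hypothetical practice.

Added example, not from the article. The vendor names and edges are
constructed; a real inventory comes from contracts, BAAs and vendor
subprocessor lists.
"""

# Constructed graph: each key depends on every entry in its list.
# "change-healthcare" is a node in a made-up map, standing in for
# whichever clearinghouse your real vendors happen to route through.
DEPENDENCIES = {
    "practice": ["billing-app", "ehr"],    # the two contracts the practice signed
    "billing-app": ["clearinghouse-a"],
    "ehr": ["clearinghouse-b"],
    "clearinghouse-a": ["change-healthcare"],
    "clearinghouse-b": ["change-healthcare"],
    "change-healthcare": ["payers"],
    "payers": [],                          # sink: claim accepted by a payer
}


def all_paths(graph, src, dst, _visited=()):
    """Enumerate simple paths from src to dst, depth-first."""
    if src == dst:
        return [[dst]]
    paths = []
    for nxt in graph.get(src, []):
        if nxt not in _visited:
            for rest in all_paths(graph, nxt, dst, _visited + (src,)):
                paths.append([src] + rest)
    return paths


def transitive_dependencies(graph, src):
    """Everything reachable from src, including vendors it never contracted with."""
    seen, stack = set(), list(graph.get(src, []))
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, []))
    return seen


def hidden_dependencies(graph, src, sink):
    """Reachable nodes that are neither a direct contract nor the sink."""
    direct = set(graph.get(src, []))
    return sorted(transitive_dependencies(graph, src) - direct - {sink})


def single_points_of_failure(graph, src, dst):
    """Nodes present on every src->dst path: if one goes down, every path does."""
    paths = all_paths(graph, src, dst)
    if not paths:
        return set()
    return set.intersection(*(set(p) for p in paths)) - {src, dst}


def with_alternate_route(graph, src, via, dst):
    """Copy of graph with an extra src->via->dst path (e.g. a direct payer portal)."""
    g = {k: list(v) for k, v in graph.items()}
    g.setdefault(src, []).append(via)
    g.setdefault(via, []).append(dst)
    return g


if __name__ == "__main__":
    print("direct contracts :", DEPENDENCIES["practice"])
    print("hidden upstream  :", hidden_dependencies(DEPENDENCIES, "practice", "payers"))
    for p in all_paths(DEPENDENCIES, "practice", "payers"):
        print("route            :", " -> ".join(p))
    print("single points of failure:",
          single_points_of_failure(DEPENDENCIES, "practice", "payers"))
    alt = with_alternate_route(DEPENDENCIES, "practice", "payer-portal", "payers")
    print("after adding a direct payer portal:",
          single_points_of_failure(alt, "practice", "payers"))
```

On the constructed map the practice signed two contracts, sees three upstream vendors it never chose, and has exactly one node common to both claim routes. Adding a single independent route (here a hypothetical direct payer portal) empties the single-point-of-failure set, which is the concrete meaning of “alternative claim submission pathways” in a continuity plan. The same walk is where the MFA question belongs: every node on the list is a vendor to ask whether multi-factor authentication is enforced on its remote access.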

What WheelHouse IT Does About Supply Chain Risk

When we onboard a healthcare client, we don’t just look at the devices in the office and the network at the front desk. We look at the full technology stack: every vendor relationship that involves patient data, every remote-access connection into the environment, every business associate with a data pathway into the practice.

We require MFA across all remote-access systems and enforce it at the infrastructure level, not just as a policy. We deploy behavioral endpoint detection through CrowdStrike EDR and Huntress, the tools that catch the kind of anomalous lateral movement that went undetected for nine days inside Change Healthcare. We monitor continuously through an internal SOC, not a third-party outsourced service.

For healthcare clients specifically, our HIPAA-certified staff bring compliance review into the same workflow as technical management. When a vendor relationship creates a business associate obligation, we help ensure the documentation and the technical controls match each other.

We also help practices build practical incident response plans. Not theoretical documents. Playbooks with specific steps, specific contacts, and specific decision trees for the scenarios most likely to affect a practice our clients’ size.

The Change Healthcare attack was unusual in its scale. The vulnerabilities it exploited were entirely ordinary. The practices best positioned to survive the next one are the ones that have already closed those vulnerabilities — not the ones waiting to respond after the fact.

If you want to understand what your current exposure looks like, we offer a no-commitment network risk assessment. It starts with the questions most practices haven’t thought to ask.

The Takeaway

Change Healthcare is a case study in how the healthcare sector’s interconnected infrastructure creates systemic vulnerabilities that no individual organization can fully control. But it’s also a case study in how basic, well-understood controls — multi-factor authentication, behavioral detection, rapid access revocation, and tested incident response — could have dramatically changed the outcome.

The 192.7 million patients whose data was exposed didn’t have a relationship with Change Healthcare. Neither, in many cases, did the practices whose billing was disrupted. Supply chain exposure is invisible until it isn’t. The only antidote is understanding your dependencies before an attack reveals them for you.

WheelHouse IT is a managed IT services provider serving healthcare, legal, financial services, and professional services organizations across South Florida, New York, and Los Angeles. Learn more at wheelhouseit.com.
