Ransomware · critical

Change Healthcare: Ransomware Cripples US Medical Billing for Months

The ALPHV/BlackCat ransomware attack on Change Healthcare, which processes roughly one in three US patient records, disrupted prescription processing, insurance claims, and hospital payments nationwide for weeks, with some services offline for months.

Change Healthcare / UnitedHealth · 2024

Attack Chain

  1. Initial access with compromised Citrix remote-access credentials
  2. No MFA on the Citrix portal
  3. Nine days of reconnaissance inside the network
  4. Network encrypted; patient data exfiltrated
  5. $22M ransom paid

Background

Change Healthcare, a subsidiary of UnitedHealth Group, is the largest healthcare payment processing company in the United States, handling over 15 billion transactions annually covering approximately 37% of US patient records. It connects pharmacies, hospitals, and insurance companies.

The Attack

ALPHV/BlackCat attackers gained access to Change Healthcare's systems using compromised credentials for a Citrix remote-access portal that did not have multi-factor authentication enabled, so a stolen password alone was enough to get in. The attackers spent nine days in the network conducting reconnaissance before deploying ransomware on February 21, 2024. The encryption, together with the shutdown UnitedHealth imposed to contain it, immediately disrupted prescription processing at pharmacies, insurance prior authorisation submissions, and hospital payment processing nationwide.
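The gap the attackers used is visible in authentication logs if anyone looks: a remote-access session that was granted on a password alone, with no second factor ever completed. The script below is an added example, not code from this write-up and not a description of Change Healthcare's or Citrix's actual logging. It assumes a constructed JSON-lines log in which primary authentication, the MFA challenge and session establishment are separate events sharing a session ID, and it flags every session whose primary auth succeeded without a successful MFA event following within a short window.

```python
"""Audit remote-access auth logs for sessions completed without a second factor.

Added example. The log format is an assumption: one JSON object per line with
the fields shown in SAMPLE_LOG. Real Citrix Gateway or VPN logs need their own
parser that emits the same event shape (ts, session, user, src, stage, result).
"""
import json
from datetime import datetime, timedelta
from typing import Iterable

# Constructed sample log. sess-1 completes MFA; sess-2 fails the password and
# must not be reported; sess-3 is granted on a password alone (the failure mode
# described in the incident); sess-4 passes the password but fails MFA.
SAMPLE_LOG = """\
{"ts":"2024-02-12T03:14:05Z","session":"sess-1","user":"jdoe","src":"203.0.113.10","stage":"primary","result":"success"}
{"ts":"2024-02-12T03:14:09Z","session":"sess-1","user":"jdoe","src":"203.0.113.10","stage":"mfa","result":"success"}
{"ts":"2024-02-12T03:15:40Z","session":"sess-2","user":"asmith","src":"198.51.100.7","stage":"primary","result":"failure"}
{"ts":"2024-02-12T03:20:00Z","session":"sess-3","user":"svc_billing","src":"198.51.100.22","stage":"primary","result":"success"}
{"ts":"2024-02-12T03:20:01Z","session":"sess-3","user":"svc_billing","src":"198.51.100.22","stage":"session","result":"established"}
{"ts":"2024-02-12T03:30:00Z","session":"sess-4","user":"bwu","src":"203.0.113.55","stage":"primary","result":"success"}
{"ts":"2024-02-12T03:30:04Z","session":"sess-4","user":"bwu","src":"203.0.113.55","stage":"mfa","result":"failure"}
"""

# How long after a successful primary auth we expect the MFA step to complete.
MFA_WINDOW = timedelta(seconds=90)


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines auth events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def sessions_without_mfa(events: Iterable[dict]) -> list[dict]:
    """Return primary-auth successes not followed, within MFA_WINDOW and in the
    same session, by a successful MFA event.

    access_granted=True means a session was established on one factor, which
    is the condition that let a stolen password alone open the door.
    """
    by_session: dict[str, list[dict]] = {}
    for ev in events:
        by_session.setdefault(ev["session"], []).append(ev)

    findings = []
    for sid, evs in by_session.items():
        primary = next(
            (e for e in evs if e["stage"] == "primary" and e["result"] == "success"),
            None,
        )
        if primary is None:
            continue  # password never succeeded; nothing to audit
        mfa_ok = any(
            e["stage"] == "mfa"
            and e["result"] == "success"
            and primary["ts"] <= e["ts"] <= primary["ts"] + MFA_WINDOW
            for e in evs
        )
        if mfa_ok:
            continue
        established = any(
            e["stage"] == "session" and e["result"] == "established" for e in evs
        )
        findings.append(
            {
                "session": sid,
                "user": primary["user"],
                "src": primary["src"],
                "ts": primary["ts"].isoformat(),
                "access_granted": established,
            }
        )
    return findings


def single_factor_logins(events: Iterable[dict]) -> list[dict]:
    """Only the findings where access was actually granted without MFA."""
    return [f for f in sessions_without_mfa(events) if f["access_granted"]]


if __name__ == "__main__":
    for finding in sessions_without_mfa(parse_events(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, the script reports sess-3 (granted on a password alone) and sess-4 (MFA failed, access not granted). A zero-finding result from `single_factor_logins` over production logs is the evidence that the MFA requirement actually holds for every portal, not just the ones the policy document lists.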

Response

UnitedHealth Group paid the $22 million ransom. ALPHV then reportedly kept the entire payment and shut down its operation, an exit scam that left the affiliate who had carried out the intrusion unpaid. The affiliate moved to RansomHub and began threatening to publish the stolen data anyway, so the payment bought no assurance that the data would be deleted. The US government deployed emergency measures, including advance payments to affected healthcare providers.

Outcome

The breach affected at least 100 million Americans, the largest healthcare data breach in US history (UnitedHealth later raised its estimate to about 190 million). The disruption cost UnitedHealth $872 million in the first quarter of 2024 alone, with total costs for the year estimated at the time to exceed $1.6 billion. The case highlighted the systemic risk created by consolidation of critical healthcare infrastructure into a handful of providers.

Key Takeaways

  1. Multi-factor authentication on remote access (VPN/Citrix) is non-negotiable — no exceptions
  2. Critical healthcare infrastructure consolidation creates systemic single-point-of-failure risk
  3. Paying ransomware guarantees nothing — ALPHV took the payment and abandoned their affiliate
  4. Healthcare systems need isolation: pharmacy processing, billing, and clinical systems should be network-separated
ALPHV · BlackCat · healthcare · Citrix · critical infrastructure