
Anatomy of a Breach: Change Healthcare — Ransomware Halts US Healthcare Payment Processing for Weeks

> series: anatomy_of_a_breach —— part: 183 —— target: change_healthcare —— transactions: 15_billion_annually —— ransom: $22,000,000 —— people: 100,000,000

Hedgehog Security 31 March 2024 15 min read

One-third of US patient records. Payment processing halted. $22 million ransom paid. 100 million people affected.

On 21 February 2024, ALPHV/BlackCat ransomware struck Change Healthcare — a subsidiary of UnitedHealth Group that acts as a critical intermediary in the US healthcare system, processing approximately 15 billion transactions annually including insurance claims, pharmacy payments, and prior authorisations. The attack forced Change Healthcare to disconnect its systems, halting payment processing across the US healthcare ecosystem for weeks.

The consequences cascaded immediately: pharmacies could not process insurance claims for prescriptions, healthcare providers could not submit claims or receive payments, patients faced delays in accessing medications, and smaller healthcare practices, dependent on timely claim payments for cash flow, faced financial crisis. UnitedHealth paid a $22 million ransom in Bitcoin. The breach ultimately affected approximately 100 million individuals, making it the largest healthcare data breach in US history, surpassing Anthem's 78.8 million (2015). Initial access came on 12 February, nine days before the ransomware was deployed, through a Citrix remote access portal that accepted compromised credentials because it had no MFA.

When one company processes one-third of a nation's health transactions.

Systemic Healthcare Risk
Change Healthcare's role as a critical intermediary meant that a single ransomware attack disrupted healthcare payments for the entire United States. The concentration of healthcare transaction processing in one company created systemic risk — the same pattern seen when <a href="/blog/anatomy-of-a-breach-nhs-advanced-lastpass">NHS Advanced's</a> ransomware disrupted NHS 111. For UK <a href="/blog/sector-under-the-microscope-healthcare">healthcare organisations</a>, the lesson is about vendor concentration risk in critical operational systems.
No MFA on Citrix Remote Access
The initial compromise was a credential-based login to a Citrix remote access portal without MFA. It is the same exposed-remote-access pattern seen at <a href="/blog/anatomy-of-a-breach-colonial-pipeline">Colonial Pipeline</a> (VPN, no MFA, 2021), <a href="/blog/anatomy-of-a-breach-dusseldorf-hospital">Düsseldorf Hospital</a> (unpatched Citrix ADC, 2020) and <a href="/blog/anatomy-of-a-breach-icbc-lockbit">ICBC</a> (Citrix Bleed, 2023), with one caveat: in the latter two a Citrix vulnerability opened the door, and Citrix Bleed in particular stole session tokens that had already passed authentication, so MFA alone is not the whole fix where the gateway itself is unpatched. At Change Healthcare the door was simply a password. <a href="/cyber-essentials">Cyber Essentials Danzell</a> mandates MFA on all remote access, the one control that would have stopped those stolen credentials from working.
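As an added example (not Hedgehog Security's code, and not anything from Change Healthcare's environment), the Python below shows the kind of check a SOC would run over remote-access gateway logs to catch the two things this pattern depends on: a successful login that used only a password, and a login from a source the account has never used before. The log format, field names, accounts, addresses and baseline networks are all constructed for the example; a real Citrix Gateway or VPN concentrator syslog format will differ and the parser would need adapting.

```python
"""Flag single-factor and out-of-baseline logins in remote-access gateway logs.

Constructed example: the key=value log format, account names, addresses and
baseline networks are assumptions, not any vendor's real format or real data.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log: one line per authentication attempt.
SAMPLE_LOG = """\
2024-02-12T03:14:07Z gateway=gw-01 event=login result=success user=j.smith src=203.0.113.45 factors=password
2024-02-12T08:02:11Z gateway=gw-01 event=login result=success user=a.jones src=198.51.100.20 factors=password,totp
2024-02-12T08:05:40Z gateway=gw-01 event=login result=failure user=a.jones src=198.51.100.20 factors=password
2024-02-12T09:30:02Z gateway=gw-01 event=login result=success user=j.smith src=10.20.30.40 factors=password,push
2024-02-12T10:12:33Z gateway=gw-02 event=login result=success user=a.jones src=203.0.113.9 factors=password,totp
2024-02-12T11:45:19Z gateway=gw-02 event=login result=success user=svc-backup src=203.0.113.200 factors=password
"""

# Constructed baseline: networks each account has historically connected from.
# An account with no entry (svc-backup here) has no baseline at all.
KNOWN_SOURCES = {
    "j.smith": [ip_network("10.20.0.0/16")],
    "a.jones": [ip_network("198.51.100.0/24")],
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, rest = line.split(" ", 1)
    ev = dict(KV_RE.findall(rest))
    ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    ev["factors"] = frozenset(f for f in ev.get("factors", "").split(",") if f)
    return ev


def successful_logins(log_text):
    """Yield only successful login events; failures are not what we hunt here."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("event") == "login" and ev.get("result") == "success":
            yield ev


def find_alerts(log_text, known_sources):
    """Return one alert per successful login that is single-factor, from an
    unknown source, or both. Both together is rated high: that is exactly the
    shape of a stolen password used on a gateway with no second factor."""
    alerts = []
    for ev in successful_logins(log_text):
        user, src = ev["user"], ip_address(ev["src"])
        single_factor = ev["factors"] <= {"password"}
        baseline = known_sources.get(user, [])
        new_source = not any(src in net for net in baseline)
        reasons = []
        if single_factor:
            reasons.append("no second factor")
        if new_source:
            reasons.append("source outside account baseline")
        if reasons:
            alerts.append({
                "ts": ev["ts"].isoformat(),
                "gateway": ev.get("gateway", "?"),
                "user": user,
                "src": str(src),
                "severity": "high" if len(reasons) == 2 else "medium",
                "reasons": reasons,
            })
    return alerts


def accounts_without_mfa(log_text):
    """Accounts that got through the gateway on a password alone. Each one is
    a place where MFA is not actually enforced, whatever the policy says."""
    return sorted({ev["user"] for ev in successful_logins(log_text)
                   if ev["factors"] <= {"password"}})


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG, KNOWN_SOURCES):
        print(a["severity"], a["ts"], a["gateway"], a["user"], a["src"],
              "; ".join(a["reasons"]))
    print("password-only logins seen for:", accounts_without_mfa(SAMPLE_LOG))
```

The two high-severity hits in the sample are the ones that matter: a user account and a service account both authenticated with a password only from an address neither had ever used. The `accounts_without_mfa` list is the cheaper, policy-level check; if a remote-access portal ever logs a successful password-only login, MFA is not enforced on it, and that gap should be closed rather than merely monitored.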
$22 Million Ransom Paid
UnitedHealth paid $22 million — one of the largest confirmed ransomware payments. The payment was made to ALPHV/BlackCat, which subsequently performed an 'exit scam' — taking the money and shutting down operations, leaving the affiliate who conducted the attack unpaid. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides ransom decision guidance.
Prescriptions Delayed
Pharmacies could not process insurance claims — meaning patients faced delays or had to pay full price for essential medications. Ransomware against healthcare infrastructure directly threatens patient access to care. <a href="https://www.socinabox.co.uk/sectors/gp-surgeries">SOC in a Box for Healthcare</a> provides the monitoring that detects ransomware before it disrupts patient services.

MFA on remote access. The control that keeps preventing the largest breaches in history.

The Change Healthcare breach — the largest healthcare breach in US history, affecting 100 million people — was preventable with MFA on a single Citrix portal. Cyber Essentials Danzell mandates MFA on all remote access. Our vulnerability scanning identifies remote access portals without MFA. Infrastructure testing validates remote access security. SOC in a Box monitors for anomalous remote access. And UK Cyber Defence provides the incident response capability when healthcare systems are targeted.


100 million records. $22M ransom. No MFA on Citrix. Is your remote access protected?

<a href="/cyber-essentials">Cyber Essentials</a> mandates MFA on remote access. <a href="/vulnerability-scanning">Vulnerability scanning</a> identifies unprotected portals. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors access.