
Change Healthcare Ransomware Attack: A Detailed Timeline

January 27, 2025

Change Healthcare Data Breach: A Timeline of Events

A significant ransomware incident targeting Change Healthcare, a health technology company owned by UnitedHealth, occurred in February 2024.

This attack has now been identified as the most extensive breach of health and medical data ever recorded in the United States.

Scale of the Data Compromise

Change Healthcare disclosed in January 2025 that the data breach impacts roughly 190 million individuals across America.

This figure represents nearly twice the initial estimations provided by the company regarding the scope of the incident.

Notification Process

Millions of affected individuals have been directly informed via mail regarding the compromise of their personal and health information by malicious actors.

Additionally, a public notice was released to reach anyone whose contact details were unavailable for direct notification.

Change Healthcare’s Role in the U.S. Healthcare System

Change Healthcare is a critical component of the U.S. healthcare infrastructure, managing billing and insurance processes for a vast network of providers.

This includes hundreds of thousands of hospitals, pharmacies, and medical practices nationwide.

Consequently, the company maintains extensive repositories of highly confidential patient medical data.

Growth and Data Handling Capacity

Through a series of mergers and acquisitions, Change Healthcare has evolved into one of the largest processors of health data in the U.S.

It is estimated that the company handles as much as 50% of all healthcare transactions within the country.

Ongoing Developments

The following details outline the key events that have transpired since the initial ransomware attack.

Further updates will be provided as the situation evolves.

February 21, 2024

Initial Outage Reports Coincide with Security Breach

What began as a typical Wednesday afternoon quickly deviated from the norm. A sudden disruption occurred, with billing systems at numerous doctors' offices and healthcare facilities ceasing operation. Simultaneously, the processing of insurance claims was halted.

Change Healthcare’s website status page became overwhelmed with notifications detailing outages impacting all facets of its operations. Later that day, the company acknowledged a “network interruption” stemming from a cyber security issue.

Investigations revealed that Change Healthcare had responded by shutting down its entire network to contain the intruders it had detected. This action resulted in immediate and extensive outages throughout the healthcare industry.

A significant portion of the United States relies on a limited number of companies, including Change Healthcare, for managing healthcare insurance and billing claims. The initial breach is believed to have occurred approximately a week prior, around February 12.

Impact of the Network Shutdown

The shutdown of Change Healthcare’s network had far-reaching consequences. Healthcare providers were unable to verify insurance eligibility or submit claims, leading to significant disruptions in patient care and revenue cycles.

Pharmacies also experienced difficulties processing prescriptions, as they rely on Change Healthcare for real-time benefit checks. This created challenges for patients needing essential medications.

The incident highlighted the critical dependence of the U.S. healthcare system on a few key infrastructure providers. A compromise of one of these providers can have cascading effects across the entire sector.

Ongoing Investigation and Response

Federal authorities, including the Cybersecurity and Infrastructure Security Agency (CISA), are actively investigating the incident. The focus is on determining the scope of the breach, identifying the attackers, and restoring services.

Change Healthcare is working to restore its systems and implement enhanced security measures to prevent future attacks. However, the timeline for full recovery remains uncertain.

This event serves as a stark reminder of the growing threat of cyberattacks targeting critical infrastructure. It underscores the need for robust cybersecurity practices and proactive threat detection.

February 29, 2024

UnitedHealth Acknowledges Ransomware Attack

Initially, UnitedHealth misidentified the source of the cyberattack, suggesting involvement from state-sponsored actors. However, on February 29th, the company confirmed the intrusion was perpetrated by a ransomware gang. A spokesperson communicated to TechCrunch that the group identified itself as ALPHV/BlackCat.

Confirmation came alongside a claim of responsibility from a dark web leak site linked to the ALPHV/BlackCat gang. This site asserted the theft of sensitive health and patient data belonging to millions of Americans, providing the first insight into the scale of the incident.

Understanding the ALPHV/BlackCat Group

ALPHV, also known as BlackCat, operates as a ransomware-as-a-service (RaaS) organization with ties to Russian-speaking cybercriminals. Affiliates, functioning as independent contractors, infiltrate target networks.

These affiliates then deploy malware created by the core ALPHV/BlackCat leadership. The gang subsequently receives a percentage of the ransom payments extracted from victims seeking decryption of their compromised files.

Shift in Attack Assessment

Identifying a ransomware gang as the perpetrator significantly altered the understanding of the attack. The initial assumption of nation-state hacking, often driven by geopolitical motives, gave way to a scenario involving financially motivated cybercriminals.

This distinction matters because financially motivated actors operate differently from government-backed hackers: their primary objective is monetary profit, which shapes both their tactics and their approach to negotiation.

March 3-5, 2024

UnitedHealth Ransom Payment and Subsequent Disappearance of Hackers

Early in March, the ALPHV ransomware group abruptly ceased operations. Their dark web leak site, previously used to claim responsibility for a significant cyberattack, was replaced by a notice indicating a seizure by law enforcement agencies in both the United Kingdom and the United States.

However, both the FBI and U.K. authorities refuted claims of dismantling the ransomware operation, stating that previous attempts to do so had occurred months prior. Evidence strongly suggested that ALPHV absconded with the collected ransom funds, executing what is known as an “exit scam.”

An affiliate of ALPHV, responsible for the intrusion into Change Healthcare, publicly alleged that the group’s leadership misappropriated $22 million received as a ransom payment.

As evidence, a link to a specific bitcoin transaction dated March 3 was provided. Despite not receiving their agreed-upon portion of the ransom, the affiliate confirmed that the compromised data remains in their possession.

UnitedHealth ultimately paid a ransom to the attackers, who subsequently vanished, leaving the stolen data accessible.

March 13, 2024

Extensive Disruption to U.S. Healthcare Systems Following Data Breach Concerns

Several weeks following the initial cyberattack, significant operational issues persisted. Many individuals experienced difficulties obtaining necessary prescriptions, and were often required to make immediate cash payments.

TriCare, the health insurance program for military personnel, reported that all of its pharmacies globally were impacted by the incident.

The American Medical Association expressed concern over the limited information being provided by UnitedHealth and Change Healthcare regarding the continuing disruptions. These outages were causing widespread and escalating problems throughout the healthcare industry.

As of March 13th, Change Healthcare had obtained a secure version of the compromised data. A ransom of $22 million had been paid to acquire this copy.

This acquisition enabled Change Healthcare to initiate a thorough review of the dataset. The goal was to identify the specific individuals whose data was exposed during the cyberattack and to begin the notification process.

March 28, 2024

Increased Reward Offered for Information on ALPHV/BlackCat Leaders

By the end of March, the U.S. government had announced a substantial increase in the reward offered for information concerning the core leadership of the ALPHV/BlackCat ransomware group and its associated actors.

A $10 million bounty is now available to anyone providing information that leads to the identification or location of those responsible for the group’s operations. This action suggests an attempt to incentivize insiders to cooperate with authorities.

The escalated reward also reflects the U.S. government’s growing concern regarding the potential exposure of sensitive health information belonging to a large number of American citizens.

This development underscores the seriousness with which the threat posed by ALPHV/BlackCat is being taken at the federal level.

Details of the Bounty Program

The reward is intended to encourage individuals with knowledge of the ransomware group’s activities to come forward. It aims to disrupt the organization’s ability to carry out future attacks.

Specifically, the U.S. seeks information regarding the identities and whereabouts of key figures within ALPHV/BlackCat. This includes those involved in the development, deployment, and management of the ransomware.

The increased financial incentive is a clear signal of the government’s commitment to combating cybercrime and protecting critical infrastructure.

  • Target: Key leaders and affiliates of ALPHV/BlackCat.
  • Reward: Up to $10 million.
  • Goal: Identification and location of individuals involved in ransomware activities.

The U.S. government believes that this initiative will prove instrumental in dismantling the ALPHV/BlackCat operation and mitigating the risks it poses.

April 15, 2024

New Ransom Group Emerges, Releases Stolen Healthcare Data

The landscape of ransomware operations has shifted, now featuring two distinct groups. Following a dispute, a former affiliate established a new extortion operation named RansomHub. This new entity retained data previously compromised from Change Healthcare and subsequently issued a further ransom demand to UnitedHealth.

To substantiate their threat, RansomHub released a segment of the pilfered files. These contained what appeared to be confidential and personally identifiable patient information.

Modern ransomware attacks involve not only file encryption but also extensive data theft. The stolen data is then used as leverage, with the attackers threatening to publish it unless the ransom is paid, a tactic known as “double extortion.”

In certain instances, even after an initial ransom is paid, the attackers may attempt further extortion. This can involve demanding additional payments or targeting the victim’s clientele, escalating the situation to “triple extortion.”

Given UnitedHealth’s willingness to negotiate a ransom, the possibility of repeated extortion attempts loomed. This situation underscores law enforcement’s consistent recommendation against paying ransoms, as doing so incentivizes and funds further criminal cyber activity.

April 22, 2024

UnitedHealth Reports Ransomware Attack Resulted in Extensive Health Data Theft

On April 22nd, UnitedHealth publicly acknowledged a significant data breach stemming from the recent ransomware attack. This confirmation arrived over two months following the initial incident. The company stated the breach likely impacts a “substantial proportion of the American population,” though the precise number of individuals affected remains undisclosed.

UnitedHealth also revealed that a ransom was paid in an attempt to recover the compromised data. However, the total amount of ransom payments made was not specified.

The compromised data is described as highly sensitive in nature. It encompasses a wide range of personal health information, including medical records, diagnoses, and medication details.

Specifically, stolen data includes test results, imaging scans, and comprehensive care plans. Other personal identifying information was also reportedly accessed by the attackers.

Change Healthcare, a subsidiary of UnitedHealth, processes data for approximately half of the U.S. population. Consequently, the data breach is estimated to potentially affect over 100 million individuals.

A UnitedHealth spokesperson, contacted by TechCrunch, did not refute this estimated figure. They indicated that a thorough review of the impacted data is still in progress.

May 1, 2024

UnitedHealth Group CEO Confirms Change Healthcare Lacked Fundamental Cybersecurity Measures

It is not unexpected that the head of a company experiencing a major data security incident would be required to appear before legislators.

Andrew Witty, CEO of UnitedHealth Group (UHG), testified on Capitol Hill, acknowledging that the intrusion into Change Healthcare’s network occurred through a compromised user account. This account utilized a static password and lacked the protection of multi-factor authentication (MFA).

MFA is a foundational security control: it blunts attacks that reuse a stolen or leaked password by requiring a second factor, typically a one-time verification code delivered to or generated on the user’s mobile device.
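To make the mechanism concrete, the following is an added example (not code from the article or from Change Healthcare) of how a time-based one-time code (TOTP, RFC 6238) gates a login alongside a static password. The usernames, passwords and the two-account user store are constructed for the demo; the shared seed is the RFC 6238 test-vector seed, so the codes it produces can be checked against the RFC.

```python
"""Added example: a TOTP (RFC 6238) second factor gating a password login.

Shows why a correct but stolen static password is enough to enter an account
with no second factor enrolled, and not enough once one is. Every secret,
username and password below is constructed for the demo.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

TIME_STEP = 30   # seconds per TOTP window
DIGITS = 6

# Constructed demo seed (the RFC 6238 test-vector seed), shared between the
# server and the user's authenticator app at enrolment time.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(seed, unix_time // TIME_STEP)


def verify_totp(seed: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock drift), comparing in constant time."""
    counter = unix_time // TIME_STEP
    return any(
        hmac.compare_digest(hotp(seed, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, totp_seed: Optional[bytes]) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_seed": totp_seed}


# Constructed user store: one account protected by a static password only (the
# configuration described in the testimony) and one with a TOTP seed enrolled.
USERS = {
    "support-rep": make_user("Winter2024!", None),
    "support-rep-mfa": make_user("Winter2024!", DEMO_SEED),
}


def login(username: str, password: str, code: Optional[str], unix_time: int,
          users: dict = USERS) -> Tuple[bool, str]:
    """Return (allowed, reason). A correct password only clears the first factor."""
    user = users.get(username)
    if user is None or not hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"])):
        return False, "bad credentials"
    if user["totp_seed"] is None:
        return True, "password only: no second factor enrolled"
    if code is None or not verify_totp(user["totp_seed"], code, unix_time):
        return False, "second factor missing or wrong"
    return True, "password and TOTP verified"


if __name__ == "__main__":
    now = 1111111109          # fixed RFC 6238 sample time so the run is reproducible
    pw = "Winter2024!"        # the same static password, as if it had leaked
    print(login("support-rep", pw, None, now))
    print(login("support-rep-mfa", pw, None, now))
    print(login("support-rep-mfa", pw, totp(DEMO_SEED, now), now))
```

The `window` argument accepts the adjacent 30-second codes so that a slightly drifted phone clock does not lock the user out; widening it further trades that convenience against the number of codes an attacker could guess at, so it is normally kept at one step.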

The core takeaway from Witty’s testimony was that this significant data breach was, in essence, avoidable.

He indicated that the breach is projected to affect approximately one-third of the U.S. population. This aligns with prior company assessments regarding the number of individuals whose healthcare claims are processed by Change Healthcare.

The scale of the breach positions it as one of the most substantial data compromises in the history of the United States.

June 20, 2024

UHG Initiates Data Breach Notifications to Impacted Healthcare Entities

Change Healthcare commenced the process of formally informing hospitals and medical providers regarding the compromised data on June 20th. This notification process fulfills legal obligations under the Health Insurance Portability and Accountability Act (HIPAA). The delay in notification was likely attributable to the extensive volume of data involved in the breach.

A public notice detailing the data breach was released by the company. It outlined the commencement of notifications to individuals identified within a secured copy of the stolen data. However, Change Healthcare acknowledged an inability to definitively ascertain the specific data compromised for each individual, indicating potential variations in the affected information.

The company stated it is publishing the notice on its website due to potential deficiencies in available contact addresses for all affected parties.

Given the scale and intricacy of the incident, the U.S. Department of Health and Human Services intervened. They authorized affected healthcare providers to request UnitedHealth Group to handle patient notifications on their behalf.

This measure aims to alleviate the financial strain on smaller providers who have been negatively impacted by the continuing service disruption.

July 29, 2024

Notifications Commence for Individuals Impacted by Change Healthcare Data Breach

Change Healthcare, a leading health technology company, confirmed in late June that it would systematically notify individuals whose healthcare data was compromised during the ransomware incident. The notification process began in late July.

Individuals affected by the breach will likely receive correspondence directly from Change Healthcare, or potentially from the specific healthcare provider impacted by the attack. These letters detail the types of data that were accessed, encompassing medical records, health insurance details, and claims/payment information.

The compromised claims and payment data includes sensitive financial and banking details, as previously stated by Change Healthcare.

A UnitedHealth representative informed TechCrunch that the comprehensive data review is nearing completion, currently in its “final stages.”

Key data categories affected include:

  • Medical data
  • Health insurance information
  • Claims and payment information
  • Financial and banking information

The ongoing investigation aims to fully ascertain the scope of the data breach and ensure appropriate measures are taken to protect affected individuals.

Further Steps for Affected Individuals

Individuals receiving notifications are advised to carefully review the provided information.

It is recommended to monitor financial accounts for any unauthorized activity and consider placing a fraud alert with credit bureaus.

Change Healthcare and UnitedHealth are expected to provide resources and support to assist individuals in mitigating potential risks associated with the data breach.

October 24, 2024

UnitedHealth Reports Data Breach Impacting Over 100 Million

The health insurance leader, UnitedHealth, has disclosed that at least 100 million people are impacted by a significant data security incident. This announcement comes over eight months after the breach was initially detected. Notifications regarding the breach continue to be sent to individuals, with some received as recently as October.

The U.S. Department of Health and Human Services updated its data breach portal on October 24, reflecting the increased scope of the incident.

Currently, the breach at Change Healthcare represents the most extensive theft of U.S. medical records in a digital format. It also ranks among the largest data breaches recorded to date.

Impacted individuals should remain vigilant and monitor their accounts for any signs of fraudulent activity.

Details of the Breach

The incident centers around a cyberattack targeting Change Healthcare, a subsidiary of UnitedHealth Group. This attack disrupted claims processing and payment systems across the United States.

Investigations are ongoing to determine the full extent of the compromised data. However, it is believed to include personally identifiable information (PII), as well as medical and financial data.

Change Healthcare is working to restore systems and enhance security measures to prevent future incidents.

What Individuals Should Do

  • Monitor Accounts: Regularly review bank statements and credit reports for unauthorized transactions.
  • Report Suspicious Activity: Immediately report any suspected fraud to financial institutions and relevant authorities.
  • Be Aware of Phishing: Exercise caution with unsolicited emails or phone calls requesting personal information.

Further updates and guidance will be provided by UnitedHealth and relevant government agencies as the investigation progresses.

December 16, 2024

Further Information Regarding the Change Healthcare Cyberattack Surfaces in Nebraska Legal Action

A lawsuit brought forth by the state of Nebraska against Change Healthcare in December alleges security deficiencies that precipitated a substantial data breach impacting at least 100 million individuals across the United States. The state’s filing revealed new specifics concerning the cyberattack.

Specifically, the ALPHV hacking group gained initial access utilizing compromised credentials – the username and password – belonging to a customer support representative with limited privileges. Crucially, this account lacked the protection of multi-factor authentication.

The complaint further asserts that Change Healthcare’s IT infrastructure suffered from inadequate network segmentation. This allowed the attackers to move laterally throughout the system after breaching the initial firewall.

UnitedHealth Group, the parent company of Change Healthcare, communicated to TechCrunch that the process of notifying impacted individuals remains in its concluding phases. This mirrors a statement provided in July.

This suggests the ultimate number of Americans affected by the data compromise will likely exceed the currently reported figure of 100 million.

Key Allegations from the Nebraska Lawsuit:

  • Initial access was gained through stolen credentials.
  • The compromised account lacked multi-factor authentication.
  • Poor IT system segmentation facilitated lateral movement by the attackers.
  • The full extent of the data breach is still being determined.

Change Healthcare is facing scrutiny over its security practices following this significant incident. The lawsuit highlights the importance of robust cybersecurity measures, including multi-factor authentication and network segmentation.
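The two weaknesses the complaint describes, a password-only login and a flat network that let the intruders move between systems, are both visible in ordinary authentication and network-flow logs if someone looks. The following is an added example (not from the article, the lawsuit, or Change Healthcare) of a small audit that checks constructed log lines against a constructed segmentation policy: it lists successful logins that completed without a second factor, lists connections that cross zone boundaries the policy does not allow, and ties the two together by host. The zones, IP ranges, usernames and log format are all assumptions made for the demo.

```python
"""Added example: auditing constructed logs for password-only logins and
cross-zone traffic that a segmentation policy forbids, then correlating the two.
Zones, addresses, usernames and the JSON-lines format are constructed for the demo.
"""
import ipaddress
import json
from typing import Dict, List, Tuple

# Constructed network zones (RFC 1918 ranges chosen for the demo).
ZONES = {
    "remote-access-gateway": ipaddress.ip_network("10.10.0.0/24"),
    "support-desktops": ipaddress.ip_network("10.20.0.0/24"),
    "claims-processing": ipaddress.ip_network("10.30.0.0/24"),
    "directory-services": ipaddress.ip_network("10.40.0.0/24"),
}
# Constructed policy: which zone may initiate connections to which.
# Traffic within a single zone is implicitly allowed.
ALLOWED_FLOWS = {
    ("remote-access-gateway", "support-desktops"),
    ("support-desktops", "directory-services"),
}

# Constructed authentication events (JSON lines), timestamps in UTC.
AUTH_LOG = """
{"ts": "2024-02-12T09:02:11Z", "event": "login", "user": "cs-rep-17", "src": "203.0.113.42", "dst": "10.10.0.5", "mfa": false, "result": "success"}
{"ts": "2024-02-12T09:03:40Z", "event": "login", "user": "a.smith", "src": "198.51.100.8", "dst": "10.10.0.5", "mfa": true, "result": "success"}
{"ts": "2024-02-12T09:05:02Z", "event": "login", "user": "cs-rep-17", "src": "10.10.0.5", "dst": "10.20.0.31", "mfa": false, "result": "success"}
{"ts": "2024-02-12T09:09:55Z", "event": "login", "user": "j.doe", "src": "10.10.0.5", "dst": "10.20.0.40", "mfa": false, "result": "failure"}
""".strip().splitlines()

# Constructed network-flow records (JSON lines).
FLOW_LOG = """
{"ts": "2024-02-12T09:06:10Z", "src": "10.20.0.31", "dst": "10.40.0.10", "dport": 389}
{"ts": "2024-02-12T09:07:30Z", "src": "10.20.0.31", "dst": "10.30.0.12", "dport": 445}
{"ts": "2024-02-12T09:08:02Z", "src": "10.20.0.31", "dst": "10.30.0.13", "dport": 3389}
{"ts": "2024-02-12T09:10:00Z", "src": "10.20.0.40", "dst": "10.20.0.41", "dport": 445}
""".strip().splitlines()


def zone_of(ip: str) -> str:
    """Name the zone an address belongs to; anything outside the known ranges is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def mfa_gaps(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Successful logins completed with a password alone: (ts, user, src, dst)."""
    gaps = []
    for line in lines:
        ev = json.loads(line)
        if ev["event"] == "login" and ev["result"] == "success" and not ev["mfa"]:
            gaps.append((ev["ts"], ev["user"], ev["src"], ev["dst"]))
    return gaps


def segmentation_violations(lines: List[str]) -> List[Tuple[str, str, str, int, str, str]]:
    """Flows between two different zones that the policy does not allow."""
    bad = []
    for line in lines:
        f = json.loads(line)
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED_FLOWS:
            bad.append((f["ts"], f["src"], f["dst"], f["dport"], src_zone, dst_zone))
    return bad


def correlate(auth_lines: List[str], flow_lines: List[str]) -> Dict[str, List[str]]:
    """For each password-only session, list forbidden cross-zone flows that the host it
    landed on initiated after that login. ISO-8601 UTC timestamps compare as strings."""
    sessions = {}  # host -> list of (login ts, user)
    for ts, user, _src, dst in mfa_gaps(auth_lines):
        sessions.setdefault(dst, []).append((ts, user))
    findings: Dict[str, List[str]] = {}
    for ts, src, dst, dport, src_zone, dst_zone in segmentation_violations(flow_lines):
        for login_ts, user in sessions.get(src, []):
            if ts >= login_ts:
                findings.setdefault(user, []).append(
                    f"{ts} {src} ({src_zone}) -> {dst}:{dport} ({dst_zone})")
    return findings


if __name__ == "__main__":
    for gap in mfa_gaps(AUTH_LOG):
        print("password-only login:", gap)
    for v in segmentation_violations(FLOW_LOG):
        print("cross-zone flow outside policy:", v)
    for user, flows in correlate(AUTH_LOG, FLOW_LOG).items():
        print(f"{user}: {len(flows)} forbidden flows from a password-only session")
```

The policy table is the part worth keeping honest: if every zone is allowed to reach every other, `segmentation_violations` returns nothing and the audit is silent, which is exactly the flat-network condition the complaint describes. Running it against real flow data with a deliberately strict policy is a quick way to learn what a network actually permits before deciding what it should.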

January 24, 2025

Change Healthcare Data Breach Impacts 190 Million Americans

UnitedHealth Group has disclosed that approximately 190 million individuals across the United States were impacted by a significant data security incident. This revelation, made nearly a year following the initial cyberattack, represents over half of the nation’s population.

The healthcare insurance leader indicated its intention to formally report this revised figure to the U.S. Department of Health and Human Services, fulfilling legal obligations. Notification will occur in the near future.

The scope of the breach extends beyond those directly insured by UnitedHealthcare. This is due to the substantial volume of medical data and financial transactions that Change Healthcare processes daily throughout the U.S. healthcare infrastructure.

A vast number of individuals are affected, even without direct coverage through UnitedHealthcare, because of the company’s central role in handling healthcare information nationwide.

Details of the Incident

Change Healthcare, a subsidiary of UnitedHealth Group, experienced a cyberattack that compromised sensitive patient data. The incident disrupted various healthcare operations across the country.

The compromised information potentially includes names, dates of birth, addresses, and medical claim details. Financial information may also have been exposed in some cases.

Investigations are ongoing to fully understand the extent of the data accessed and to implement enhanced security measures. The company is working to mitigate the risks to affected individuals.

  • Approximately 190 million Americans are affected.
  • The breach impacts individuals beyond UnitedHealthcare insurance holders.
  • Change Healthcare processes billions of transactions daily.

UnitedHealth Group is committed to providing resources and support to those impacted by this data breach. Further updates will be provided as the investigation progresses.
