Impact and Response to the Change Healthcare Ransomware Attack
A ransomware attack on Change Healthcare, a major processor of health insurance claims, exposed the personal health information of over 190 million people and caused widespread disruption across the U.S. healthcare system. Hospitals and clinics were unable to process claims or receive payments, leading to severe cash-flow crises that threatened their operations. In response, the Centers for Medicare and Medicaid Services implemented the Change Healthcare/Optum Payment Disruption Accelerated and Advance Payment program, providing $3.3 billion in emergency relief, though only 11% of hospitals received funds, with rural and unaffiliated hospitals being less likely to benefit. Research from the University of Minnesota analyzed the effectiveness of this relief program and highlighted areas for improvement in future emergency funding responses.
The American Hospital Association reported that the Change Healthcare incident was the largest single healthcare data breach in recent years, accounting for the majority of the 259 million records compromised in 2024. The breach underscored the vulnerability of healthcare data, particularly when stored unencrypted and managed by business associates rather than hospitals themselves. The incident has prompted calls for improved asset inventories, better tracking of business associates, and stronger data protection measures to mitigate the risk of similar large-scale breaches in the future.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Health Affairs study finds CHOPD relief often missed hardest-hit hospitals
A University of Minnesota School of Public Health research brief published in Health Affairs found that only 11% of hospitals received CHOPD funds despite $3.3 billion being distributed, and that rural and unaffiliated hospitals were disproportionately excluded. Using FOIA-obtained data, the researchers concluded that more than 300 hospitals with significant losses received no relief, while many recipients received payments exceeding their actual Medicare revenue losses.
AHA says 33 million records were breached in 364 hacks by Oct. 3
As of October 3, 2025, the AHA reported that 33 million Americans' health records had been compromised in 364 hacking incidents. It said this was a significant decrease from the prior year's total, which had been heavily influenced by the Change Healthcare incident.
AHA reports 259 million breached records in prior year
The American Hospital Association said the previous year set a record with 259 million breached health records, driven largely by the Change Healthcare ransomware attack. The figure was cited as a benchmark for comparing 2025 healthcare breach trends.
CMS launches CHOPD emergency relief program
Following the Change Healthcare attack in 2024, CMS established the Change Healthcare/Optum Payment Disruption Accelerated and Advance Payment (CHOPD) program to provide emergency financial relief to affected hospitals. Nearly 4,400 U.S. hospitals applied for support under the program.
Change Healthcare ransomware attack disrupts claims and payments
In 2024, a ransomware attack on Change Healthcare/Optum disrupted claims submission and payment processing across the U.S. healthcare sector, creating cash-flow crises for providers. The incident also exposed personal health information of more than 190 million people.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Change Healthcare ransomware attack exposed massive patient data and disrupted U.S. care
A ransomware attack on UnitedHealth subsidiary **Change Healthcare** crippled prescription processing, billing, and claims services across the U.S., leaving pharmacies, hospitals, doctors, and therapists unable to process insurance transactions and creating severe cash-flow problems for providers. UnitedHealth disclosed the intrusion after isolating affected systems, and the **ALPHV/BlackCat** gang later claimed responsibility, saying it stole terabytes of data from the company’s environment. The outage highlighted Change Healthcare’s central role in the health sector, where it processes a huge share of medical and pharmacy transactions. UnitedHealth later acknowledged paying a ransom reportedly worth about **$22 million** in bitcoin, but the extortion did not end there: a second group, **RansomHub**, claimed it had obtained the stolen files and began leaking patient data online. Subsequent reporting said the breach likely included highly sensitive personal and health information, potentially affecting U.S. service members and eventually tens of millions of Americans, with later estimates rising to **100 million** and then **193 million** victims. Investigators and executives also said the attackers entered through a **Citrix portal without MFA**, turning the incident into one of the largest and most consequential healthcare data breaches on record.
Jun 8, 2026
Change Healthcare Ransomware Breach Grew to 190 Million Victims
UnitedHealth Group said the ransomware attack on Change Healthcare affected about **190 million people**, making it the largest known breach of U.S. health and medical data. The February 2024 intrusion, attributed to the Russian-speaking **ALPHV/BlackCat** operation, triggered nationwide outages that disrupted pharmacy services, insurance claims, prior authorizations, billing, and prescription access, including impacts on military pharmacies. Exposed data reportedly included medical records, diagnoses, medications, test results, treatment plans, insurance details, and financial information. Reporting and subsequent testimony tied the breach to basic security failures, including use of a stolen credential on an account without **multi-factor authentication** and weak network segmentation. The fallout widened when **RansomHub** claimed it had obtained the same stolen dataset—about **4TB** of data—after ALPHV allegedly kept a **$22 million** ransom payment in an apparent exit scam. Hospitals and providers said the prolonged outage strained cash flow and patient care, while UnitedHealth faced HIPAA notifications, lawsuits, congressional scrutiny, and criticism from the American Hospital Association over what it called an inadequate response and funding program.
May 25, 2026
Multiple Healthcare Data Breaches and Regulatory Actions in the US
Several healthcare providers in the United States have recently disclosed significant data breaches resulting from cyberattacks, with patient and employee information being compromised. AllerVie Health, based in Texas, confirmed unauthorized access to its network, exposing sensitive data such as names, Social Security numbers, and insurance details, allegedly due to a ransomware attack by the Anubis group. The attackers claim to have stolen records of over 30,000 patients, and affected individuals have been offered credit monitoring and identity theft protection. In a separate incident, OrthopedicsNY, a healthcare provider in New York, suffered a breach in 2023 after attackers gained remote access using compromised credentials, leading to the exposure of data belonging to more than 650,000 patients and employees. The New York Attorney General secured a $500,000 penalty from OrthopedicsNY for failing to implement adequate security measures, and the provider is now required to enhance its data protection practices. Additionally, Singing River Health System in Mississippi reported a cyber incident that led to the temporary shutdown of its patient portal and internet access as a precaution. While the threat was reportedly mitigated, the investigation is ongoing to determine if patient records were accessed. These incidents highlight the ongoing risks faced by healthcare organizations from ransomware groups and other cybercriminals, as well as the increasing regulatory scrutiny and financial penalties for failing to protect sensitive health information. Impacted organizations are responding with offers of credit monitoring and reviews of their security policies, but the breaches underscore the need for robust cybersecurity measures in the healthcare sector.
Mar 21, 2026