Change Healthcare Breach Drives Lawsuit and Renews Healthcare Supply-Chain Risk Fears
Iowa Attorney General Brenna Bird sued Change Healthcare, UnitedHealth Group, and Optum over the 2024 ransomware attack on Change Healthcare, alleging the companies misrepresented their cybersecurity practices, understated the breach’s severity in a February 2024 SEC filing, and operated insecure legacy systems without adequate segmentation or redundancy. The complaint says the attack exposed the electronic protected health information of 192.7 million Americans, including 2.2 million Iowans, making it the largest healthcare data breach in U.S. history, and seeks civil penalties, disgorgement, damages, and injunctive relief.
The incident is also being cited across the healthcare sector as a defining example of systemic third-party risk, after outages disrupted billing, pharmacy, clinical, imaging, and laboratory operations at thousands of organizations for months. Industry leaders, including Intermountain Health CISO Erik Decker, said the attack showed how vendor concentration can create ecosystem chokepoints, while broader reporting on vendor breaches has reinforced concerns that compromises at major service providers can cascade across healthcare delivery and data security nationwide.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Iowa attorney general sues Change Healthcare, UnitedHealth and Optum
Iowa Attorney General Brenna Bird sued Change Healthcare, UnitedHealth Group, and Optum over the 2024 ransomware attack, alleging misrepresented cybersecurity practices, insecure systems, and delayed breach notification. The suit says the attack exposed the electronic protected health information of 192.7 million Americans, including 2.2 million Iowans.
Change Healthcare ransomware attack disrupts U.S. healthcare sector
A ransomware attack hit Change Healthcare in February 2024, causing widespread clinical, billing, and other service disruptions across thousands of healthcare organizations. Multiple sources describe it as a major supply-chain and systemic risk event for the U.S. healthcare sector.
Change Healthcare files SEC disclosure on attack severity
On February 21, 2024, Change Healthcare disclosed the incident in an SEC filing. Iowa later alleged in its lawsuit that this filing understated the severity of the breach.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
ISMG Editors: Vendor Breaches Expose Healthcare Risk
govinfosecurity.com
Open sourceISMG Editors: Vendor Breaches Expose Healthcare Risk
bankinfosecurity.com
Open sourceIowa AG Sues Change Healthcare Over 2024 Ransomware Attack
hipaajournal.com
Open source'Systemic Risk' Stalks Healthcare Sector - BankInfoSecurity
bankinfosecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Change Healthcare Ransomware Breach Grew to 190 Million Victims
UnitedHealth Group said the ransomware attack on Change Healthcare affected about **190 million people**, making it the largest known breach of U.S. health and medical data. The February 2024 intrusion, attributed to the Russian-speaking **ALPHV/BlackCat** operation, triggered nationwide outages that disrupted pharmacy services, insurance claims, prior authorizations, billing, and prescription access, including impacts on military pharmacies. Exposed data reportedly included medical records, diagnoses, medications, test results, treatment plans, insurance details, and financial information. Reporting and subsequent testimony tied the breach to basic security failures, including use of a stolen credential on an account without **multi-factor authentication** and weak network segmentation. The fallout widened when **RansomHub** claimed it had obtained the same stolen dataset—about **4TB** of data—after ALPHV allegedly kept a **$22 million** ransom payment in an apparent exit scam. Hospitals and providers said the prolonged outage strained cash flow and patient care, while UnitedHealth faced HIPAA notifications, lawsuits, congressional scrutiny, and criticism from the American Hospital Association over what it called an inadequate response and funding program.
May 25, 2026
Change Healthcare ransomware attack exposed massive patient data and disrupted U.S. care
A ransomware attack on UnitedHealth subsidiary **Change Healthcare** crippled prescription processing, billing, and claims services across the U.S., leaving pharmacies, hospitals, doctors, and therapists unable to process insurance transactions and creating severe cash-flow problems for providers. UnitedHealth disclosed the intrusion after isolating affected systems, and the **ALPHV/BlackCat** gang later claimed responsibility, saying it stole terabytes of data from the company’s environment. The outage highlighted Change Healthcare’s central role in the health sector, where it processes a huge share of medical and pharmacy transactions. UnitedHealth later acknowledged paying a ransom reportedly worth about **$22 million** in bitcoin, but the extortion did not end there: a second group, **RansomHub**, claimed it had obtained the stolen files and began leaking patient data online. Subsequent reporting said the breach likely included highly sensitive personal and health information, potentially affecting U.S. service members and eventually tens of millions of Americans, with later estimates rising to **100 million** and then **193 million** victims. Investigators and executives also said the attackers entered through a **Citrix portal without MFA**, turning the incident into one of the largest and most consequential healthcare data breaches on record.
Jun 8, 2026
HHS Increases Oversight of Healthcare Third-Party Vendor Cybersecurity After Change Healthcare Breach
The US Department of Health and Human Services (**HHS**) is increasing scrutiny of **third-party service provider** cybersecurity in the healthcare sector following the 2024 **Change Healthcare** cyberattack, which HHS officials describe as having threatened the “liquidity” of the broader healthcare system. HHS’s Charlee Hess (Administration for Strategy Preparedness and Response) said the incident exposed previously underappreciated systemic risk from external vendors that can have outsized sector-wide impact, and noted HHS is working through a methodology—alongside industry—to identify where those critical third-party dependencies and risk concentrations exist. Reporting reiterated that the Change Healthcare intrusion began with attackers exploiting the lack of **multi-factor authentication (MFA)** on a remote access portal and ultimately exposed data affecting roughly **190 million** people. The breach has also driven broader government and industry responses, including proposals for mandatory cybersecurity requirements on hospitals (which healthcare organizations have opposed as burdensome, arguing the Change Healthcare compromise originated with an external vendor) and remediation actions by **UnitedHealth Group** (Change Healthcare’s parent) to “start over” on aspects of its systems and technology environment.
Mar 21, 2026