Change Healthcare Ransomware Breach Grew to 190 Million Victims
UnitedHealth Group said the ransomware attack on Change Healthcare affected about 190 million people, making it the largest known breach of U.S. health and medical data. The February 2024 intrusion, attributed to the Russian-speaking ALPHV/BlackCat operation, triggered nationwide outages that disrupted pharmacy services, insurance claims, prior authorizations, billing, and prescription access, including impacts on military pharmacies. Exposed data reportedly included medical records, diagnoses, medications, test results, treatment plans, insurance details, and financial information.
Reporting and subsequent testimony tied the breach to basic security failures, including use of a stolen credential on an account without multi-factor authentication and weak network segmentation. The fallout widened when RansomHub claimed it had obtained the same stolen dataset—about 4TB of data—after ALPHV allegedly kept a $22 million ransom payment in an apparent exit scam. Hospitals and providers said the prolonged outage strained cash flow and patient care, while UnitedHealth faced HIPAA notifications, lawsuits, congressional scrutiny, and criticism from the American Hospital Association over what it called an inadequate response and funding program.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
UnitedHealth raises Change Healthcare breach total to 190 million people
In January 2025, UnitedHealth confirmed that approximately 190 million people in America were affected by the Change Healthcare cyberattack. The revised figure made it the largest breach of health and medical data in U.S. history.
UnitedHealth discloses at least 100 million people were affected
Later in 2024, UnitedHealth said the Change Healthcare breach affected at least 100 million people. This established the incident as one of the largest healthcare data breaches ever disclosed in the United States.
RansomHub claims extortion attempt using data from Change breach
In April 2024, the ransomware group RansomHub claimed it possessed 4TB of Change Healthcare data, including personal, medical, insurance, payment, and source code files, and threatened to sell or publish it. Reporting indicated the data may have been the same dataset stolen in the February ALPHV attack, after an alleged ALPHV exit scam affected affiliates.
Researchers observe possible $22 million ransom payment tied to ALPHV wallets
By early April 2024, researchers reported a $22 million Bitcoin transaction linked to ALPHV wallets as possible evidence that Change Healthcare had paid a ransom. The payment was not officially confirmed by the company at that time.
AHA criticizes UnitedHealth response and says no restoration timeline was provided
On March 4, 2024, the American Hospital Association sent a letter to UnitedHealth Group saying the cyberattack had severely disrupted healthcare operations and finances nationwide. The AHA argued the company's assistance program was inadequate and said no restoration timeline had been announced nearly two weeks after the attack.
UnitedHealth launches temporary funding assistance amid prolonged disruption
In the aftermath of the attack, UnitedHealth Group introduced a Temporary Funding Assistance Program for affected providers. The program was intended to address financial strain caused by the outage, but its scope and terms drew criticism from healthcare organizations.
ALPHV/BlackCat hacks Change Healthcare and triggers nationwide outages
In February 2024, Change Healthcare suffered a ransomware attack attributed to the Russian-speaking ALPHV/BlackCat gang. The incident disrupted prescription services, billing, insurance claims, prior authorizations, and other healthcare operations across the United States.
Sources
UnitedHealth hikes number of Change cyberattack breach victims to 190M | Cybersecurity Dive
cybersecuritydive.com
How the ransomware attack at Change Healthcare went down: A timeline | TechCrunch
techcrunch.com
Change Healthcare hit with second ransomware attack of 2024 | IT Pro
itpro.com


