Change Healthcare ransomware attack exposed massive patient data and disrupted U.S. care
A ransomware attack on UnitedHealth subsidiary Change Healthcare crippled prescription processing, billing, and claims services across the U.S., leaving pharmacies, hospitals, doctors, and therapists unable to process insurance transactions and creating severe cash-flow problems for providers. UnitedHealth disclosed the intrusion after isolating affected systems, and the ALPHV/BlackCat gang later claimed responsibility, saying it stole terabytes of data from the company’s environment. The outage highlighted Change Healthcare’s central role in the health sector, where it processes a huge share of medical and pharmacy transactions.
UnitedHealth later acknowledged paying a ransom reportedly worth about $22 million in bitcoin, but the extortion did not end there: a second group, RansomHub, claimed it had obtained the stolen files and began leaking patient data online. Subsequent reporting said the breach likely included highly sensitive personal and health information, potentially affecting U.S. service members and eventually tens of millions of Americans, with later estimates rising to 100 million and then 193 million victims. Investigators and executives also said the attackers entered through a Citrix portal without MFA, turning the incident into one of the largest and most consequential healthcare data breaches on record.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Iowa attorney general sues Change Healthcare over breach
On April 6, 2026, the Iowa attorney general filed a lawsuit against Change Healthcare over the 2024 data breach. The suit represented a new legal action stemming from the incident.
Victim count rises to 193 million in Change Healthcare breach
By August 7, 2025, reporting said the Change Healthcare data breach victim count had risen to 193 million. The updated figure significantly expanded the known scope of the incident.
UnitedHealth says Change breach affected 100 million Americans
On October 25, 2024, reporting said the Change Healthcare breach affected 100 million Americans, setting a new record for a healthcare data breach. This marked a major escalation in the disclosed scale of victim impact.
Congress hears stolen data likely included service members
At a May 1, 2024 congressional hearing, UnitedHealth CEO Andrew Witty said data stolen in the Change Healthcare attack likely included information on U.S. service members. Lawmakers described the breach as a national security threat during the hearing.
UnitedHealth says breach began through Citrix portal without MFA
UnitedHealth disclosed that attackers accessed Change Healthcare through a Citrix remote access portal that did not have multifactor authentication enabled. The revelation provided a key technical detail about the initial compromise path.
UnitedHealth confirms it paid a ransom after the attack
UnitedHealth Group later confirmed it paid a ransom following the February 2024 cyberattack on Change Healthcare. Reporting tied the payment to roughly $22 million in bitcoin and said the company was monitoring for any public leak of stolen data.
RansomHub leaks stolen Change Healthcare data
By mid-April 2024, stolen Change Healthcare data was reported leaked by the RansomHub gang after a second extortion threat emerged. Reporting said RansomHub claimed control of more than 4TB of data after ALPHV allegedly failed to share ransom proceeds with affiliates.
ALPHV claims responsibility for the Change Healthcare attack
On February 28, 2024, the ALPHV/BlackCat ransomware group publicly claimed responsibility for the attack on Change Healthcare. The group said it had stolen more than 6 terabytes of data and disputed UnitedHealth's earlier characterization of the incident.
Cyberattack disrupts pharmacy claims and prescription processing
The Change Healthcare incident caused company-wide connectivity problems and outages that delayed prescription processing and insurance billing at pharmacies across the United States. UnitedHealth said the disruption was specific to Change Healthcare while other UnitedHealth systems remained operational.
UnitedHealth identifies cyber intrusion at Change Healthcare
On February 21, 2024, UnitedHealth Group disclosed that it identified a suspected nation-state-associated threat actor with access to some Change Healthcare IT systems. The company said it immediately isolated affected systems, engaged security experts, coordinated with law enforcement, and notified customers and government agencies.
Sources
15 references tracked.
Iowa AG files lawsuit against Change Healthcare over 2024 data breach
beckershospitalreview.com
Change Healthcare data breach victim count rises to 193 million | TechTarget
techtarget.com
Change Healthcare breach affected 100 million Americans, marking a new record | CyberScoop
cyberscoop.com
The Change Healthcare Ransomware Attack: A Landmark Cybersecurity Breach | BlackFog
blackfog.com
Notorious ransomware group claims responsibility for attacks roiling US pharmacies | CyberScoop
cyberscoop.com
Cyberattack on health insurance IT giant continues to disrupt business for doctors, therapists | CNN Business
cnn.com
Cybersecurity breach at UnitedHealth subsidiary causes Rx delays for some pharmacies - CBS News
cbsnews.com
unh-20240221
sec.gov


