Change Healthcare / UnitedHealth
The largest healthcare data breach in U.S. history—57% of the American population.
What happened?
On February 21, 2024, BlackCat/ALPHV ransomware affiliates encrypted Change Healthcare's systems after spending 9 days inside the network—using stolen credentials to access a Citrix portal that didn't have multi-factor authentication enabled.
What data was actually inside?
6 terabytes exfiltrated: Social Security numbers, driver's licenses, passport numbers, diagnoses, medications, test results, treatment plans, health insurance information, bank account numbers, and billing data.
Also included: source code for Change Healthcare applications and data from Medicare, Tricare (military), CVS Caremark, and Health Net.
Who gets hurt and how?
192.7 million Americans—57% of the U.S. population. Their medical histories are now on dark web leak sites despite UnitedHealth paying a $22 million ransom.
Patients face medical identity theft, insurance fraud, prescription fraud, and the exposure of mental health records, HIV status, and substance abuse treatment. Military personnel's health records were compromised through Tricare data.
What did they think they were doing right?
Change Healthcare processes 15 billion healthcare transactions annually—one in three U.S. patient records touches their systems. They were HIPAA compliant. They had security controls. They trusted their employee access management. The Citrix portal was "secured" with a username and password.
What did they not know about their own data?
They didn't know that 6 terabytes of sensitive data could be accessed from a single compromised credential. They didn't know their network segmentation was so poor that hackers could move freely between servers for 9 days. They couldn't tell you which systems held what data until the attackers showed them.
What does attribution look like the morning after?
Chaos. Change Healthcare shut down for weeks. Hospitals couldn't process claims. Pharmacies couldn't verify insurance. Patients couldn't get prescriptions.
It took months to determine the full scope—initial estimates of 100 million grew to 190 million, then 192.7 million. The $22 million ransom didn't even work—the affiliate kept a copy and tried to extort them again through RansomHub.
Total cost to UnitedHealth Group: approximately $3.1 billion in direct breach response costs through 2024.
What would have changed the outcome?
Knowing what you have before someone else finds it.
If Change Healthcare had mapped their sensitive data across systems, they would have known that a single Citrix credential could unlock 6TB of the most sensitive health data in America. They would have known which systems needed MFA. They would have known their network segmentation was a liability.
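The data-mapping exercise described above can be made concrete. The Python script below is an added example written for this page; it is not Risk Finder's code and the inventory in it is constructed (hypothetical system names, network zones and record counts, not Change Healthcare's real systems). It takes an asset inventory that records what data class each system holds, a segmentation policy (which zone pairs the firewalls allow), and a list of login surfaces, and computes for each surface the blast radius of one stolen credential: which systems an intruder could pivot to and how many sensitive records sit on them. A surface is rated CRITICAL when sensitive data is reachable and the login has no MFA, the combination the narrative above describes.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    zone: str                                  # network segment the host sits in
    data: dict = field(default_factory=dict)   # data class -> approx. record count


@dataclass(frozen=True)
class EntryPoint:
    name: str       # externally reachable login surface (remote-access portal, VPN, SSO)
    lands_on: str   # system a successful login gives an attacker a foothold on
    mfa: bool       # whether that login requires a second factor


# Data classes that one stolen password must never be able to reach on its own.
SENSITIVE = {"ssn", "phi", "bank"}

# Constructed inventory: hypothetical names, zones and record counts for the demo.
SYSTEMS = {s.name: s for s in [
    System("remote-gw", "dmz"),
    System("claims-db", "claims", {"phi": 1000, "ssn": 1000}),
    System("billing-db", "finance", {"bank": 500}),
    System("build-server", "dev", {"source_code": 1}),
    System("hr-portal", "corp", {"ssn": 50}),
]}

ENTRIES = [
    EntryPoint("citrix-portal", lands_on="remote-gw", mfa=False),
    EntryPoint("hr-sso", lands_on="hr-portal", mfa=True),
]

# A segmentation policy is the set of (source zone, destination zone) pairs the
# firewalls permit; traffic within a single zone is always allowed.
ZONES = {s.zone for s in SYSTEMS.values()}
FLAT_NETWORK = {(a, b) for a in ZONES for b in ZONES}   # everything talks to everything
SEGMENTED = {("dmz", "claims")}                           # gateway may reach claims only


def build_edges(systems, policy):
    """Turn the inventory plus policy into an adjacency list of lateral-movement paths."""
    edges = {name: [] for name in systems}
    for src in systems.values():
        for dst in systems.values():
            if src.name == dst.name:
                continue
            if src.zone == dst.zone or (src.zone, dst.zone) in policy:
                edges[src.name].append(dst.name)
    return edges


def reachable(start, edges):
    """Breadth-first search: every system an intruder holding `start` can pivot to."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in edges[cur]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def assess(entries, systems, policy):
    """Rate each login surface by the sensitive data one compromised credential exposes."""
    edges = build_edges(systems, policy)
    findings = []
    for entry in entries:
        hit = reachable(entry.lands_on, edges)
        exposed = {}
        for name in hit:
            for cls, count in systems[name].data.items():
                if cls in SENSITIVE:
                    exposed[cls] = exposed.get(cls, 0) + count
        if not exposed:
            severity = "LOW"
        elif entry.mfa:
            severity = "HIGH"       # second factor raises the bar, but data is still reachable
        else:
            severity = "CRITICAL"   # a password alone unlocks sensitive data
        findings.append({"entry": entry.name, "severity": severity,
                         "reachable": sorted(hit), "exposed": exposed})
    return findings


def report(label, findings):
    print(f"== {label} ==")
    for f in findings:
        records = sum(f["exposed"].values())
        print(f"{f['severity']:<8} {f['entry']:<14} reaches {len(f['reachable'])} systems, "
              f"{records} sensitive records {f['exposed']}")


if __name__ == "__main__":
    report("flat network", assess(ENTRIES, SYSTEMS, FLAT_NETWORK))
    report("segmented network", assess(ENTRIES, SYSTEMS, SEGMENTED))
```

Running it prints the same login surfaces under both policies. On the flat network the password-only portal is CRITICAL and reaches every record in the inventory; under the segmented policy the same portal still reaches the claims store, so the finding stays CRITICAL until MFA is added as well. The two controls fix different halves of the finding: segmentation shrinks the reachable set, MFA raises the cost of the initial foothold, and an inventory like this is what tells you which login surfaces need which.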
Don't Learn What You Have From an Attacker
Change Healthcare couldn't tell you what was in their systems until BlackCat showed them. Risk Finder shows you first.
Start Your Risk Assessment