192.7 million records. Attack date: February 21, 2024. Threat actor: BlackCat/ALPHV.

Change Healthcare / UnitedHealth

The largest healthcare data breach in U.S. history—57% of the American population.

Data exposed: Social Security numbers, driver's license numbers, passport numbers, diagnoses, medications, test results, treatment plans, health insurance information, bank account numbers, billing data.
1. What happened?

On February 21, 2024, BlackCat/ALPHV ransomware affiliates encrypted Change Healthcare's systems. They had first entered the network nine days earlier, on February 12, using stolen credentials for a Citrix remote-access portal that did not have multi-factor authentication enabled, as UnitedHealth's CEO later testified to Congress.

2. What data was actually inside?

6 terabytes exfiltrated (the volume is the attackers' own claim): Social Security numbers, driver's licenses, passport numbers, diagnoses, medications, test results, treatment plans, health insurance information, bank account numbers, and billing data.

Also included: source code for Change Healthcare applications and data from Medicare, Tricare (military), CVS Caremark, and Health Net.

3. Who gets hurt and how?

192.7 million Americans—57% of the U.S. population. Their medical histories are now on dark web leak sites despite UnitedHealth paying a $22 million ransom.

Patients face medical identity theft, insurance fraud, prescription fraud, and the exposure of mental health records, HIV status, and substance abuse treatment. Military personnel's health records were compromised through Tricare data.

4. What did they think they were doing right?

Change Healthcare processes 15 billion healthcare transactions annually—one in three U.S. patient records touches their systems. They were HIPAA compliant. They had security controls. They trusted their employee access management. The Citrix portal was "secured" with a username and password.

5. What did they not know about their own data?

They didn't know that 6 terabytes of sensitive data were reachable from a single compromised credential. They didn't know their network segmentation was so weak that the attackers could move laterally between servers, undetected, for 9 days. They couldn't say which systems held which data until the attackers showed them.

If a single credential in your environment was compromised today, could you say within 24 hours exactly what data was accessed?
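Answering that question within 24 hours requires logs that can be joined by identity: who logged in at the edge, with or without a second factor, and what that same account then touched inside. The Python below is an added illustration, not code from the original page or from Change Healthcare or UnitedHealth. The log shape, the account names (svc_claims, jdoe), the host names and the IP addresses are all constructed for the example; real Citrix/NetScaler, VPN and file-audit logs differ in format, but the two triage questions it answers (which portal logins had no MFA, and what is the blast radius of one account) are the ones the page is asking.

```python
"""Credential-compromise triage over constructed remote-access and internal access logs.

Added example, not part of the original page. The event tuples below are made up:
(timestamp, log source, action, user, source IP, mfa flag, target host, data class).
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample events. The mfa field is True/False only for portal logins;
# internal file-server and database events carry None.
SAMPLE_EVENTS = [
    ("2024-02-12T03:14:00Z", "portal", "login", "svc_claims", "203.0.113.7", False, "citrix-gw01", None),
    ("2024-02-12T03:20:00Z", "portal", "login", "jdoe", "198.51.100.4", True, "citrix-gw01", None),
    ("2024-02-12T04:02:00Z", "fileserver", "read", "svc_claims", "10.0.5.21", None, "fs-claims01", "PHI"),
    ("2024-02-13T22:41:00Z", "db", "select", "svc_claims", "10.0.5.21", None, "db-billing02", "PCI"),
    ("2024-02-15T01:05:00Z", "fileserver", "read", "svc_claims", "10.0.9.3", None, "fs-hr01", "PII"),
    ("2024-02-19T11:15:00Z", "fileserver", "read", "jdoe", "10.0.2.10", None, "fs-claims01", "PHI"),
    ("2024-02-21T05:30:00Z", "host", "process", "svc_claims", "10.0.9.3", None, "fs-claims01", None),
]

# Assumed internal address space (RFC 1918). ipaddress's is_private also matches
# documentation ranges such as 203.0.113.0/24, so an explicit check is used instead.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_events(rows):
    """Turn raw tuples into dicts with parsed timestamps, sorted chronologically."""
    events = []
    for ts, source, action, user, src_ip, mfa, target, data_class in rows:
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "source": source, "action": action, "user": user,
            "src_ip": src_ip, "mfa": mfa, "target": target, "data_class": data_class,
        })
    return sorted(events, key=lambda e: e["ts"])


def logins_without_mfa(events):
    """Successful remote-portal logins that were never challenged for a second factor."""
    return [(e["user"], e["ts"].isoformat(), e["src_ip"])
            for e in events
            if e["source"] == "portal" and e["action"] == "login" and e["mfa"] is False]


def blast_radius(events, user):
    """Everything one account touched: dwell time, hosts, data classes, internal footholds.

    More than one internal source address for the same account is treated as
    lateral movement: the account was used from a second machine inside the network.
    """
    mine = [e for e in events if e["user"] == user]
    if not mine:
        return None
    first, last = mine[0]["ts"], mine[-1]["ts"]
    internal_sources = sorted({e["src_ip"] for e in mine if is_internal(e["src_ip"])})
    return {
        "user": user,
        "first_seen": first.isoformat(),
        "last_seen": last.isoformat(),
        "dwell_days": (last - first).days,
        "hosts": sorted({e["target"] for e in mine}),
        "data_classes": sorted({e["data_class"] for e in mine if e["data_class"]}),
        "internal_sources": internal_sources,
        "lateral_movement": len(internal_sources) > 1,
    }


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("Portal logins with no MFA:", logins_without_mfa(evts))
    for account, _, _ in logins_without_mfa(evts):
        print("Blast radius:", blast_radius(evts, account))
```

On the constructed data the report for svc_claims shows a nine-day dwell, four hosts, PHI, PCI and PII all touched, and two internal source addresses, which is the pattern the page describes. The point of the exercise is the precondition, not the script: if your portal logs do not record whether MFA was applied, or your file and database audit logs cannot be joined to the same identity, this question cannot be answered in 24 hours no matter how good the analyst is.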

6. What does attribution look like the morning after?

Chaos. Change Healthcare shut down for weeks. Hospitals couldn't process claims. Pharmacies couldn't verify insurance. Patients couldn't get prescriptions.

It took months to determine the full scope: initial estimates of 100 million grew to 190 million, then 192.7 million. The $22 million ransom bought nothing. BlackCat/ALPHV's operators took the payment and vanished, cheating their own affiliate, and the affiliate, still holding a copy of the data, tried to extort UnitedHealth a second time through RansomHub.

Total cost to UnitedHealth Group, by its own accounting: approximately $3.1 billion for 2024, covering direct response costs and business disruption.

7. What would have changed the outcome?

Knowing what you have before someone else finds it first.

If Change Healthcare had mapped their sensitive data across systems, they would have known that a single Citrix credential could unlock 6TB of the most sensitive health data in America. They would have known which systems needed MFA. They would have known their network segmentation was a liability.

Change Healthcare found out the hard way.

Your team could spend the next 6 months rebuilding systems, notifying customers, and answering legal questions. Or you could spend 24 hours finding out what's actually at risk.