In February 2024, a ransomware assault on Change Healthcare, a health technology firm owned by UnitedHealth, marked the most extensive breach of health and medical data in the history of the United States.
Change Healthcare reported in January 2025 that the breach impacted around 190 million individuals across America, nearly doubling its prior estimates.
The firm stated that it has sent out notifications via mail to millions, informing them that their personal and health information was compromised by hackers. Additionally, it released a public notice for those whose contact information was unavailable.
Change Healthcare manages billing and insurance services for a multitude of hospitals, pharmacies, and medical practices within the U.S. healthcare landscape. As a result, it gathers and retains a substantial quantity of sensitive medical information of patients across the country. Following a series of mergers and acquisitions, it became a leading processor of health data in the United States, accounting for nearly half of all health transactions nationwide.
Here’s a timeline of the events that unfolded following the ransomware incident.
February 21, 2024
Initial outage reports emerge amid security incident
What appeared to be an ordinary Wednesday afternoon quickly turned unsettling. On February 21, the billing systems in healthcare offices suddenly malfunctioned, halting insurance claims processing. The status page on Change Healthcare’s website was flooded with outage notices covering every part of its business. Later that day, the company announced a “network interruption related to a cyber security issue,” confirming that a serious problem had arisen.
Change Healthcare activated its security measures, taking down its entire network to secure its systems, leading to widespread outages for the numerous healthcare entities dependent on its services for insurance and billing operations throughout the U.S. Investigations later revealed that the hackers had initially infiltrated the company’s network around February 12.
February 29, 2024
UnitedHealth acknowledges attack by ransomware group
Initially misidentifying the attackers as state-sponsored hackers, UnitedHealth revised its statement on February 29, admitting that the cyberattack was orchestrated by a ransomware gang. The spokesperson noted that the gang “identified themselves as ALPHV/BlackCat.” Furthermore, a dark web leak site associated with ALPHV/BlackCat claimed responsibility for the attack, asserting they had compromised millions of Americans’ sensitive health and patient information, thus giving insights into the scope of the breach.
ALPHV (also called BlackCat) is a Russian-speaking ransomware-as-a-service group that relies on affiliates: contractors who access victim networks using malware created by the group’s leaders. The leaders then share a portion of the ransom payments with the affiliates.
Learning that the breach was a ransomware incident fundamentally shifted the context from state-sponsored hacking, often aimed at geopolitical ends, to financial cybercrime driven by profit, which points to a different strategy on the attackers’ part.
March 3-5, 2024
UnitedHealth pays $22 million ransom, hackers then vanish
By early March, the ALPHV ransomware gang disappeared. Their dark web leak site, which had taken credit for the attack weeks prior, was replaced by a message claiming that U.S. and U.K. authorities had seized the site. However, both the FBI and U.K. law enforcement denied any involvement in taking down the group, indicating that ALPHV had likely escaped with the ransom in an “exit scam.”
An ALPHV affiliate involved in the Change Healthcare breach claimed on March 3 that the group’s leadership had kept the $22 million ransom, and linked to a specific bitcoin transaction as proof. Despite not receiving a share of the ransom, the affiliate remarked that the data was “still in our possession.” UnitedHealth had unwittingly paid the hackers, and its data still had not been returned.

March 13, 2024
Widespread healthcare disruption as fears of data leak grow
Several weeks into the cyberattack, many individuals still faced issues with filling prescriptions or were forced to pay cash due to system outages. TriCare, the military health insurance provider, reported that “all military pharmacies globally” were impacted as well.
The American Medical Association voiced concerns, stating there was minimal information provided by UnitedHealth and Change Healthcare regarding the ongoing outages, which prompted significant turmoil throughout the healthcare system.
By March 13, Change Healthcare had acquired a “safe” version of the compromised data, previously paid for with the $22 million ransom, which allowed it to start analyzing the dataset to identify impacted individuals, with the aim of notifying as many as possible.
March 28, 2024
U.S. government increases bounty to $10 million for information on ALPHV
As March drew to a close, the U.S. government announced it would raise its bounty to $10 million for actionable intelligence regarding the core leadership of ALPHV/BlackCat and its affiliates.
This bounty was seen as a strategic move to encourage insiders to reveal information about the gang’s leaders, highlighting the government’s growing concern over the potential publication of sensitive health information belonging to millions of Americans.
April 15, 2024
A contractor launches a new ransomware operation, releasing some of the stolen health data
By mid-April, the disgruntled affiliate formed a new extortion group named RansomHub, leveraging the data stolen from Change Healthcare to request a secondary ransom from UnitedHealth. They made the threat more credible by releasing snippets of the compromised records, which appeared to involve private patient information.
Beyond merely encrypting files, ransomware gangs capture extensive data and may threaten to publicize it should the ransom not be paid, a strategy known as “double extortion.” In some cases, if the victim complies, the attackers may further extort them or go after their customers—termed “triple extortion.”
Having already paid a ransom, UnitedHealth now faced the substantial risk of being extorted again. This is precisely why law enforcement cautions against paying ransoms, which make cyberattacks profitable.
April 22, 2024
UnitedHealth confirms ransomware hackers stole health data affecting a “substantial” number of Americans
On April 22, more than two months after the crisis began, UnitedHealth acknowledged the data breach for the first time, saying that it likely impacts a “substantial portion of people in America,” without specifying exact figures. The company did confirm that it paid a ransom, without disclosing how many payments were made in total.
The compromised data entails highly confidential information such as medical records, health details, diagnoses, medications, test results, imaging, treatment plans, and other personal data.
Considering that Change Healthcare handles data for nearly half of the population in the United States, the breach likely affects over 100 million people. When TechCrunch reached out, UnitedHealth representatives noted they could not dispute the potential number but emphasized that the assessment process was ongoing.
May 1, 2024
Chief executive of UnitedHealth Group testifies that Change lacked essential cybersecurity
In light of one of the most significant data breaches to date, it was expected that the chief executive of UnitedHealth Group (UHG), Andrew Witty, would be summoned to provide testimony before lawmakers.
During his Capitol Hill appearance, Witty disclosed that the hackers accessed Change Healthcare’s systems via a single password on an account that lacked multi-factor authentication, a critical safeguard that can prevent password reuse incidents by requiring a second verification code sent to the user’s phone.
He conveyed the key message that this enormous data breach was likely preventable. Witty estimated that the incident probably affected about one-third of the American population—a figure aligned with the company’s assessments calculating the number of people it processes healthcare claims for.

June 20, 2024
UHG begins informing affected healthcare providers of stolen data
Change Healthcare officially commenced the process of notifying affected individuals about their compromised data on June 20, fulfilling legal obligations mandated under HIPAA, which may have been delayed owing to the extraordinary scale of the incident.
The company issued a notice disclosing the data breach and indicated it would start notifying the individuals identified in the “safe” copy of the stolen data. However, Change stated it “cannot confirm exactly” what information was stolen for each person, noting it may vary from one individual to another. The notice was made public on its website, as Change acknowledged the possibility of not having sufficient addresses for all impacted individuals.
Given the massive complexity of the situation, the U.S. Department of Health and Human Services intervened to state that affected healthcare providers could request UnitedHealth to inform impacted patients on their behalf, relieving smaller providers facing financial challenges during the ongoing outages.
July 29, 2024
Change Healthcare begins notifying specific affected individuals
In late June, Change Healthcare announced it would roll out notifications to individuals whose healthcare information was compromised starting in late July.
The letters sent to impacted individuals would primarily originate from Change Healthcare, or possibly the specific healthcare provider connected to the breach. These letters outline the types of information compromised, including medical records, health insurance data, and financial information related to claims and payments.
A representative from UnitedHealth indicated to TechCrunch that the review of the data was in its “final stages.”
October 24, 2024
UnitedHealth confirms over 100 million individuals affected by data breach
After more than eight months, the health insurance giant finally confirmed that over 100 million individuals were impacted by the data breach, a figure that may rise as more notifications have continued into October. The updated numbers were reported by the U.S. Department of Health and Human Services on its data breach portal on October 24.
Currently, the data breach at Change Healthcare stands as the largest digital theft of medical records in U.S. history, and one of the most significant breaches in modern history.
December 16, 2024
New revelations regarding Change hack arise from Nebraska lawsuit
In December, the state of Nebraska filed a lawsuit against Change Healthcare, alleging that the health tech firm’s security shortcomings directly led to the extensive breach affecting over 100 million Americans. The lawsuit revealed that the ALPHV hackers initially accessed the systems using the stolen credentials of a “low-level customer support employee” whose account lacked multi-factor authentication. Additionally, the complaint claimed the organization had poorly segmented IT systems, which allowed the attackers to move unfettered throughout its internal networks.
UnitedHealth Group, the parent company of Change Healthcare, affirmed to TechCrunch that the company remained in the “final stages” of notifying individuals impacted by the data breach, indicating that the total number of affected Americans may significantly exceed the reported 100 million.
January 24, 2025
Change Healthcare announces 190 million individuals affected by the breach
On a Friday evening nearly a year after the cyberattack, UnitedHealth revealed that approximately 190 million individuals in the U.S. had their private health information compromised during the breach, surpassing half of the nation’s population. The health insurance giant disclosed its intention to inform the U.S. Department of Health and Human Services about this updated figure, as required by law.
The breach implicated millions of people, even those not insured by UnitedHealthcare, owing to the vast troves of medical data and billions of transactions that Change Healthcare processes daily across the U.S. healthcare framework.
Compiled by Techarena.au.


