How the Ransomware Attack on Change Healthcare Unfolded: A Timeline
- by PulseNews
A ransomware attack on Change Healthcare, a health tech company owned by UnitedHealth, likely ranks as one of the largest breaches of U.S. health and medical data in history. Months after the attack, individuals across the U.S. are being notified by mail that their personal and health information was stolen. At least 100 million people are known to be affected by the breach.
Change Healthcare processes billing and insurance for many healthcare providers, handling vast amounts of sensitive medical data. The company became one of the largest processors of U.S. health data through a series of mergers and acquisitions, managing between one-third and one-half of all U.S. health transactions. Here’s a breakdown of the events following the ransomware attack.
February 21, 2024: First Outages as Cyberattack Unfolds
What seemed like a routine Wednesday afternoon turned into chaos as billing systems at healthcare providers went offline, and insurance claims stopped processing. Change Healthcare’s website was flooded with outage reports. The company soon confirmed a “network interruption related to a cybersecurity issue” and invoked its security protocols, shutting down its entire network to contain the breach. The hackers had gained access on or around February 12, 2024.
February 29, 2024: UnitedHealth Confirms Ransomware Attack
After initially misidentifying the attackers as state-sponsored hackers, UnitedHealth confirmed the breach was carried out by the ransomware gang ALPHV/BlackCat. The group, a Russian-speaking criminal organization, took credit for the attack on a dark web leak site, revealing they had stolen sensitive health information from millions of Americans.
March 3-5, 2024: UnitedHealth Pays $22 Million, Hackers Disappear
In early March, ALPHV vanished from its dark web leak site after receiving a $22 million ransom payment from UnitedHealth. The site was replaced by a fake law enforcement seizure notice. However, both the FBI and U.K. authorities denied involvement in the takedown. The affiliate behind the hack claimed the ALPHV leadership had taken the ransom money, leaving the stolen data behind.
March 13, 2024: Ongoing Disruption and Data Breach Fears
Weeks after the attack, widespread outages continued, disrupting pharmacies, insurance claims, and military health services. The American Medical Association reported a lack of communication from UnitedHealth and Change Healthcare about the incident. By March 13, Change Healthcare confirmed it had received a “safe” copy of the stolen data and began the process of notifying affected individuals.
March 28, 2024: U.S. Government Increases Bounty on ALPHV Leaders
The U.S. government offered a $10 million reward for information leading to the capture of ALPHV’s leadership, signaling the severity of the breach and the threat of having sensitive health data exposed online.
April 15, 2024: New Ransom Gang Forms, Data Published
An affiliate of ALPHV formed a new ransomware group, RansomHub, and demanded a second ransom from UnitedHealth. The group published a portion of the stolen health data as proof of their threat, continuing the cycle of “double extortion” that involves both data theft and ransom demands.
April 22, 2024: UnitedHealth Confirms Extensive Data Theft
UnitedHealth officially acknowledged that the breach affected a “substantial proportion of people in America,” although the exact number was still unclear. The stolen data included sensitive medical records, diagnoses, medications, test results, and other personal health information.
May 1, 2024: UnitedHealth CEO Testifies About Lack of Basic Cybersecurity
Under questioning from lawmakers, UnitedHealth CEO Andrew Witty testified that the hackers gained access to Change Healthcare’s systems using a single password on an account that lacked multi-factor authentication (MFA). Witty emphasized that the breach was entirely preventable and confirmed that the incident likely affected around one-third of the U.S. population.
June 20, 2024: Formal Notifications Begin for Affected Providers
By June, Change Healthcare began notifying affected healthcare providers about the breach, but delays in contacting individuals were inevitable due to the size of the stolen dataset. The U.S. Department of Health and Human Services allowed healthcare providers to delegate notification duties to UnitedHealth to ease the burden on smaller providers.
July 29, 2024: Notifications to Affected Individuals Begin
Change Healthcare started notifying individuals whose data had been stolen, with letters outlining the types of stolen information, including medical, health insurance, and financial details. The notifications continued into the fall.
October 24, 2024: At Least 100 Million People Affected
UnitedHealth confirmed that the breach impacted at least 100 million individuals. The U.S. Department of Health and Human Services updated its data breach portal, and notifications to affected individuals continued. The breach is now one of the largest health data breaches in U.S. history.
December 16, 2024: Nebraska Files Lawsuit, New Details Emerge
The state of Nebraska filed a lawsuit against Change Healthcare, alleging security failures that contributed to the massive breach. New details revealed that the hackers initially gained access using the stolen credentials of a “low-level customer support employee” with no multi-factor authentication. The lawsuit also accused Change Healthcare of poorly segmented IT systems, allowing hackers to move freely within its network. UnitedHealth confirmed that notifications were still ongoing, suggesting the number of affected individuals could be much higher than 100 million.
This timeline outlines the severity and ongoing impact of one of the largest data breaches in U.S. history, which continues to unfold months after the attack.