How the ransomware attack at Change Healthcare went down: A timeline | TechCrunch
A February 2024 ransomware attack on UnitedHealth-owned health tech company Change Healthcare stands as the largest data breach of health and medical data in US history.

Change Healthcare confirmed in January 2025 that its data breach affects approximately 190 million people in America, almost double the company's previous estimate.

The company said it has notified millions of individuals by mail that their personal and health information was stolen by cybercriminals, and published a separate public notice for anyone whose contact information could not be found.

Change Healthcare processes billing and insurance for hundreds of thousands of hospitals, pharmacies, and medical practices across the US healthcare sector. As such, the company collects and stores vast amounts of highly sensitive medical data on patients in the United States. Following a series of corporate mergers and acquisitions, Change Healthcare became one of the biggest processors of US health data, handling as many as half of all US health transactions.

Here's what has happened since the ransomware attack began.

It seemed like an ordinary Wednesday afternoon, until it wasn't. The outage was sudden. On February 21, billing systems at doctors' offices and healthcare practices stopped working, and insurance claims stopped processing. The status page on Change Healthcare's website was flooded with outage notifications affecting every part of its business, and later that day the company confirmed it was experiencing a "network interruption related to a cyber security issue." Clearly, something had gone very wrong.

It turns out that Change Healthcare invoked its security protocols and shut down its entire network to isolate intruders it found in its systems. That meant sudden and widespread outages across the healthcare sector, which relies on a handful of companies like Change Healthcare to handle healthcare insurance and billing claims for vast swathes of the United States. It was later determined that the hackers initially broke into the company's systems over a week earlier, on or around February 12.

After initially and incorrectly attributing the intrusion to hackers working for a government or nation-state, UnitedHealth later said on February 29 that the cyberattack was in fact the work of a ransomware gang. UnitedHealth said the gang "represented itself to us as ALPHV/BlackCat," a company spokesperson told TechCrunch at the time. A dark web leak site associated with the ALPHV/BlackCat gang also took credit for the attack, claiming to have stolen millions of Americans' sensitive health and patient information, giving the first indication of how many individuals this incident had affected.

ALPHV, aka BlackCat, is a known Russian-speaking ransomware-as-a-service gang. Its affiliates, contractors who work for the gang, break into victim networks and deploy malware developed by ALPHV/BlackCat's leaders, who take a cut of the profits from the ransoms collected from victims to get their files back.

Knowing that the breach was caused by a ransomware gang changed the equation of the attack: from the kind of hacking that governments sometimes do to send a message to another government (rather than publishing millions of people's private information) to a breach caused by financially motivated cybercriminals, who are likely to employ an entirely different playbook to get their payday.

In early March, the ALPHV ransomware gang vanished. The gang's leak site on the dark web, which weeks earlier took credit for the cyberattack, was replaced with a seizure notice claiming that UK and US law enforcement took down the gang's site. But both the FBI and UK authorities denied taking down the ransomware gang, as they had attempted months earlier. All signs pointed to ALPHV running off with the ransom and pulling an exit scam.

In a posting, the ALPHV affiliate who carried out the hack on Change Healthcare claimed that the ALPHV leadership stole $22 million paid as a ransom, and included a link to a single bitcoin transaction on March 3 as proof of their claim. But despite losing their share of the ransom payment, the affiliate said the stolen data is "still with us." UnitedHealth had paid a ransom to hackers who left the data behind and disappeared.

Meanwhile, weeks into the cyberattack, outages were still ongoing, with many unable to get their prescriptions filled or having to pay cash out of pocket. Military health insurance provider TriCare said all military pharmacies worldwide were affected as well.

The American Medical Association was saying there was little information from UnitedHealth and Change Healthcare about the ongoing outages, which were causing massive disruption that continued to ripple across the healthcare sector.

By March 13, Change Healthcare had received a "safe" copy of the stolen data that it had just days earlier paid $22 million for. This allowed Change to begin the process of poring through the dataset to determine whose information was stolen in the cyberattack, with the aim of notifying as many affected individuals as possible.

By late March, the US government said it was upping its bounty for information on key leadership of ALPHV/BlackCat and its affiliates.

By offering $10 million to anyone who can identify or locate the individuals behind the gang, the US government seemed to hope that one of the gang's insiders would turn on their former leaders. It also could be seen as the US realizing the threat of having a significant number of Americans' health information potentially published online.

And then there were two. Ransoms, that is. By mid-April, the aggrieved affiliate set up a new extortion racket called RansomHub, and since it still had the data that it stole from Change Healthcare, it demanded a second ransom from UnitedHealth. In doing so, RansomHub published a portion of the stolen files containing what appeared to be private and sensitive patient records as proof of their threat.

Ransomware gangs don't just encrypt files; they also steal as much data as possible and threaten to publish the files if a ransom isn't paid. This is known as "double extortion." In some cases, when the victim pays, the ransomware gang can extort the victim again, or, in others, extort the victim's customers, known as "triple extortion."

Now that UnitedHealth was willing to pay one ransom, there was a risk that the healthcare giant would be extorted again. It's why law enforcement have long advocated against paying a ransom that allows criminals to profit from cyberattacks.

For the first time, UnitedHealth confirmed on April 22, more than two months after the ransomware attack began, that there was a data breach and that it likely affects a "substantial proportion of people in America," without saying how many millions of people that entails. UnitedHealth also confirmed it paid a ransom for the data, but would not say how many ransoms it ultimately paid.

The company said that the stolen data includes highly sensitive information, including medical records and health information, diagnoses, medications, test results, imaging, and care and treatment plans, and other personal information.

Given that Change Healthcare handles data on as many as half of everyone living in the United States, the data breach is likely to affect more than 100 million people at least. When reached by TechCrunch, a UnitedHealth spokesperson did not dispute the likely affected number, but said that the company's data review was ongoing.

Perhaps unsurprisingly, when your company has had one of the biggest data breaches in recent history, its chief executive is bound to get called to testify before lawmakers.

That's what happened with UnitedHealth Group (UHG) chief executive Andrew Witty, who on Capitol Hill admitted that the hackers broke into Change Healthcare's systems using a single set password on a user account not protected with multi-factor authentication, a basic security feature that can prevent password reuse attacks by requiring a second code sent to that account holder's phone.

"One of the biggest data breaches in US history was entirely preventable" was the key message. Witty said that the data breach was likely to affect about one-third of people living in America, in line with the company's previous estimates that the breach affects around as many people as Change Healthcare processes healthcare claims for.

It took Change Healthcare until June 20 to begin formally notifying affected individuals that their information was stolen, as legally required under a law commonly known as HIPAA, likely delayed in part by the sheer size of the stolen dataset.

The company published a notice disclosing the data breach and said that it would begin notifying individuals it had identified in the "safe" copy of the stolen data. But Change said it cannot confirm exactly what data was stolen about each individual, and that the information may vary from person to person. Change says it was posting the notice on its website as it may not have sufficient addresses for all affected individuals.

The incident was so big and complex that the US Department of Health and Human Services stepped in and said that affected healthcare providers, whose patients are ultimately affected by the breach, can ask UnitedHealth to notify affected patients on their behalf, an effort seen as lessening the burden on smaller providers whose finances were hit amid the ongoing outage.

The health tech giant confirmed in late June that it would begin notifying those whose healthcare data was stolen in its ransomware attack on a rolling basis. That process began in late July.

The letters going out to affected individuals will most likely come from Change Healthcare, if not the specific healthcare provider affected by the hack at Change. The letter confirms what kinds of data were stolen, including medical data and health insurance information, and claims and payment information, which Change said includes financial and banking information.

A spokesperson for UnitedHealth told TechCrunch that the data review was in its "final stages."

It took the health insurance giant more than eight months to announce, but it has now confirmed that the data breach affects more than 100 million individuals. The number of those affected is expected to rise, given that some have received data breach notifications as recently as October. The US Department of Health and Human Services reported the updated number on its data breach portal on October 24.

As it stands, the data breach at Change Healthcare is now the largest digital theft of US medical records, and one of the biggest data breaches in living history.

The state of Nebraska filed a lawsuit against Change Healthcare in December, accusing the health tech giant of security failings that led to the massive breach of at least 100 million people in America. New details about the hack emerged in the state's complaint, including that the ALPHV hackers initially broke in using the stolen username and password of a low-level customer support employee, which wasn't protected with multi-factor authentication. The state's complaint also accuses Change Healthcare of having poorly segmented IT systems, which allowed the hackers to travel freely between servers once inside the company's firewall.

UnitedHealth Group, which owns Change Healthcare, told TechCrunch that the company was still in the "final stages" of notifying individuals affected by the data breach, the same thing it told us in July, suggesting that the number of Americans affected by the data breach will be far higher than the 100 million disclosed so far.

On a Friday evening, almost a year after the cyberattack, UnitedHealth confirmed that the number of people in America who had private health information stolen in the data breach stands at 190 million, more than half of the population of the United States. The healthcare insurance giant said it planned to notify the US Department of Health and Human Services of the updated figure, as required by law, at a later date.

Millions of people are affected by the breach even if they didn't have UnitedHealthcare insurance, given the massive amounts of medical data and billions of transactions that Change Healthcare processes across the US healthcare system every day.

Zack Whittaker, Security Editor

Zack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter "this week in security."

He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or to verify outreach, at zack.whittaker@techcrunch.com.

© 2025 TechCrunch Media LLC