USA | February 21, 2024 | 11 min read
# Change Healthcare: 190 Million Patient Records Breached in $2.87 Billion Ransomware Attack - Largest Healthcare Data Breach in U.S. History
On February 21, 2024, an ALPHV/BlackCat ransomware affiliate deployed
ransomware across Change Healthcare's systems after gaining initial access
nine days earlier through a Citrix remote-access portal protected by stolen
credentials and no multi-factor authentication. The attackers exfiltrated
six terabytes of data--including medical records, diagnoses, Social Security
numbers, and insurance information for up to 190 million individuals--before
encrypting the network. UnitedHealth Group, Change Healthcare's parent company,
paid a $22 million Bitcoin ransom, only to face a second extortion attempt
after BlackCat's exit scam left the affiliate unpaid. The total cost of the
incident reached $2.87 billion in 2024, and the attack disrupted pharmacy
operations, claims processing, and electronic payments nationwide for weeks.
## Key Facts
- **What:** ALPHV/BlackCat ransomware hit Change Healthcare via a portal without MFA.
- **Who:** Up to 190 million patients across the U.S. healthcare system.
- **Data Exposed:** Medical records, SSNs, insurance IDs, and billing information.
- **Outcome:** $22M ransom paid; total cost reached $2.87 billion for UnitedHealth.
## What Was Exposed
- Protected health information for 190 to 192.7 million individuals--approximately 2.5 times the 2015 Anthem breach
- Medical records including diagnoses, medications, test results, imaging data, and care and treatment plans
- Social Security numbers for a substantial subset of affected individuals
- Health insurance member IDs, Medicaid and Medicare identification numbers, and claims data
- Payment and billing information including banking details used for claims reimbursement
- Full names, addresses, dates of birth, phone numbers, and email addresses
- Six terabytes of data exfiltrated in total before ransomware encryption was deployed
Change Healthcare processes approximately one-third of all patient records in the
United States, serving as a critical clearinghouse between healthcare providers,
insurers, and pharmacies. The breadth of data it handles means the breach did not
affect a single hospital system or insurance plan but cut across the entire U.S.
healthcare ecosystem. Individuals whose data was exposed may never have directly
interacted with Change Healthcare or been aware that their medical records flowed
through its systems.
The combination of medical records with financial identifiers and Social Security
numbers creates compounding risk. Medical identity theft--where stolen health
data is used to obtain fraudulent care, file false insurance claims, or acquire
prescription drugs--is significantly more difficult to detect and remediate
than financial identity theft. Fraudulent entries in a victim's medical record
can affect future diagnoses, insurance eligibility, and even emergency treatment
decisions.
## Technical Failure Chain
The initial access vector was a Citrix remote-access portal used by Change
Healthcare employees and contractors. The portal was configured to accept
username-and-password authentication without multi-factor authentication (MFA).
The ALPHV/BlackCat affiliate obtained valid credentials--likely through
infostealer malware or credential-stuffing attacks using previously leaked
passwords--and logged into the portal on February 12, 2024.
Over the following nine days, the attackers moved laterally through Change
Healthcare's internal network, escalating privileges, mapping infrastructure,
and systematically exfiltrating data. The nine-day dwell time--while short
by historical standards--was sufficient to extract six terabytes of sensitive
data. The exfiltration volume indicates either a lack of data loss prevention
controls on outbound traffic or thresholds set too high to detect bulk transfers
of this magnitude.
On February 21, the attackers deployed ransomware, encrypting systems across
Change Healthcare's network and immediately disrupting operations. The encryption
triggered a cascading failure across the U.S. healthcare system. Pharmacies
including CVS and Walgreens could not process electronic prescriptions. Claims
processing halted. Electronic payment systems between providers and insurers
broke down. For weeks, hospitals and clinics across the country reverted to
manual processes or simply could not process claims at all.
UnitedHealth Group paid a $22 million Bitcoin ransom to the ALPHV/BlackCat
operation. In a development that underscored the inherent unreliability of
ransomware negotiations, the BlackCat operators then executed an exit scam:
they pocketed the $22 million payment and shut down their infrastructure
without sharing the ransom with the affiliate who conducted the actual attack.
The unpaid affiliate subsequently partnered with a different ransomware operation,
RansomHub, and launched a second extortion attempt against UnitedHealth Group.
UnitedHealth did not pay the second demand.
## Regulatory Analysis
The Change Healthcare breach sits squarely within the jurisdiction of the
Health Insurance Portability and Accountability Act (HIPAA), and the scale of
the incident has made it the defining test case for HIPAA enforcement in the
modern ransomware era. The Department of Health and Human Services' Office
for Civil Rights (HHS/OCR) opened a formal HIPAA investigation shortly after
the breach was disclosed. As of early 2025, no HIPAA fine has been announced,
but the investigation remains active. Given that HHS/OCR's largest prior
HIPAA penalty was $16 million against Anthem in 2018, the Change Healthcare
case--involving 2.5 times as many records and a more egregious security
failure--will set the new enforcement ceiling.
The specific technical failure--a remote-access portal without MFA--is
particularly damaging from a regulatory perspective. HHS/OCR has issued
repeated guidance emphasizing MFA as a critical safeguard for remote access
to systems containing protected health information. The HIPAA Security Rule
requires covered entities and business associates to implement access controls
appropriate to the sensitivity of the data they handle. A Citrix portal
providing network-level access to systems containing 190 million patient
records, protected only by a username and password, represents a failure so
fundamental that it undermines any claim of reasonable security compliance.
CEO Andrew Witty acknowledged this directly in his May 2024 testimony before
the Senate Finance Committee and the House Energy and Commerce Committee,
stating that MFA had not been enabled on the compromised portal.
The litigation response has been massive. At least 78 lawsuits were filed
in the months following the breach, and these have been consolidated into
a multidistrict litigation (MDL 3:24-md-03090) in the District of Minnesota.
The Nebraska Attorney General filed a separate state enforcement action.
Settlement framework discussions began in April 2025, but the sheer number
of affected individuals--nearly 60 percent of the U.S. population--and
the severity of the data exposure mean that any resolution will be measured
in billions of dollars. UnitedHealth Group distributed approximately $9
billion in no-interest loans to healthcare providers whose cash flow was
disrupted by the attack, a figure that provides some measure of the systemic
damage beyond the data exposure itself.
The breach has also accelerated legislative discussions about updating HIPAA
for the ransomware era. The original HIPAA Security Rule, drafted in the
late 1990s and last substantially updated in 2013, relies on an
“addressable” versus “required” framework that allows covered entities
significant discretion in choosing security controls. MFA, for example, is
not explicitly mandated--it falls under the general requirement for access
controls that the entity deems appropriate. HHS proposed updates to the
HIPAA Security Rule in late 2024 that would make MFA mandatory for remote
access to electronic protected health information. The Change Healthcare
breach is cited directly in the rulemaking justification as evidence that
the current discretionary framework is insufficient.
## What Should Have Been Done
**Multi-Factor Authentication on All Remote Access:** The single
most consequential failure in this breach was the absence of MFA on a Citrix
portal that provided access to systems containing 190 million patient records.
MFA has been a baseline security recommendation from every major cybersecurity
framework--NIST, CIS, CISA--for over a decade. Its absence on a remote-access
gateway for the largest healthcare claims processor in the United States is
indefensible. Every remote-access entry point must require MFA, and organizations
should implement phishing-resistant MFA (FIDO2/WebAuthn) rather than SMS or
app-based one-time codes, which remain vulnerable to real-time phishing and
SIM-swapping attacks. UnitedHealth Group's acquisition of Change Healthcare
in 2022 should have triggered a comprehensive security integration assessment
that would have identified this gap immediately.
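The initial-access vector described in the Technical Failure Chain and the MFA guidance in this paragraph can be turned into a concrete log audit. The following is an added example, not code from the original article or from UnitedHealth Group or Change Healthcare: it runs over constructed remote-access gateway log lines (the JSON field names `user`, `src_ip`, `result` and `mfa`, and the sample addresses, are assumptions), flags successful sessions established without any second factor, classifies the factor behind each successful session as phishing-resistant or phishable along the FIDO2/WebAuthn versus SMS/app-code line drawn above, and surfaces source addresses whose failed logins span many distinct accounts within a short window, the signature of credential stuffing rather than one user mistyping a password.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Factor types grouped by resistance to real-time phishing. The grouping follows the
# article's FIDO2/WebAuthn versus SMS/app-code distinction; the set members are assumptions.
PHISHING_RESISTANT = {"fido2", "webauthn", "piv", "smartcard"}
PHISHABLE = {"sms", "voice", "email", "totp", "push"}

# Constructed sample gateway log (not real Change Healthcare data): one JSON event per line.
# Field names are assumptions. 203.0.113.10 fails against six accounts in under a minute and
# then logs in as jdoe with no second factor; the other two sources are ordinary users.
SAMPLE_LOG = """\
{"ts": "2024-02-12T02:00:05Z", "user": "kwong",  "src_ip": "203.0.113.10", "result": "failure", "mfa": null}
{"ts": "2024-02-12T02:00:11Z", "user": "mlee",   "src_ip": "203.0.113.10", "result": "failure", "mfa": null}
{"ts": "2024-02-12T02:00:18Z", "user": "rpatel", "src_ip": "203.0.113.10", "result": "failure", "mfa": null}
{"ts": "2024-02-12T02:00:24Z", "user": "dchen",  "src_ip": "203.0.113.10", "result": "failure", "mfa": null}
{"ts": "2024-02-12T02:00:31Z", "user": "jdoe",   "src_ip": "203.0.113.10", "result": "failure", "mfa": null}
{"ts": "2024-02-12T02:00:39Z", "user": "asmith", "src_ip": "203.0.113.10", "result": "failure", "mfa": null}
{"ts": "2024-02-12T02:01:02Z", "user": "jdoe",   "src_ip": "203.0.113.10", "result": "success", "mfa": null}
{"ts": "2024-02-12T08:15:00Z", "user": "asmith", "src_ip": "198.51.100.7", "result": "failure", "mfa": null}
{"ts": "2024-02-12T08:15:20Z", "user": "asmith", "src_ip": "198.51.100.7", "result": "success", "mfa": "fido2"}
{"ts": "2024-02-12T09:00:00Z", "user": "mlee",   "src_ip": "192.0.2.44",   "result": "success", "mfa": "sms"}
"""


def parse_events(text):
    """Parse one JSON event per line; timestamps become timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def logins_without_mfa(events):
    """Successful sessions where no second factor was presented at all."""
    return [(e["user"], e["src_ip"]) for e in events
            if e["result"] == "success" and not e.get("mfa")]


def classify_mfa(method):
    """Label a factor type: none, phishing-resistant, phishable, or unknown."""
    if not method:
        return "none"
    m = method.lower()
    if m in PHISHING_RESISTANT:
        return "phishing-resistant"
    if m in PHISHABLE:
        return "phishable"
    return "unknown"


def credential_stuffing_sources(events, min_users=5, window=timedelta(minutes=10)):
    """Source IPs whose failures cover >= min_users distinct accounts inside any window.

    A sliding window per source keeps a count of distinct usernames; the peak count is
    what gets compared with the threshold, so slow-and-steady sprays are not missed.
    """
    by_ip = {}
    for e in events:
        if e["result"] == "failure":
            by_ip.setdefault(e["src_ip"], []).append((e["ts"], e["user"]))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        in_window = Counter()
        start = 0
        peak = 0
        for ts, user in fails:
            in_window[user] += 1
            while ts - fails[start][0] > window:  # drop events that fell out of the window
                old_user = fails[start][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_users:
            flagged[ip] = peak
    return flagged


def audit(text):
    """Run all three checks over a log and return the findings as plain data."""
    events = parse_events(text)
    return {
        "no_mfa_logins": logins_without_mfa(events),
        "stuffing_sources": credential_stuffing_sources(events),
        "mfa_by_success": {e["user"]: classify_mfa(e.get("mfa"))
                           for e in events if e["result"] == "success"},
    }


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the constructed log the audit reports one session with no second factor (jdoe from 203.0.113.10), flags 203.0.113.10 for failing against six distinct accounts, and labels asmith's FIDO2 login phishing-resistant while mlee's SMS code is only phishable. The thresholds and window are starting points; the useful part of the pattern is that the no-MFA check is a standing control, not a one-off, so a gateway that drifts back to password-only login is noticed the same day.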
**Network Segmentation and Data Loss Prevention:** The attackers
exfiltrated six terabytes of data over nine days without triggering alerts
sufficient to stop the breach before ransomware deployment. This indicates
inadequate network segmentation between the remote-access environment and
production databases, and insufficient data loss prevention monitoring on
outbound traffic. A properly segmented architecture would require the
attacker to compromise multiple security boundaries to move from a Citrix
portal to databases containing patient records. Egress monitoring with
anomaly detection should flag any outbound data transfer measured in
terabytes, regardless of whether it is encrypted or staged across multiple
sessions.
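An egress check of the kind this paragraph calls for, and one that the nine-day exfiltration in the Technical Failure Chain would have given plenty of time to fire, as an added example that is not taken from the article or from any vendor product. It aggregates constructed flow summaries (timestamp, internal host, destination, bytes sent; the record layout, the internal address ranges, and the 500 GiB daily and 1 TiB cumulative limits are assumptions chosen for illustration) per host and per day, ignores east-west traffic between internal ranges, and raises a finding both for a single-day burst and for a transfer staged across several days that stays under the daily limit on each of them.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Address ranges treated as internal; traffic to anything else counts as egress. Assumption.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GiB = 1024 ** 3

# Constructed flow summaries (not real telemetry): (timestamp, internal host, destination, bytes sent).
# 10.20.5.17 stays under 500 GiB on every day but moves 1100 GiB over three days;
# 10.20.8.50 sends 600 GiB in one burst; 10.20.7.3 only copies data to another internal host
# plus a few GiB outbound.
SAMPLE_FLOWS = [
    ("2024-02-13T01:10:00", "10.20.5.17", "203.0.113.9", 180 * GiB),
    ("2024-02-13T03:40:00", "10.20.5.17", "203.0.113.9", 210 * GiB),
    ("2024-02-14T02:05:00", "10.20.5.17", "198.51.100.30", 150 * GiB),
    ("2024-02-14T23:55:00", "10.20.5.17", "198.51.100.30", 160 * GiB),
    ("2024-02-15T02:30:00", "10.20.5.17", "203.0.113.9", 190 * GiB),
    ("2024-02-15T04:10:00", "10.20.5.17", "203.0.113.9", 210 * GiB),
    ("2024-02-14T01:00:00", "10.20.8.50", "203.0.113.9", 600 * GiB),
    ("2024-02-13T09:00:00", "10.20.7.3", "10.20.9.40", 900 * GiB),
    ("2024-02-13T10:00:00", "10.20.7.3", "203.0.113.9", 2 * GiB),
    ("2024-02-14T10:00:00", "10.20.7.3", "203.0.113.9", 3 * GiB),
]


def is_external(ip_text):
    """True when the destination lies outside every configured internal range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def daily_egress(flows):
    """Sum outbound bytes per internal host per calendar day, external destinations only."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        if not is_external(dst):
            continue  # east-west traffic is a segmentation question, not egress
        day = datetime.fromisoformat(ts).date().isoformat()
        totals[src][day] += nbytes
    return totals


def flag_hosts(flows, daily_limit=500 * GiB, cumulative_limit=1024 * GiB):
    """Return {host: [reasons]} for hosts that breach the daily or the cumulative limit.

    The cumulative check is what catches an exfiltration staged across many sessions
    and days, each of which looks unremarkable on its own.
    """
    findings = {}
    for host, days in daily_egress(flows).items():
        reasons = []
        for day, total in sorted(days.items()):
            if total > daily_limit:
                reasons.append(f"{day}: {total / GiB:.0f} GiB outbound exceeds daily limit "
                               f"of {daily_limit / GiB:.0f} GiB")
        cumulative = sum(days.values())
        if cumulative > cumulative_limit:
            reasons.append(f"cumulative {cumulative / GiB:.0f} GiB over {len(days)} days "
                           f"exceeds {cumulative_limit / GiB:.0f} GiB")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in flag_hosts(SAMPLE_FLOWS).items():
        for reason in reasons:
            print(f"{host}: {reason}")
```

The fixed limits here are placeholders; in practice they are set per host class against an observed baseline, and the cumulative window is sized to the dwell times seen in real incidents rather than to a single day. What the example shows is the structure: egress is counted at the boundary regardless of encryption or session count, so splitting six terabytes across nine days and many connections does not hide it.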
**Ransomware Payment Strategy:** The $22 million ransom payment
yielded no meaningful benefit. BlackCat's exit scam meant the payment did
not even secure data deletion, and the subsequent second extortion attempt
by the unpaid affiliate demonstrated the fundamental unreliability of
ransomware negotiations. Organizations must develop and rehearse ransomware
response plans that prioritize containment, backup restoration, and law
enforcement coordination over ransom payment. The FBI, CISA, and HHS
consistently advise against paying ransoms precisely because payment funds
criminal operations and provides no guarantee of data recovery or deletion.
UnitedHealth's $22 million payment ultimately financed a criminal exit
scam and did nothing to reduce the harm to 190 million patients.
The Change Healthcare breach compromised the medical records of 190 million
Americans because a single Citrix portal lacked multi-factor authentication.
A $22 million ransom payment funded a criminal exit scam, a second extortion
attempt followed, and the total cost exceeded $2.87 billion. For any
organization in the healthcare sector--or any sector handling sensitive
data at scale--the lesson is unambiguous: MFA on remote access is not
optional, network segmentation is not negotiable, and ransom payments are
not a recovery strategy.