USA | February 21, 2024 | 11 min read
On February 21, 2024, an ALPHV/BlackCat ransomware affiliate deployed ransomware across Change Healthcare's systems after gaining initial access nine days earlier through a Citrix remote-access portal protected by stolen credentials and no multi-factor authentication. The attackers exfiltrated six terabytes of data--including medical records, diagnoses, Social Security numbers, and insurance information for up to 190 million individuals--before encrypting the network.
Key Facts
- What: ALPHV/BlackCat ransomware hit Change Healthcare via a portal without MFA.
- Who: Up to 190 million patients across the U.S. healthcare system.
- Data Exposed: Medical records, SSNs, insurance IDs, and billing information.
- Outcome: $22M ransom paid; total cost reached $3.09 billion for UnitedHealth.
What Was Exposed
- Protected health information for 190 to 192.7 million individuals--approximately 2.5 times the 2015 Anthem breach
- Medical records including diagnoses, medications, test results, imaging data, and care and treatment plans
- Social Security numbers for a substantial subset of affected individuals
- Health insurance member IDs, Medicaid and Medicare identification numbers, and claims data
- Payment and billing information including banking details used for claims reimbursement
- Full names, addresses, dates of birth, phone numbers, and email addresses
- Six terabytes of data exfiltrated in total before ransomware encryption was deployed
Change Healthcare processes approximately one-third of all patient records in the United States, serving as a critical clearinghouse between healthcare providers, insurers, and pharmacies. The breadth of data it handles means the breach did not affect a single hospital system or insurance plan but cut across the entire U.S. healthcare ecosystem. Individuals whose data was exposed may never have directly interacted with Change Healthcare or been aware that their medical records flowed through its systems.
The combination of medical records with financial identifiers and Social Security numbers creates compounding risk. Medical identity theft--where stolen health data is used to obtain fraudulent care, file false insurance claims, or acquire prescription drugs--is significantly more difficult to detect and remediate than financial identity theft. Fraudulent entries in a victim's medical record can affect future diagnoses, insurance eligibility, and even emergency treatment decisions.
Technical Failure Chain
The initial access vector was a Citrix remote-access portal used by Change Healthcare employees and contractors. The portal was configured to accept username-and-password authentication without multi-factor authentication (MFA).
The ALPHV/BlackCat affiliate obtained valid credentials--likely through infostealer malware or credential-stuffing attacks using previously leaked passwords--and logged into the portal on February 12, 2024.
Over the following nine days, the attackers moved laterally through Change Healthcare's internal network, escalating privileges, mapping infrastructure, and systematically exfiltrating data. The nine-day dwell time--while short by historical standards--was sufficient to extract six terabytes of sensitive data. The exfiltration volume indicates either a lack of data loss prevention controls on outbound traffic or thresholds set too high to detect bulk transfers of this magnitude.
On February 21, the attackers deployed ransomware, encrypting systems across Change Healthcare's network and immediately disrupting operations. The encryption triggered a cascading failure across the U.S. healthcare system. Pharmacies including CVS and Walgreens could not process electronic prescriptions. Claims processing halted. Electronic payment systems between providers and insurers broke down. For weeks, hospitals and clinics across the country reverted to manual processes or simply could not process claims at all.
UnitedHealth Group paid a $22 million Bitcoin ransom to the ALPHV/BlackCat operation. In a development that underscored the inherent unreliability of ransomware negotiations, the BlackCat operators then executed an exit scam: they pocketed the $22 million payment and shut down their infrastructure without sharing the ransom with the affiliate who conducted the actual attack.
The unpaid affiliate subsequently partnered with a different ransomware operation, RansomHub, and launched a second extortion attempt against UnitedHealth Group.
UnitedHealth did not pay the second demand.
Regulatory Analysis
The Change Healthcare breach sits squarely within the jurisdiction of the Health Insurance Portability and Accountability Act (HIPAA), and the scale of the incident has made it the defining test case for HIPAA enforcement in the modern ransomware era. The Department of Health and Human Services' Office for Civil Rights (HHS/OCR) opened a formal HIPAA investigation shortly after the breach was disclosed. As of early 2025, no HIPAA fine has been announced, but the investigation remains active.
Given that HHS/OCR's largest prior HIPAA penalty was $16 million against Anthem in 2018, the Change Healthcare case--involving 2.5 times as many records and a more egregious security failure--will set the new enforcement ceiling.
The specific technical failure--a remote-access portal without MFA--is particularly damaging from a regulatory perspective. HHS/OCR has issued repeated guidance emphasizing MFA as a critical safeguard for remote access to systems containing protected health information. The HIPAA Security Rule requires covered entities and business associates to implement access controls appropriate to the sensitivity of the data they handle.
A Citrix portal providing network-level access to systems containing 190 million patient records, protected only by a username and password, represents a failure so fundamental that it undermines any claim of reasonable security compliance.
CEO Andrew Witty acknowledged this directly in his May 2024 testimony before the Senate Finance Committee and the House Energy and Commerce Committee, stating that MFA had not been enabled on the compromised portal.
The litigation response has been massive. At least 78 lawsuits were filed in the months following the breach, and these have been consolidated into a multidistrict litigation (MDL 3:24-md-03090) in the District of Minnesota.
The Nebraska Attorney General filed a separate state enforcement action.
Settlement framework discussions began in April 2025, but the sheer number of affected individuals--nearly 60 percent of the U.S. population--and the severity of the data exposure mean that any resolution will be measured in billions of dollars. UnitedHealth Group distributed approximately $9 billion in no-interest loans to healthcare providers whose cash flow was disrupted by the attack, a figure that provides some measure of the systemic damage beyond the data exposure itself.
The breach has also accelerated legislative discussions about updating HIPAA for the ransomware era. The original HIPAA Security Rule, drafted in the late 1990s and last substantially updated in 2013, relies on an “addressable” versus “required” framework that allows covered entities significant discretion in choosing security controls. MFA, for example, is not explicitly mandated--it falls under the general requirement for access controls that the entity deems appropriate.
HHS proposed updates to the HIPAA Security Rule in late 2024 that would make MFA mandatory for remote access to electronic protected health information. The Change Healthcare breach is cited directly in the rulemaking justification as evidence that the current discretionary framework is insufficient.
What Should Have Been Done
Multi-Factor Authentication on All Remote Access: The single most consequential failure in this breach was the absence of MFA on a Citrix portal that provided access to systems containing 190 million patient records.
MFA has been a baseline security recommendation from every major cybersecurity framework--NIST, CIS, CISA--for over a decade. Its absence on a remote-access gateway for the largest healthcare claims processor in the United States is indefensible. Every remote-access entry point must require MFA, and organizations should implement phishing-resistant MFA (FIDO2/WebAuthn) rather than SMS or app-based one-time codes, which remain vulnerable to real-time phishing and SIM-swapping attacks.
UnitedHealth Group's acquisition of Change Healthcare in 2022 should have triggered a comprehensive security integration assessment that would have identified this gap immediately.
Network Segmentation and Data Loss Prevention: The attackers exfiltrated six terabytes of data over nine days without triggering alerts sufficient to stop the breach before ransomware deployment. This indicates inadequate network segmentation between the remote-access environment and production databases, and insufficient data loss prevention monitoring on outbound traffic. A properly segmented architecture would require the attacker to compromise multiple security boundaries to move from a Citrix portal to databases containing patient records.
Egress monitoring with anomaly detection should flag any outbound data transfer measured in terabytes, regardless of whether it is encrypted or staged across multiple sessions.
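The detection the two passages above call for (the dwell-time analysis in the failure chain and the egress-monitoring recommendation here) can be sketched as a rolling-window aggregation over outbound flow records. The block below is an added illustration, not code from the article or from Change Healthcare; the flow records, IP addresses and thresholds are constructed, and the point it demonstrates is that staging a transfer across many sessions defeats a per-flow threshold but not a per-source cumulative one.

```python
"""Rolling-window egress detection over constructed flow records."""
from collections import defaultdict
from datetime import datetime, timedelta

GIB = 1024 ** 3
# Constructed thresholds (not from the article): alert on a single outbound
# flow over 50 GiB, or on more than 200 GiB from one source within 7 days.
PER_FLOW_LIMIT = 50 * GIB
WINDOW_LIMIT = 200 * GIB
WINDOW = timedelta(days=7)

# Constructed flows: (UTC timestamp, internal src, external dst, bytes out).
# Host 10.0.5.20 keeps each session under the per-flow limit on purpose.
FLOWS = [
    ("2024-01-20T03:00:00", "10.0.5.20", "203.0.113.7", 60 * GIB),
    ("2024-02-13T02:10:00", "10.0.5.20", "203.0.113.7", 30 * GIB),
    ("2024-02-13T09:45:00", "10.0.8.11", "198.51.100.9", 2 * GIB),
    ("2024-02-14T01:30:00", "10.0.5.20", "203.0.113.7", 40 * GIB),
    ("2024-02-15T01:30:00", "10.0.5.20", "203.0.113.7", 45 * GIB),
    ("2024-02-16T01:30:00", "10.0.5.20", "203.0.113.7", 48 * GIB),
    ("2024-02-17T01:30:00", "10.0.5.20", "203.0.113.7", 45 * GIB),
    ("2024-02-17T10:00:00", "10.0.8.11", "198.51.100.9", 1 * GIB),
]

def parse_flow(rec):
    ts, src, dst, nbytes = rec
    return datetime.fromisoformat(ts), src, dst, nbytes

def detect_bulk_egress(flows, per_flow_limit=PER_FLOW_LIMIT,
                       window_limit=WINDOW_LIMIT, window=WINDOW):
    """Return (rule, src, bytes) alerts; one cumulative alert per source."""
    alerts, flagged = [], set()
    history = defaultdict(list)  # src -> [(ts, bytes)] inside the window
    for ts, src, _dst, nbytes in sorted(map(parse_flow, flows)):
        if nbytes > per_flow_limit:
            alerts.append(("single_flow", src, nbytes))
        # Drop flows older than the window start, then sum what remains.
        cutoff = ts - window
        history[src] = [(t, b) for t, b in history[src] + [(ts, nbytes)]
                        if t >= cutoff]
        total = sum(b for _, b in history[src])
        if total > window_limit and src not in flagged:
            flagged.add(src)
            alerts.append(("cumulative", src, total))
    return alerts

if __name__ == "__main__":
    for rule, src, nbytes in detect_bulk_egress(FLOWS):
        print(f"{rule:12s} {src:12s} {nbytes / GIB:.0f} GiB")
```

In the constructed data the January flow trips the single-flow rule, while the February sessions from the same host never do individually and are caught only by the 7-day cumulative rule; a real deployment would key on user or service identity as well as source address.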
Ransomware Payment Strategy: The $22 million ransom payment yielded no meaningful benefit. BlackCat's exit scam meant the payment did not even secure data deletion, and the subsequent second extortion attempt by the unpaid affiliate demonstrated the fundamental unreliability of ransomware negotiations. Organizations must develop and rehearse ransomware response plans that prioritize containment, backup restoration, and law enforcement coordination over ransom payment.
The FBI, CISA, and HHS consistently advise against paying ransoms precisely because payment funds criminal operations and provides no guarantee of data recovery or deletion.
UnitedHealth's $22 million payment ultimately financed a criminal exit scam and did nothing to reduce the harm to 190 million patients.
The Change Healthcare breach compromised the medical records of 190 million Americans because a single Citrix portal lacked multi-factor authentication.
A $22 million ransom payment funded a criminal exit scam, a second extortion attempt followed, and the total cost exceeded $3.09 billion. For any organization in the healthcare sector--or any sector handling sensitive data at scale--the lesson is unambiguous: MFA on remote access is not optional, network segmentation is not negotiable, and ransom payments are not a recovery strategy.