The Change Healthcare Attack: How Stolen Credentials and a Missing MFA Config Exposed 190 Million Patient Records

On 21 February 2024, UnitedHealth Group disclosed that its subsidiary Change Healthcare was experiencing a cyber attack. The attacker group, ALPHV (also known as BlackCat), had used stolen credentials to log into a Citrix remote access portal that didn't have multi-factor authentication (MFA) enabled. They spent nine days inside the network before deploying ransomware.
The fallout spread across the whole US healthcare system. Change Healthcare handles 15 billion healthcare transactions a year and touches one in every three patient records in the country. When its systems went offline, prescription processing stopped, insurance eligibility checks failed, and claims payments froze. Pharmacies couldn't verify whether patients had active coverage, and hospitals couldn't get authorisation for scheduled procedures. The American Hospital Association (AHA) surveyed nearly 1,000 hospitals and found that 74% reported direct patient care impact.
As of July 2025, roughly 192.7 million people have been told their data was exposed. The HHS Office for Civil Rights (OCR) called it the largest healthcare data breach in US history.
What everyone thinks happened
The simplified version goes like this: a skilled ransomware group found a complex flaw in Change Healthcare's systems, deployed ransomware, and demanded payment. The company paid and things went back to normal.
Almost none of that version is accurate.
The initial access point was a Citrix remote access portal without MFA, not a zero-day vulnerability or a novel exploit chain. It was a remote access application protected by a username and password alone, sitting on the internet. The attackers logged in with stolen credentials, which is the digital equivalent of walking through a door that's been left unlocked.
The ransomware deployment was the final step of the attack, not the beginning. The attackers had nine days of undetected access beforehand, during which they moved laterally through the network and exfiltrated data.
And paying the ransom didn't resolve the situation. The ALPHV operators took the USD 22 million payment and disappeared. The affiliate who actually conducted the attack was left unpaid, still holding a copy of the stolen data. That affiliate then took the data to a different ransomware group for a second extortion attempt. UnitedHealth Group faced two separate ransom demands from two different groups for the same breach.
What actually happened: the technical walkthrough
The initial access: credentials and a missing MFA configuration
UnitedHealth Group CEO Andrew Witty confirmed the attack chain in sworn testimony before the US Senate Finance Committee on 1 May 2024. The threat actors used stolen credentials to remotely access a Change Healthcare Citrix portal. The portal did not have multi-factor authentication enabled.
Senator Ron Wyden, chairman of the Senate Finance Committee, described MFA as "an industry-standard cyber defence" in his opening statement. He called the breach "completely preventable and the direct result of corporate negligence."
How the credentials were stolen has not been publicly disclosed. It could've been phishing, credential stuffing, a dark web purchase, or another method. What's known is that the credentials worked, and no second factor stood between the attacker and the network.
Witty testified that UnitedHealth was "continuing to investigate as to exactly why MFA was not on that particular service." That raises a question that goes beyond this one breach. A company with USD 324 billion in annual revenue processes USD 1.5 trillion in medical claims each year. How does a single internet-facing remote access portal end up without MFA?
Nine days of lateral movement
Once inside, the attackers moved across the network for nine days before deploying ransomware. Witty described this movement as happening "in more sophisticated ways" but didn't give detail on the specific methods used.
CISA's advisory on ALPHV/BlackCat (AA23-353A, updated 27 February 2024) covers the group's typical tactics. ALPHV affiliates install remote access tools like AnyDesk and Splashtop to keep their foothold. They use the open-source Evilginx2 tool to grab MFA tokens, login details, and session cookies. They then stage stolen data using tools like Mega sync.
Nine days is a long time for attackers to stay hidden. During that window, they were pulling data from a company that handles one in three patient records in America. The gap between the first login and the ransomware going live was when most of the damage happened.
The ransomware deployment and response
On roughly 21 February 2024, the ransomware went live. UnitedHealth spotted the attack and cut all links to Change Healthcare's data centres to stop it spreading. The company filed an SEC 8-K disclosure on the same day, initially blaming "a suspected nation-state associated cyber security threat actor." ALPHV/BlackCat later claimed it was them.
Change Healthcare pulled the affected system offline and shut down other systems to contain the spread. That step, while needed, meant every healthcare group that relied on Change Healthcare's systems lost access at once.
The scale of disruption
The impact hit immediately and spread across the entire country. The Congressional Research Service (CRS) described "a cascade of real-world consequences across the nation, with individuals unable to use their insurance coverage for prescriptions and cash flow issues for pharmacies as payments were frozen."
The AHA surveyed nearly 1,000 hospitals in March 2024 and the results quantified the damage:
- 74% reported direct patient care impact, including delays in authorisations for medically necessary care
- 94% reported financial impact from the attack
- 33% reported that the attack disrupted more than half of their revenue
- 60% required two weeks to three months to resume normal operations after Change Healthcare's services were restored
Change Healthcare runs more than 100 critical functions that keep the US healthcare system going. The AHA said the attack "endangered patients' access to care, disrupted critical clinical and eligibility operations, and threatened the solvency of the nation's provider network."
On 5 March 2024, HHS put emergency measures in place. It helped Medicaid and Medicare members switch clearinghouses, eased prior authorisation rules, and sped up payments to affected providers. UnitedHealth Group put up over USD 9 billion in advance funding and interest-free loans to keep care providers running.
The ransom payment, the exit scam, and the second extortion
A USD 22 million decision
Witty confirmed in his Senate testimony that UnitedHealth paid the ransom. He said the decision "was mine" and it was "one of the hardest decisions I've ever had to make." The amount was USD 22 million, paid in Bitcoin (approximately 350 BTC).
Blockchain analysis from TRM Labs and Recorded Future confirmed the payment. A single crypto wallet took in 350 bitcoins worth roughly USD 22 million. That wallet had received 1,401 bitcoins in total, worth over USD 92 million, before being drained.
The ALPHV exit scam
What happened next was reported widely by security researchers, though no official government statement has confirmed the details.
In early March 2024, the ALPHV/BlackCat operators put up what looked like an FBI seizure banner on their dark web leak site. Security researcher Fabian Wosar spotted it as fake. He noted it had been "extracted from an archive" of the real December 2023 seizure and the site was running "a Python SimpleHTTPServer to serve the fake banner." Both Europol and the UK's National Crime Agency denied any role in a new seizure.
The operators had taken the full USD 22 million and vanished in a textbook exit scam. They collected the ransom from UnitedHealth, refused to pay the affiliate who'd actually done the attack, put up a fake seizure banner as cover, and shut down.
The second extortion attempt via RansomHub
The affiliate behind the Change Healthcare attack, known as "Notchy," posted on the RAMP dark web forum. Notchy claimed ALPHV had taken the full ransom and refused to share it. Notchy also said they still held a copy of all 4 terabytes (TB) of stolen Change Healthcare data.
In April 2024, Notchy took that data to RansomHub, a different ransomware-as-a-service (RaaS) group that had started up in February 2024. RansomHub published files with patient details: billing records, insurance data, and medical notes, plus contracts between Change Healthcare and its partners. They demanded more money and threatened to sell the data to the highest bidder within 12 days.
UnitedHealth refused to pay a second ransom demand.
This shows one of the core problems with paying ransomware demands. Even after paying, UnitedHealth had no way to know the data would be deleted. They had no control over who held copies and no shield against further extortion from different groups using the same stolen data.
Myth versus fact
Myth: the attackers exploited a sophisticated zero-day vulnerability
The initial access used stolen credentials on a portal without MFA. No zero-day was involved at any stage of the breach. The attack exploited a config gap that's been flagged as a critical risk for over a decade. CISA, NIST, and nearly every cybersecurity framework out there call for MFA on all remote access points. The attack worked because a basic, well-known control was missing from one application.
Myth: paying the ransom resolved the situation
UnitedHealth paid USD 22 million and got nothing for it. The ALPHV operators took the money and vanished. The affiliate who'd done the attack kept a full copy of the stolen data and used it for a second extortion try through a different group. The data ended up partly published online anyway. The ransom payment didn't prevent data exposure, didn't guarantee deletion, and didn't stop further extortion demands.
Myth: this was an attack on one company
Change Healthcare handles 15 billion transactions a year and provides more than 100 critical functions to the US healthcare system. When its systems went down, the effects rippled across the whole sector. Pharmacies, hospitals, clinics, insurers, and patients were all hit. The AHA said the disruption threatened "the solvency of the nation's provider network." This was not a contained breach at one company. It was a systemic event driven by concentration risk in healthcare infrastructure.
Myth: ALPHV was a new threat group
ALPHV/BlackCat had been active for years before the Change Healthcare attack. The DOJ ran a takedown against ALPHV's infrastructure in December 2023, just two months before this breach. The FBI built a decryption tool that helped over 500 victims and saved roughly USD 68 million in ransom demands. CISA called ALPHV "the second most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world."
The December 2023 takedown prompted ALPHV's admin to post a message urging affiliates to target hospitals in retaliation. The Change Healthcare attack followed within weeks.
What would have reduced the impact
MFA on every remote access point
This is the single control that would've prevented the initial access. The Citrix portal was protected by credentials alone. Phishing-resistant MFA (hardware tokens or FIDO2, not SMS or push notifications) would've stopped the attackers even if they had valid credentials. CISA's advisory specifically recommends phishing-resistant MFA because ALPHV affiliates use the Evilginx2 framework to bypass standard MFA methods through adversary-in-the-middle attacks.
Network segmentation to limit lateral movement
Nine days of lateral movement inside the network points to a detection and containment failure. Segmenting critical systems apart from each other would've limited how far the breach could spread. If the Citrix portal's segment had been walled off from systems holding patient records and claims data, the attackers would've had to break through more barriers to reach anything sensitive.
Monitoring for anomalous lateral movement
The nine-day gap between first access and ransomware going live was the window where detection could've broken the attack chain. Watching for odd login patterns, surprise remote access tool installs (AnyDesk, Splashtop), and unusual data transfers would've raised red flags during that window.
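As an added example (not from the article, and not anything UnitedHealth or Change Healthcare ran), here is a small Python triage pass over constructed log events that flags the three indicators named above: a successful remote-access login with no second factor recorded, a remote access tool (AnyDesk, Splashtop) appearing on a host not approved to run it, and outbound volume to a single destination far above a baseline. Host names, users, destinations, thresholds and the allowlist are all assumptions.

```python
from collections import defaultdict

# Constructed sample events (invented hosts, users and destinations), in the
# normalised dict form an analyst might pull from a SIEM: one auth record,
# one process-creation record and one network-flow record per source.
EVENTS = [
    {"kind": "auth", "ts": "2024-02-12T03:14:00Z", "host": "citrix-gw01",
     "user": "svc_remote", "mfa_method": None, "result": "success"},
    {"kind": "auth", "ts": "2024-02-12T09:02:00Z", "host": "citrix-gw01",
     "user": "j.doe", "mfa_method": "fido2", "result": "success"},
    {"kind": "process", "ts": "2024-02-13T11:40:00Z", "host": "ws-fin-22",
     "image": "C:\\Users\\Public\\AnyDesk.exe", "parent": "powershell.exe"},
    {"kind": "process", "ts": "2024-02-13T11:41:00Z", "host": "helpdesk-03",
     "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "parent": "explorer.exe"},
    {"kind": "flow", "ts": "2024-02-18T02:10:00Z", "host": "db-claims-07",
     "dest": "mega.nz", "bytes_out": 800 * 1024**3},
    {"kind": "flow", "ts": "2024-02-18T08:00:00Z", "host": "ws-fin-22",
     "dest": "update.example.com", "bytes_out": 40 * 1024**2},
]

REMOTE_ACCESS_TOOLS = ("anydesk", "splashtop")      # tools CISA's advisory names
RAT_ALLOWLIST = {"helpdesk-03"}                      # assumed: hosts approved to run them
INTERNET_FACING_GATEWAYS = {"citrix-gw01"}          # assumed: remote-access inventory
EGRESS_BASELINE_BYTES = 10 * 1024**3                # assumed: per host/destination baseline


def triage(events):
    """Return (rule, host, detail) findings for the indicators the article lists."""
    findings = []
    egress = defaultdict(int)   # (host, dest) -> total bytes out
    for e in events:
        if e["kind"] == "auth" and e["host"] in INTERNET_FACING_GATEWAYS:
            # Successful remote-access login with no second factor recorded.
            if e["result"] == "success" and not e["mfa_method"]:
                findings.append(("login_without_mfa", e["host"], e["user"]))
        elif e["kind"] == "process":
            image = e["image"].lower()
            # Remote access tool appearing on a host not approved to run it.
            if any(t in image for t in REMOTE_ACCESS_TOOLS) and e["host"] not in RAT_ALLOWLIST:
                findings.append(("unexpected_remote_access_tool", e["host"], e["image"]))
        elif e["kind"] == "flow":
            egress[(e["host"], e["dest"])] += e["bytes_out"]
    # Outbound volume to one destination well above baseline suggests staging or exfiltration.
    for (host, dest), total in egress.items():
        if total > EGRESS_BASELINE_BYTES:
            findings.append(("anomalous_egress", host, f"{dest}:{total // 1024**3}GiB"))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(*finding)
```

The FIDO2 login and the allowlisted helpdesk host pass, so the three findings left are exactly the kind of events that would have been visible during the nine-day window.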
Concentration risk assessment for healthcare infrastructure
Senator Wyden raised a structural point: "Regulators must prevent companies in critical infrastructure sectors like health care from growing so large that they pose a systemic risk, as occurred here." When one company handles one in three patient records and runs more than 100 critical functions, a single breach becomes a sector-wide crisis. That kind of concentration risk is not just a cybersecurity problem. It's a business continuity risk as well.
Incident response planning with manual fallbacks
The groups that coped best were those with manual backup steps for claims processing, prescription checks, and eligibility verification. Response plans that assumed all digital systems might go down at once proved more useful than plans focused only on restoring the hacked systems.
What changed after the attack
Regulatory response
The HHS Office for Civil Rights opened a formal investigation into Change Healthcare and UnitedHealth Group. The probe focused on whether a breach of unprotected health data occurred and whether the companies followed HIPAA rules. OCR Director Melanie Fontes Rainer called the attack a "cyberattack of unprecedented magnitude" (as noted in the October 2024 escalation review).
In December 2024, HHS proposed updates to the HIPAA Security Rule. The changes would require health plans, clearinghouses, and most providers to strengthen protections for patient data. The Change Healthcare breach was directly cited as the reason for the proposed rule.
Legislative response
Senator Wyden pushed the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) to investigate UnitedHealth Group's cyber practices. In September 2024, Senators Wyden and Warner brought forward a healthcare cybersecurity bill to set binding security standards for large healthcare firms. Wyden also demanded copies of audit reports from UnitedHealth Group in October 2024.
Criminal prosecutions
In 2025, two Americans who'd worked as ALPHV/BlackCat affiliates pleaded guilty to deploying ransomware against multiple US victims between April and December 2023. Ryan Goldberg (40, Georgia) and Kevin Martin (36, Texas) had agreed to give the ALPHV operators a 20% cut of any ransoms in exchange for access to the ransomware platform.
A detail from the DOJ press release stands out: "All three men worked in the cybersecurity industry." They "had special skills and experience in securing computer systems against harm, including the type of harm they themselves were committing."
The ALPHV ecosystem aftermath
After the exit scam, former ALPHV affiliates migrated to other RaaS platforms. CISA's August 2024 advisory on RansomHub (AA24-242A) confirmed that RansomHub "has recently attracted high-profile affiliates from other prominent variants such as LockBit and ALPHV." By that point, RansomHub had hit at least 210 victims across water, IT, government, healthcare, and emergency services.
The ALPHV/BlackCat operation itself looks like it's ended, but the affiliates, the expertise, and the operational model dispersed into new platforms. The infrastructure changed but the threat carried on unchanged.
The financial cost
UnitedHealth Group's SEC filings quantify the direct financial impact:
- Q1 2024: USD 872 million in unfavourable cyberattack effects, including USD 340 million in medical costs related to the temporary suspension of care management activities
- Full year 2024: USD 2.223 billion in direct cyberattack response costs
- Over USD 9 billion in advance funding and interest-free loans provided to care providers affected by the disruption
The USD 22 million ransom payment is a footnote against these figures. The ransom was approximately 1% of the total direct response costs. The real cost was the disruption itself: notifying roughly 190 million people, running the investigation, fixing the damage, and dealing with the ongoing legal and regulatory fallout.
UnitedHealth Group reported full-year 2024 earnings from operations of USD 32.3 billion. The company's large enough to absorb a USD 2.2 billion incident. Many of the healthcare providers that depended on Change Healthcare's systems weren't.