
U.S. Health Tech Severely Disrupted by Widespread Cyberattack

CEO Times Contributor

In late February 2024, a major cyberattack linked to the ALPHV/BlackCat ransomware group struck Change Healthcare—part of UnitedHealth Group—triggering a system-wide outage that crippled vital infrastructure across the U.S. healthcare sector. The incident, launched on February 21, targeted the claims processing network that handles roughly 15 billion medical transactions annually, making it one of the most disruptive cyberattacks in health technology history.

BlackCat claimed responsibility, alleging the theft of approximately 6 terabytes of sensitive data, including health records, payment details, and personally identifiable information spanning military and civilian sources. In response, Change Healthcare disconnected affected systems, leading to cascading failures: pharmacies stopped dispensing medications electronically, hospitals halted billing processes, and clinics faced cash flow crises as insurance claims went unprocessed.

The disruption cost providers an estimated $100 million daily, jeopardizing operations at thousands of healthcare organizations. A survey by the American Hospital Association found that 94% of hospitals experienced financial damage, with more than half reporting severe losses. Some doctors’ groups faced furloughs, and at least one long-term care center briefly closed due to inability to pay staff.

UnitedHealth initially described the breach as a “nation-state–associated threat,” but later acknowledged it was carried out by cybercriminals, specifically BlackCat. Investigations revealed that the attackers used stolen Citrix credentials, on an account lacking multi-factor authentication (MFA), to gain access to the system as early as February 12, then lay dormant before encrypting data on the 21st.

By late February, BlackCat posted Change Healthcare’s name on its leak site, but removed the data after negotiations appeared to begin. In early March, evidence emerged suggesting a $22 million ransom payment by Change Healthcare—a move later confirmed by UnitedHealth during congressional testimony. Wired reported this payment, and Krebs on Security noted that it led to factional discord among ransomware affiliates.

Amid escalating turmoil, UnitedHealth activated its Temporary Funding Assistance Program and committed over $2 billion in advance payments by mid-March to help providers stay afloat. By late April, total advances and loans exceeded $6.5 billion. However, many providers criticized the funding terms as inadequate and even predatory, particularly targeting smaller clinics.

The U.S. Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) launched a targeted investigation in mid-March to evaluate potential violations of HIPAA and assess whether protected health information was compromised. Secretary Xavier Becerra emphasized that the scale of the attack was “unprecedented” and affirmed that providers remain obligated to maintain robust data security practices.

At the White House, senior officials convened a crisis meeting with UnitedHealth CEO Andrew Witty and other key industry leaders, pressing for accelerated payments and faster system restoration. Witty later testified before congressional committees, revealing that the attack traced back to basic security failures, such as missing MFA protections, and confirmed the $22 million ransom payment. He also projected the cost of the breach through 2024 at approximately $1.6 billion, excluding fines or additional legal expenses.

Industry experts warn that the attack underscores the urgency of more stringent cybersecurity frameworks within healthcare, particularly given the rise in ransomware and hacking breaches affecting millions of individuals annually.

By April, most core claims and pharmacy systems had been restored, although some functionalities remained offline for weeks. HHS and CMS introduced emergency flexibilities—accelerated Medicare payments, waived prior authorization rules, and extended deadlines—to support providers during the crisis.

This event has sparked calls in Washington for mandatory cybersecurity standards in healthcare. Legislation has been introduced to empower HHS to enforce emergency payment measures during cyber crises. Additionally, federal agencies like the State Department have offered rewards up to $15 million for information on BlackCat leadership.

Hospitals continue to feel the financial strain. AHA surveys revealed daily losses of up to $1 million for 60% of respondents and state-level impacts—such as Massachusetts’ $24 million daily loss estimate. Some providers teetered on closure, with cash reserves exhausted and payroll at risk. Nevertheless, UnitedHealth’s stock has remained relatively stable, and analysts suggest the long-term financial consequences may not be as severe as initially feared.

As systems are fully restored and clean-up continues, the healthcare industry faces a critical reevaluation of cybersecurity hygiene. Mandatory MFA, robust incident response planning, and regulatory reforms are increasingly seen as essential. The Covid-era gains in telehealth and health tech modernization may rest on a fragile foundation unless these systemic vulnerabilities are addressed.

 


Copyright ©️ 2024 CEO Times | All rights reserved.