Case ID
Change Healthcare 2024: $2.45B, largest healthcare breach in US history.
Change Healthcare processes 15 billion healthcare transactions per year for UnitedHealth Group, handling 50% of US medical claims through its clearinghouse. In February 2024 an ALPHV/BlackCat ransomware affiliate gained access through a Citrix remote-access portal that lacked MFA, exfiltrated 190 million patient records, and encrypted core claims-processing systems. UnitedHealth paid a $22 million ransom that did not prevent later extortion by an affiliate. The cost disclosed in 10-Q filings has crossed $2.45B and is still accruing through 2026.
Records exposed: 190M (largest healthcare breach in US history)
Total cost: $2.45B+ (UnitedHealth 10-Q disclosure)
Ransom paid: $22M (ALPHV BTC transfer)
Disruption duration: months (pharmacy claims processing)
Section CHC.1
The single missing MFA control
The intrusion began on 12 February 2024 when ALPHV/BlackCat affiliates obtained valid login credentials for a Change Healthcare Citrix portal. The portal was used by Change Healthcare staff and contractors to access internal systems remotely. Critically, the portal did not require multi-factor authentication. With valid credentials and no MFA, the attacker was able to log in undetected and remain in the environment for nine days, escalating privileges and mapping the network.
On 21 February 2024 the attackers deployed ALPHV/BlackCat ransomware across the Change Healthcare environment, encrypting claims-processing, prescription-routing, and benefits-verification systems. Change Healthcare took the affected systems offline immediately to prevent further damage. The shutdown produced cascade failures across US healthcare: pharmacies could not process insurance claims for prescriptions, hospitals could not verify benefits eligibility, and providers could not submit claims for payment. The shutdown lasted weeks for the most critical systems and months for some less-critical components.
UnitedHealth CEO Andrew Witty testified to House Oversight in May 2024 that the Citrix portal lacked MFA because it had been inherited through an acquisition and had not been migrated to UnitedHealth's standard MFA architecture. Witty acknowledged that the missing MFA was the single decisive failure that allowed the breach. The case has since been cited extensively as the canonical example of why MFA on every remote-access pathway, especially inherited acquisition infrastructure, is non-negotiable.
Section CHC.2
The $2.45B cost composition
| Cost line item | Amount | Source |
|---|---|---|
| Direct response costs (forensics, IT remediation, customer support) | $1.05B | UnitedHealth Q2 2024 earnings |
| Provider financial assistance (interim payments) | $8.9B advanced, ~$3B net cost after recovery | UnitedHealth Q1 + Q2 2024 disclosures |
| Lost business and revenue (Change Healthcare segment) | ~$1.4B | UnitedHealth Q3 2024 segment results |
| Ransom payment | $22M (BTC) | TRM Labs blockchain analysis March 2024 |
| Notification and breach response (190M) | ~$500M | Estimated, $2-$3 per record per Ponemon notification benchmark |
| OCR HIPAA settlement (pending) | TBD | OCR investigation underway as of 2026 |
| Class-action litigation reserve | TBD | Multidistrict litigation pending in District of Minnesota |
| Total disclosed cost (Q4 2024) | $2.45B+ | UnitedHealth Q4 2024 + 2024 10-K filings |
The headline $2.45B figure was disclosed in UnitedHealth's Q2 2024 release and reaffirmed in subsequent 10-Q and 10-K filings. The figure excludes the OCR HIPAA settlement (still under investigation), class-action settlements (multidistrict litigation pending), and a substantial portion of provider-assistance interim payments that may eventually be recovered. The fully loaded cost when all components settle is widely expected to exceed $3B.
Section CHC.3
The $22M ransom payment that did not buy peace
Change Healthcare paid approximately $22M in Bitcoin to ALPHV/BlackCat in early March 2024 in exchange for a decryption key and a promise to delete the exfiltrated data. TRM Labs blockchain analysis identified the BTC transfer to an ALPHV-associated wallet on 1 March 2024. Change Healthcare received a decryption key and used it to begin restoring affected systems.
What Change Healthcare did not anticipate was that ALPHV's ransomware-as-a-service model splits payment between the "operator" (the core ALPHV group) and the "affiliate" (the contractor who executed the attack). After receiving the $22M, ALPHV pulled an exit scam, retained the full payment, and disappeared. The affiliate did not receive its cut of the payment, did not delete the exfiltrated data, and subsequently attempted a second extortion under the moniker RansomHub, demanding additional payment to prevent data publication.
The Change Healthcare case became the definitive example of why ransom payment does not eliminate breach exposure. UnitedHealth received the decryption key but not the data-non-publication outcome. The data appeared on RansomHub's leak site in April 2024. The episode has shifted ransomware-response advisory practice toward a stronger presumption against payment, particularly when the threat actor has a track record of operating through unreliable affiliate networks.
Section CHC.4
The provider-financial-assistance line that almost no one expected
The unusual cost component in the Change Healthcare incident was the provider-financial-assistance programme. With claims processing offline for weeks, independent pharmacies, small medical practices, and rural hospitals lost their revenue stream. Many had insufficient working capital to wait out the restoration. UnitedHealth, under intense political pressure from HHS Secretary Xavier Becerra and from Congressional oversight, agreed to advance interim payments to affected providers to keep them solvent during the outage.
The total of interim payments advanced peaked at approximately $8.9B by Q2 2024. The advances were structured as loans against future claims processing, with recovery beginning once claims processing resumed. UnitedHealth's Q3 2024 disclosure indicated approximately $3B in net provider-assistance cost after expected recoveries. The line item has no real precedent in healthcare-breach response and reflects the unique systemic role of Change Healthcare as a claims-processing chokepoint.
The episode has prompted serious policy discussion of whether claims-processing concentration is itself a national-security risk. Change Healthcare handles approximately 50% of US medical claims through its clearinghouse, a single point of failure for half the country's healthcare payment infrastructure. The HHS Office of Inspector General has launched a study of healthcare-payment systemic risk that is widely expected to recommend regulatory action toward redundancy by 2027.
Section CHC.5
What the OCR investigation is likely to find
HHS Office for Civil Rights opened a formal investigation in March 2024. As of mid-2026 the investigation is ongoing and no settlement has been announced. Based on the public facts (missing MFA, nine-day dwell time, 190M-record exposure, the scale of operational disruption) and the precedent set by Anthem ($16M for 78.8M records) and Premera ($6.85M for 11M records), industry analysts have estimated the eventual OCR settlement at $50M-$100M, with the upper bound reflecting the unprecedented scale and the missing-MFA root cause.
OCR has also reportedly engaged with Change Healthcare and UnitedHealth on the question of whether Change Healthcare is a covered entity in its own right or a business associate of the affected providers. The distinction matters for the allocation of notification obligations across the 190M affected patients. The complexity has slowed the notification process materially, with not all patients notified by mid-2026. The delay itself may produce additional OCR exposure under HIPAA timely-notification requirements.
Cross-references
Industry / Healthcare → Sector context: $7.42M average, 15 years at #1.
Case / Anthem 2015 → The previous largest healthcare breach: $260M, 78.8M records.
Regulation / HIPAA → OCR penalty structure: where Change Healthcare may land.
Cost / Per record → $408 per PHI record: applied to 190M produces $77B; the case for amortisation.
Cost / Credit monitoring → 190M class members make per-class compensation negligible.
Index / All breach cases → 22 verified mega-breach case studies.
Schedule F / Reference Q&A
Frequently Asked Questions
Primary source: Change Healthcare 2024 breach data from UnitedHealth Q2 2024 earnings release, Q3 2024 earnings release, Q4 2024 earnings release, 2024 10-K filing, House Oversight Committee testimony May 2024, TRM Labs blockchain analysis March 2024, and OCR public statements.