Change Healthcare Ransomware Attack
February 2024
Executive Summary
An ALPHV/BlackCat ransomware attack on Change Healthcare, a UnitedHealth Group subsidiary that processes approximately one-third of all US healthcare claims. The attack disrupted prescription processing, insurance claims, and revenue cycles across the US healthcare system for weeks, affecting hospitals, pharmacies, and patients nationwide. UnitedHealth reportedly paid a $22M ransom.
Why This Matters
Change Healthcare demonstrated that a single ransomware attack on a dominant healthcare intermediary can cascade into a national healthcare crisis, making the case for treating healthcare claims infrastructure as critical national infrastructure.
Escalation Profile
Phases
Initial access via stolen credentials
Attackers gained access to Change Healthcare systems using compromised credentials for a Citrix remote access portal lacking multi-factor authentication.
Ransomware deployment and system shutdown
ALPHV/BlackCat ransomware encrypted critical systems; Change Healthcare disconnected its entire network, halting claims processing nationwide.
Healthcare system cascading impact
Pharmacies could not process prescriptions; hospitals lost revenue cycle management; small practices faced cash-flow crises threatening viability.
Threshold Crossings
- Largest disruption to US healthcare infrastructure from a single cyber attack
- Demonstrated systemic concentration risk in healthcare claims processing
Restraint Factors
- Financially motivated — no geopolitical or destructive intent beyond extortion
- Attackers offered decryption for ransom payment
Attribution Assessment
Threat actor mapped to Russia (criminal, possible state nexus) based on infrastructure analysis, malware attribution, and operational patterns.
Evidence: UnitedHealth Group: Change Healthcare Cyber Response Update
- HHS and CISA emergency coordination and guidance for affected providers
- Congressional hearings on healthcare cybersecurity and concentration risk
- UnitedHealth CEO testified before Senate Finance Committee (May 2024)
Sources: CISA: ALPHV BlackCat Advisory Update; Senate Finance Committee: Hearing Testimony on Change Healthcare
No dedicated journalistic sources in dataset. See sources section for full references.
“High Confidence” reflects available public evidence. All assessments carry inherent uncertainty and should be read alongside source material.
Unpeace Position
Contributing Dimensions
Coercive Function
Ransomware
Denial of access through encryption — coercive value through economic extortion and operational disruption.
Observed coercive effects
- Largest disruption to US healthcare infrastructure from a single cyber attack
- Demonstrated systemic concentration risk in healthcare claims processing
Entanglement Risk
Impact summary
Healthcare claims processing disrupted nationwide for weeks; pharmacies, hospitals, and providers affected; $22M ransom reportedly paid.
Infrastructure Meaning
3 ATT&CK techniques mapped — see ATT&CK mapping below.
Governance Analysis
Governance Flags
Norms invoked
- Protection of healthcare infrastructure as critical civilian necessity
- Corporate duty of care for healthcare data and operational resilience
Policy responses
- HHS and CISA emergency coordination and guidance for affected providers
- Congressional hearings on healthcare cybersecurity and concentration risk
- UnitedHealth CEO testified before Senate Finance Committee (May 2024)
Regulatory changes
- Renewed push for mandatory healthcare cybersecurity standards
- HHS proposed updates to HIPAA Security Rule with prescriptive controls
- CMS accelerated payment programs to offset provider cash-flow disruptions
Governance impact assessment
Exposed the systemic fragility of concentrated healthcare infrastructure and accelerated federal momentum toward mandatory cybersecurity standards for healthcare entities handling critical claims processing functions.
Sources
CISA: ALPHV BlackCat Advisory Update
UnitedHealth Group: Change Healthcare Cyber Response Update
Senate Finance Committee: Hearing Testimony on Change Healthcare
Sources listed reflect publicly available materials used to construct this case entry. Inclusion does not imply endorsement. Where no URL is provided, the source may be found via its title and date.
Related Cases
WannaCry
May 2017 · North Korea
WannaCry exposed how a leaked intelligence exploit can cascade into a global healthcare crisis, sharpening the policy debate on vulnerability disclosure and the duty to protect civilian systems.
Colonial Pipeline
May 2021 · Russia (criminal, not directly state-sponsored per US assessment)
Colonial Pipeline proved that criminal ransomware can trigger national-level infrastructure disruptions, collapsing the boundary between cybercrime and national security and forcing mandatory regulation of pipeline cyber defenses.
Costa Rica / Conti
April – May 2022 · Russia (criminal, not directly state-sponsored per public assessments)
Costa Rica showed that ransomware can effectively disable a nation's fiscal and health systems, forcing the first-ever national emergency declaration over a cyber attack and elevating ransomware to a sovereign-level threat.
MGM / Scattered Spider
September 2023 · United States / United Kingdom (individuals; not state-sponsored)
MGM/Caesars showed that social engineering by loosely organized criminal groups can paralyze major enterprises as effectively as sophisticated malware, exposing identity and helpdesk processes as critical policy-relevant attack surfaces.