
The February 2024 ransomware attack on Change Healthcare represents the largest and most disruptive data breach in United States healthcare history, affecting an estimated 192.7 million individuals and compromising protected health information on a scale that has fundamentally challenged the resilience of the nation’s healthcare infrastructure. On February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group and the predominant medical claims clearinghouse handling nearly 40 percent of all healthcare claims in the United States, detected a ransomware attack that would trigger a cascade of operational failures, financial devastation across healthcare providers, and widespread exposure of sensitive patient data including names, Social Security numbers, medical records, and financial information. The incident exposed critical vulnerabilities in the cybersecurity posture of a company processing 15 billion healthcare transactions annually and touching one in every three patient records in the country, ultimately forcing a prolonged system shutdown that disrupted healthcare delivery and payment processing nationwide for months. This comprehensive analysis examines the attack’s origins, technical execution, impacts across the healthcare ecosystem, the regulatory response, and the systemic lessons learned from what many have characterized as the most significant and consequential cyberattack on U.S. critical infrastructure to date.
Chronology and Technical Details of the Change Healthcare Attack
The Change Healthcare cyberattack unfolded over an extended timeline that exposed significant detection and response deficiencies within the organization. On February 12, 2024, attackers affiliated with the Russian-speaking ransomware group known as ALPHV or BlackCat gained initial access to Change Healthcare’s systems using compromised credentials for a Citrix remote access portal, which lacked multi-factor authentication—a basic security measure that has become an industry standard for protecting critical infrastructure. These credentials belonged to a low-level customer support employee and were obtained through a phishing campaign or purchased on the dark web, demonstrating how seemingly minor security lapses at the user level can cascade into catastrophic organizational breaches. Change Healthcare’s security monitoring failed to identify the unauthorized access for nine days, giving the attackers undetected time to move laterally through the company’s network, exfiltrate data, and establish persistence mechanisms.
During this nine-day window from February 12 to February 20, 2024, the attackers engaged in what security professionals describe as sophisticated lateral movement through Change Healthcare’s inadequately segmented network architecture. The forensic investigation confirmed that threat actors accessed the systems from February 17 through February 20, 2024, and during this period they not only exfiltrated massive quantities of sensitive data but also created privileged administrative accounts, installed malware, and prepared the ransomware payload for deployment. Specifically, the attackers utilized the compromised Citrix credentials to remotely access the portal and then moved through the network in “more sophisticated ways,” as UnitedHealth Group CEO Andrew Witty acknowledged in testimony before Congress, employing advanced techniques to escalate privileges and access sensitive data repositories.
Change Healthcare’s security and technology teams finally detected the intrusion on February 21, 2024, when the attackers deployed ransomware that encrypted files and data across critical systems, effectively rendering Change Healthcare’s infrastructure inaccessible. Upon detection of the ransomware deployment, Change Healthcare leadership made the decision to immediately disconnect their entire network from the internet to prevent further spread of the malicious code to other systems and to other organizations connected to their infrastructure. This defensive action, while preventing the malware from spreading beyond Change Healthcare’s environment to other UnitedHealth Group entities, came at an enormous operational cost. By taking all systems offline, Change Healthcare effectively disabled the medical claims processing, payment systems, and pharmacy transactions that thousands of healthcare organizations across the United States depended upon for their daily operations.
The ransomware attack exfiltrated an estimated 4 to 6 terabytes of sensitive data before encryption occurred, representing one of the largest data exfiltration events in healthcare history. The stolen data comprised comprehensive personal health information, including names, dates of birth, Social Security numbers, driver’s license numbers, passport information, medical records containing diagnoses and treatment histories, insurance information, banking and payment card details, and claims and billing data. As UnitedHealth Group CEO Andrew Witty later testified to Congress, the attackers potentially obtained the personal and protected health information of “a substantial proportion of people in America,” with initial estimates suggesting approximately one-third of the United States population may have been affected.
On February 29, 2024, nine days after the attack was detected, UnitedHealth Group confirmed that the ransomware group ALPHV/BlackCat was responsible for the attack. Change Healthcare received a ransom demand from the attackers, and after negotiations, UnitedHealth Group made the decision to pay $22 million in Bitcoin to the ransomware operators on March 3, 2024. UnitedHealth Group leadership, including CEO Andrew Witty, later acknowledged that they paid the ransom in hopes of ensuring the deletion of stolen data and preventing its publication on the dark web. However, this decision to pay would prove ineffective in securing the promised outcome, as the ransomware group ultimately performed what is known as an “exit scam,” pocketing the ransom payment and disappearing from the dark web without fulfilling its obligation to delete the stolen data.
Root Causes and Critical Security Failures
The root cause analysis of the Change Healthcare breach reveals a constellation of serious cybersecurity deficiencies that individually created vulnerabilities but collectively enabled a devastating attack on critical infrastructure. The most prominent and repeatedly cited failure was the absence of multi-factor authentication on the Citrix remote access portal through which the attackers gained initial access. Multi-factor authentication, which requires users to verify their identity through multiple methods beyond simply entering a username and password, has become recognized as an industry-standard security control for protecting remote access systems to critical infrastructure. The Health Insurance Portability and Accountability Act (HIPAA), which governs data security requirements for healthcare organizations, strongly recommends multi-factor authentication for controlling access to protected health information. UnitedHealth Group CEO Andrew Witty acknowledged in his congressional testimony that this represented a significant oversight, stating: “Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition. But for some reason, which we continue to investigate, this particular server did not have MFA on it.”
Change Healthcare had been acquired by UnitedHealth Group for $13 billion in late 2022, and the acquisition integrated a company with legacy infrastructure and older technologies into a much larger healthcare conglomerate. Witty acknowledged that UnitedHealth had been working to modernize and upgrade Change Healthcare’s systems since the acquisition, but the critical Citrix portal apparently fell through the cracks in this modernization effort, continuing to operate without the security protections that should have been standard across the organization. This exposure persisted despite the fact that UnitedHealth Group had formal security policies requiring multi-factor authentication on all external-facing systems. The question of how a system required by policy to have MFA never had it enabled highlighted not just a technical oversight but a failure in security governance and oversight within the organization.
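The governance gap described above, a written policy that required MFA on every external-facing system while one portal ran without it, is the kind of drift that an attestation-based inventory cannot catch but login telemetry can. The following is an added example, not code from the original article or from Change Healthcare or UnitedHealth Group: it reconciles a constructed asset-inventory export against constructed identity-provider login records and reports every external-facing system where the policy and the observed logins disagree. The CSV fields, the event schema, the system names, and the severity scheme are all assumptions.

```python
"""
Added example, not code from the original article or from Change Healthcare /
UnitedHealth Group: reconcile a written "MFA on every external-facing system"
policy against what authentication telemetry actually shows. The inventory
export, the login records and every field name are constructed assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed asset-inventory export. "mfa_required" records policy intent,
# not what is actually enforced on the system.
INVENTORY_CSV = """\
system,external_facing,mfa_required,owner
citrix-remote-portal,yes,yes,it-infra
vpn-gateway,yes,yes,it-infra
claims-api,yes,yes,platform
partner-sftp,yes,yes,platform
intranet-wiki,no,no,it-infra
"""

# Constructed identity-provider / portal login records. mfa=False means the
# session was established with a username and password only.
AUTH_EVENTS = [
    {"system": "citrix-remote-portal", "user": "support.user1", "mfa": False},
    {"system": "citrix-remote-portal", "user": "support.user2", "mfa": False},
    {"system": "vpn-gateway", "user": "eng.user1", "mfa": True},
    {"system": "vpn-gateway", "user": "eng.user2", "mfa": True},
    {"system": "claims-api", "user": "svc.partner", "mfa": True},
    {"system": "claims-api", "user": "ops.user9", "mfa": False},
    {"system": "legacy-ftp", "user": "ops.user3", "mfa": False},
]


def load_inventory(csv_text):
    """Parse the inventory export into {system: {external_facing, mfa_required, owner}}."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        inventory[row["system"]] = {
            "external_facing": row["external_facing"].lower() == "yes",
            "mfa_required": row["mfa_required"].lower() == "yes",
            "owner": row["owner"],
        }
    return inventory


def observed_mfa_rates(events):
    """Fraction of observed logins per system that completed a second factor."""
    counts = defaultdict(lambda: [0, 0])  # system -> [mfa_logins, total_logins]
    for e in events:
        counts[e["system"]][1] += 1
        if e["mfa"]:
            counts[e["system"]][0] += 1
    return {system: mfa / total for system, (mfa, total) in counts.items()}


def audit_mfa(inventory, events):
    """Return {system: finding} wherever policy and telemetry disagree.

    policy_gap       policy says MFA is required, but password-only logins were seen
    no_telemetry     external-facing system in inventory that sends no auth logs
    not_in_inventory logins observed on a system nobody has recorded as an asset
    """
    rates = observed_mfa_rates(events)
    findings = {}
    for system, meta in inventory.items():
        if not meta["external_facing"]:
            continue
        rate = rates.get(system)
        if rate is None:
            findings[system] = {"finding": "no_telemetry", "severity": "medium",
                                "mfa_rate": None, "owner": meta["owner"]}
        elif meta["mfa_required"] and rate < 1.0:
            # Zero MFA logins means the control is absent, not merely bypassed.
            severity = "critical" if rate == 0.0 else "high"
            findings[system] = {"finding": "policy_gap", "severity": severity,
                                "mfa_rate": rate, "owner": meta["owner"]}
    for system in rates:
        if system not in inventory:
            findings[system] = {"finding": "not_in_inventory", "severity": "high",
                                "mfa_rate": rates[system], "owner": None}
    return findings


if __name__ == "__main__":
    results = audit_mfa(load_inventory(INVENTORY_CSV), AUTH_EVENTS)
    for system, f in sorted(results.items()):
        print(f"{f['severity']:8} {system:22} {f['finding']}  mfa_rate={f['mfa_rate']}")
```

The point of the design is that the evidence comes from the authentication logs rather than from the inventory field: a system whose policy flag says "required" but whose logins never show a second factor is reported as critical, and a system that appears in the logs but not in the inventory is reported too, since an asset nobody owns is exactly the one that escapes a modernization program.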
Beyond the absence of multi-factor authentication, Change Healthcare’s network architecture exhibited poor segmentation, meaning that once an attacker gained access to one system, the network was inadequately designed to prevent lateral movement to other systems and sensitive data repositories. According to the lawsuit filed by Nebraska Attorney General Mike Hilgers, the cybersecurity failures included “outdated and poorly segmented IT systems that failed to meet basic enterprise security standards.” Change Healthcare continued to rely on 40-year-old technologies for its medical claims and payment processing systems, storing data on vulnerable on-premises servers rather than utilizing modern cloud-based infrastructure with advanced security controls. This legacy technology infrastructure not only lacked modern security features but also created challenges for rapid patching and updates when vulnerabilities were discovered.
An additional critical failure involved the management of backup systems. Change Healthcare maintained data backups for disaster recovery purposes, but these backups were not properly isolated from the primary production network. When the ransomware encrypted files on the primary systems, it also encrypted the backup copies, rendering both inaccessible and defeating one of the primary purposes of maintaining backup systems. A properly configured backup system should be isolated from the main network through air-gapping or separate secure networks that prevent malware from accessing backup data even if it compromises the primary systems. The failure to properly isolate backup systems represented a compounding security failure that significantly increased the impact of the attack.
Furthermore, Change Healthcare and its parent company UnitedHealth Group had inadequate continuous monitoring and threat detection capabilities. The nine-day lag between the initial intrusion on February 12 and its detection on February 21 when ransomware was deployed demonstrated that the company’s security monitoring systems lacked the sensitivity and sophistication needed to detect suspicious lateral movement and data exfiltration activities in real time. More robust security information and event management systems, combined with threat hunting activities, would likely have detected the attackers’ activities much earlier, potentially before any data exfiltration occurred.
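The nine-day detection lag described above is the kind of gap that a small set of correlation rules over existing telemetry can close. The following is an added example, not code from the original article or from UnitedHealth Group's own tooling: three rules run over a constructed event stream whose dates follow the article's timeline (remote login, privileged group change, multi-host logons, bulk egress) and report how many days before the February 21 ransomware deployment the first alert would have fired. The event schema, hostnames, usernames, byte counts, the admin roster, and the thresholds are all assumptions.

```python
"""
Added example, not code from the original article or from UnitedHealth Group:
three correlation rules over a constructed JSON-lines event stream that mirrors
the intrusion sequence the article describes. Schema, hosts, users, byte
counts, admin roster and thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry. Dates follow the article's timeline; everything
# else (hosts, users, byte counts) is invented. Lines are deliberately not
# in time order to show that the parser sorts them.
RAW_EVENTS = """\
{"ts":"2024-02-12T03:14:00Z","type":"remote_login","user":"support.user1","src":"external","mfa":false,"host":"citrix-portal"}
{"ts":"2024-02-13T01:02:00Z","type":"group_change","actor":"support.user1","target":"svc.backup2","group":"Domain Admins","action":"add"}
{"ts":"2024-02-14T02:10:00Z","type":"logon","user":"svc.backup2","host":"fs-01"}
{"ts":"2024-02-14T02:25:00Z","type":"logon","user":"svc.backup2","host":"fs-02"}
{"ts":"2024-02-14T03:40:00Z","type":"logon","user":"svc.backup2","host":"db-01"}
{"ts":"2024-02-14T04:05:00Z","type":"logon","user":"svc.backup2","host":"db-02"}
{"ts":"2024-02-14T05:30:00Z","type":"logon","user":"svc.backup2","host":"bkp-01"}
{"ts":"2024-02-17T22:00:00Z","type":"netflow","host":"fs-01","dst":"external","bytes":900000000000}
{"ts":"2024-02-18T02:00:00Z","type":"netflow","host":"fs-02","dst":"external","bytes":1200000000000}
{"ts":"2024-02-14T09:00:00Z","type":"logon","user":"eng.user1","host":"build-01"}
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
KNOWN_ADMINS = {"it.admin1", "it.admin2"}      # assumed roster of people allowed to change them
LATERAL_HOST_THRESHOLD = 5                      # distinct hosts per identity per 24 h
EGRESS_BYTES_THRESHOLD = 500 * 10**9            # 500 GB outbound per host per 24 h
WINDOW = timedelta(hours=24)
RANSOMWARE_DEPLOYED = datetime(2024, 2, 21)    # detection date stated in the article


def parse_events(raw):
    """Parse JSON lines, convert timestamps, and return events in time order."""
    events = []
    for line in raw.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def rule_priv_group_change(events):
    """R1: someone outside the admin roster adds a member to a privileged group."""
    return [(e["ts"], "R1_priv_group_change_by_non_admin", e["actor"])
            for e in events
            if e["type"] == "group_change" and e["action"] == "add"
            and e["group"] in PRIVILEGED_GROUPS and e["actor"] not in KNOWN_ADMINS]


def rule_lateral_movement(events):
    """R2: one identity logs on to >= N distinct hosts inside a sliding 24 h window."""
    alerts, per_user = [], defaultdict(list)
    for e in events:
        if e["type"] == "logon":
            per_user[e["user"]].append(e)
    for user, logons in per_user.items():
        recent = []
        for e in logons:
            recent = [r for r in recent if e["ts"] - r["ts"] <= WINDOW] + [e]
            if len({r["host"] for r in recent}) >= LATERAL_HOST_THRESHOLD:
                alerts.append((e["ts"], "R2_lateral_movement", user))
                break  # one alert per identity is enough to open a case
    return alerts


def rule_bulk_egress(events):
    """R3: outbound bytes from one internal host exceed the 24 h threshold."""
    alerts, per_host = [], defaultdict(list)
    for e in events:
        if e["type"] == "netflow" and e["dst"] == "external":
            per_host[e["host"]].append(e)
    for host, flows in per_host.items():
        recent = []
        for e in flows:
            recent = [r for r in recent if e["ts"] - r["ts"] <= WINDOW] + [e]
            if sum(r["bytes"] for r in recent) >= EGRESS_BYTES_THRESHOLD:
                alerts.append((e["ts"], "R3_bulk_egress", host))
                break
    return alerts


def run_detections(raw):
    """Run all rules and return alerts as (timestamp, rule, subject), earliest first."""
    events = parse_events(raw)
    alerts = rule_priv_group_change(events) + rule_lateral_movement(events) + rule_bulk_egress(events)
    return sorted(alerts)


def dwell_days_saved(alerts, deployed=RANSOMWARE_DEPLOYED):
    """Whole days between the earliest alert and ransomware deployment."""
    return (deployed - alerts[0][0]).days if alerts else 0


if __name__ == "__main__":
    found = run_detections(RAW_EVENTS)
    for ts, rule, subject in found:
        print(f"{ts.isoformat()}  {rule:36} {subject}")
    print(f"first alert {dwell_days_saved(found)} days before ransomware deployment")
```

None of the three rules needs anything exotic: R1 reads directory audit events, R2 reads logon events, R3 reads flow records, all of which a typical SIEM already ingests. On this constructed stream the privileged-group rule fires on the second day of the intrusion, roughly a week before the encryption stage, which is the difference the passage above is pointing at between detecting the deployment of ransomware and detecting the intrusion that precedes it.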
Risk management across the organization was also fragmented, with inadequate oversight of third-party integrations and vendors, a disconnect between the departments responsible for risk management, and insufficient board-level oversight of cybersecurity practices. The company’s risk management practices had not identified the dependency on outdated systems with missing security controls, nor had they conducted regular penetration testing and security assessments that would have revealed the absence of multi-factor authentication on critical systems.
Scale and Scope of the Data Breach
The Change Healthcare data breach stands as an unprecedented event in the history of American healthcare by nearly every measure of scale. The company initially reported to the Department of Health and Human Services’ Office for Civil Rights that approximately 500 individuals had been affected—an obvious placeholder estimate made before forensic analysis was complete. As Change Healthcare and UnitedHealth Group conducted extensive data review and forensic analysis to determine the actual scope of the compromise, the estimate grew dramatically. On October 22, 2024, eight months after the breach was detected, Change Healthcare notified the Office for Civil Rights that approximately 100 million individuals had received notifications regarding the breach, representing nearly one-third of the United States population.
Subsequently, in January 2025, UnitedHealth Group increased the estimate to approximately 190 million affected individuals, more than half the U.S. population of approximately 341 million. Most recently, as of July 31, 2025, Change Healthcare notified the Office for Civil Rights that the number had increased to 192.7 million individuals, with the company still conducting ongoing data reviews and notifications. The 192.7 million figure represents an extraordinary scale that makes this breach more than 2.4 times larger than the previous record for healthcare data breaches: the 2015 Anthem Inc. breach affecting 78.8 million individuals. This means that approximately two-thirds of the entire United States population had their protected health information compromised in the Change Healthcare breach.
The nature and sensitivity of the compromised data amplifies the severity of this breach beyond what mere numbers suggest. The stolen data included names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, medical record numbers, diagnoses, medications, test results, medical imaging, care and treatment plans, health insurance information including member and group ID numbers, claims and billing information, financial and banking information including payment card numbers, and information about active military personnel. Unlike a breach of credit card numbers where fraud can be limited through account monitoring, a breach of comprehensive healthcare information exposes individuals to medical identity theft, unauthorized medical services in their names, fraudulent insurance claims, blackmail through disclosure of sensitive medical information, and social engineering attacks based on personal details contained in the records.
The scope of affected organizations extends across virtually the entire healthcare delivery system in the United States. Change Healthcare’s systems were used by more than 1.6 million healthcare professionals, 70,000 pharmacies, and 8,000 healthcare facilities. This means that patients who received care from any of these thousands of organizations potentially had their information compromised. Change Healthcare processed approximately 15 billion healthcare transactions annually, touching one in every three patient records in the country and accounting for approximately 40 percent of all medical claims in the United States. As a result of the company’s central role in healthcare infrastructure, the breach cascaded across healthcare providers, health insurers, pharmacy benefit managers, and pharmaceutical companies, affecting not just the records directly stored by Change Healthcare but also the records of its business partners and customers.
Operational Impact and Healthcare Service Disruptions
The operational impact of the Change Healthcare cyberattack was unprecedented in its scope and duration, affecting virtually every hospital, physician practice, pharmacy, and healthcare organization in the United States either directly or indirectly. When Change Healthcare took its systems offline on February 21, 2024, to contain the ransomware attack, the company effectively shut down critical healthcare infrastructure that thousands of organizations depended upon to submit insurance claims, receive payment for services rendered, verify patient insurance eligibility before providing care, process pharmacy prescriptions and benefits, and perform prior authorization reviews for medical procedures and treatments.
Hospitals across the United States experienced immediate disruptions to their ability to process claims and receive payments from insurance companies, creating severe cash flow problems within hours of the attack. According to a survey conducted by the American Hospital Association in March 2024, 74 percent of hospitals reported direct patient care impacts including delays in authorizations for medically necessary care, 94 percent reported financial impacts from the attack, 33 percent reported that the attack disrupted more than half of their revenue, and 60 percent reported requiring two to three months to resume normal operations once Change Healthcare’s full functionality was re-established.
Pharmacies across the country faced immediate challenges in filling prescriptions and determining patient copayments when the system came down. Pharmacists could not determine the correct copay amounts because access to pharmacy benefit information through Change Healthcare was unavailable, forcing them either to estimate copayments or require patients to pay full price for medications and hope for later reimbursement. Many pharmacies reported being unable to fill prescriptions through insurance coverage at all, forcing patients to pay out-of-pocket for essential medications or to forgo needed treatments.
Physician practices, particularly smaller independent practices, faced paralyzing disruptions to their revenue cycles. An American Medical Association survey conducted in late April 2024 found that 80 percent of surveyed practices had lost revenue from unpaid claims, 85 percent had to commit additional staff time and resources to complete manual revenue cycle tasks, and 78 percent had lost revenue from claims they were unable to submit. The survey also documented that 55 percent of surveyed physician practices were using personal funds to cover practice expenses including payroll, rent, and supplies due to the inability to receive insurance payments. For many practices operating on thin margins, the sudden cessation of insurance payments created existential threats to the viability of their practices.
The prolonged nature of the outage exacerbated the impact dramatically. While Change Healthcare brought some critical systems back online in mid-March 2024, approximately one month after the attack, other systems remained unavailable or only partially functional for many additional months. By November 2024, nine months after the initial attack, Change Healthcare announced that its clearinghouse services had been fully restored, but even at that point, systems were not operating at pre-attack capacity, and customers were still experiencing reduced functionality in certain areas.
According to Kodiak Solutions, a revenue cycle data analytics firm, the attack caused the value of claims submitted to drop $6.3 billion for their 1,850 hospital and 250,000 physician clients alone in just the first three weeks after the attack. This figure illustrates the tremendous financial disruption caused by the attack’s impact on normal healthcare transactions across a significant portion of the healthcare delivery system.
Patient care was directly affected by the outages and disruptions caused by the attack. According to the American Hospital Association, the attack endangered patient access to care by disrupting critical clinical and eligibility operations. Patients reported being unable to obtain insurance authorization for necessary medical procedures and surgeries, creating delays in receiving needed care. Some patients reported being unable to contact their healthcare providers or access patient portals to make payments during the outage period. The delays in authorization for medically necessary care during the weeks when Change Healthcare systems were down created real health risks for patients who required timely access to medical treatment.
Some healthcare organizations faced such severe cash flow challenges that they had to make difficult operational decisions. One care home facility in Pennsylvania reportedly closed its doors on March 1, 2024, after employees walked out due to not receiving paychecks because the facility could not access revenue needed to make payroll without being able to process insurance claims through Change Healthcare. This was not an isolated case; many smaller healthcare organizations reported being on the brink of closure due to the financial impact of the extended outage.
The financial assistance program established by UnitedHealth Group, while well-intentioned, was initially inadequate to address the financial crisis facing healthcare providers. Optum, UnitedHealth Group’s health services subsidiary, announced a Temporary Funding Assistance Program on March 1, 2024, to provide emergency loans to affected providers. However, the initial program offered inadequate amounts and included stringent terms that made it inaccessible to many providers. UnitedHealth Group subsequently expanded the program and announced additional financial support measures, eventually providing more than $8.9 billion in temporary financial assistance through loans that were intended to be repaid once normal claims processing resumed.

Financial Consequences and Economic Impact
The financial impact of the Change Healthcare cyberattack on UnitedHealth Group, healthcare providers, and the broader healthcare system has been staggering and continues to accumulate. UnitedHealth Group initially estimated that the attack would cost approximately $1 billion in direct response costs during 2024. As the scope of the business disruption became clearer and the company conducted more thorough cost analysis, UnitedHealth revised its estimate upward. By October 2024, UnitedHealth Group reported that the cyberattack had cost approximately $2.457 billion in total financial impact as of the third quarter of 2024, with the company projecting the full-year 2024 impact would reach approximately $2.87 billion.
The $2.87 billion estimate for UnitedHealth Group’s losses breaks down into several component parts. Direct response costs related to the cyberattack, including forensic investigation, incident response, system restoration, and remediation efforts, totaled approximately $1.7 billion in the first nine months of 2024. Business disruption costs, encompassing lost revenues from reduced claims processing volume and the cost of maintaining standby capabilities to serve customers, totaled approximately $747 million in the first nine months of 2024, with the company projecting these costs would rise to between $350 million and $450 million for the full year. The $22 million ransomware payment made in March 2024 represented a small portion of the total costs, though notably the payment did not prevent data leakage, as the ransomware group performed an exit scam.
Beyond direct costs, UnitedHealth Group faced substantial legal and regulatory liabilities. Class-action lawsuits were filed almost immediately following the attack, with 24 separate lawsuits against Change Healthcare and UnitedHealth Group filed within weeks, alleging negligence, inadequate cybersecurity controls, and breach notification failures. The company requested consolidation of these lawsuits into a multidistrict litigation proceeding in the District of Minnesota, which was granted on June 7, 2024. Legal experts have projected that class-action lawsuits combined with regulatory fines from agencies including the Office for Civil Rights, the Federal Trade Commission, and multiple state agencies could result in total liabilities between $100 million and $200 million in civil settlements and between $50 million and $120 million in regulatory fines.
The impact on healthcare providers and the broader healthcare system extended far beyond UnitedHealth Group’s direct costs. Healthcare providers lost revenue during the extended outage period when they could not submit claims or receive payments for services rendered. The American Medical Association survey data suggested that physician practices collectively lost tens of billions of dollars in unpaid claims during the disruption period. Smaller practices with limited cash reserves were hit particularly hard, with many reporting that they had exhausted cash reserves, taken out loans, or used personal funds from practice owners to meet payroll and other operational expenses.
The temporary financial assistance program established by UnitedHealth Group provided $8.9 billion in emergency loans to healthcare providers. While this assistance was critical to keeping providers afloat during the crisis, it created a new financial obligation. Beginning in 2025, more than a year after the breach, UnitedHealth Group began aggressively pursuing repayment of these loans, despite the fact that many providers still had not fully recovered financially from the attack’s impacts. Some providers reported receiving bills from Optum demanding repayment within five days, creating a new financial crisis for organizations that had been devastated by the original attack’s impact on their revenue cycles. As of October 2024, providers had repaid approximately $3.2 billion of the $8.9 billion borrowed through the emergency assistance program, but many providers continued to struggle with the repayment obligations.
Beyond the direct financial costs to UnitedHealth Group and healthcare providers, the attack caused systemic economic damage to the healthcare industry. Healthcare provider bankruptcies and closures were reported in connection with the attack’s financial impact. Patients experienced increased healthcare costs in some cases due to out-of-pocket payments for prescriptions and other services during the period when insurance benefits could not be verified or processed. The attack also created costs for other healthcare organizations as they worked to implement additional cybersecurity measures and redundancy in their technology infrastructure to reduce dependency on single vendors like Change Healthcare.
The Ransomware Actors and Secondary Extortion
The cyberattack on Change Healthcare was carried out by the ALPHV ransomware group, also known as BlackCat, a Russian-speaking, financially motivated ransomware-as-a-service operation based in a Commonwealth of Independent States country. ALPHV/BlackCat was the first known ransomware group to use the Rust programming language to create malware, which allowed them to create customized ransomware variants that could target multiple operating systems and evade detection by traditional security tools. The group was known for employing triple extortion tactics, meaning they would encrypt victim files to disrupt operations, threaten to publish stolen data if ransom was not paid, and additionally threaten to launch distributed denial-of-service attacks against the victim organization to add additional pressure.
After UnitedHealth Group paid the $22 million ransom on March 3, 2024, the ALPHV leadership engaged in what is known as an “exit scam,” taking the ransom payment but failing to fulfill its obligations to the affiliate who had actually conducted the attack and exfiltrated the data. This exit scam involved the ALPHV leadership disappearing from the dark web and shutting down their operational infrastructure, leaving the affiliate who executed the attack without receiving their promised share of the ransom payment. This created a particularly perverse situation where the victim organization paid $22 million in ransom but did not receive the promised benefit of preventing data leakage, while also leaving the attacker affiliate without payment for their work.
The situation became further complicated when the disgruntled ALPHV affiliate, who had conducted the actual attack but did not receive payment from the ALPHV leadership, took the stolen Change Healthcare data and formed a partnership with an emerging ransomware group called RansomHub. Beginning in April 2024, RansomHub began leaking screenshots from the Change Healthcare data onto its dark web site and demanding additional ransom from UnitedHealth Group and Change Healthcare under threat of selling the data to the highest bidder or publishing it in its entirety. This represented a second extortion attempt against Change Healthcare for the same data that had already been exfiltrated, demonstrating how the failure of the first ransom payment created a situation where the victim organization remained vulnerable to secondary extortion threats.
According to security researchers and analysts, there was considerable speculation about whether RansomHub was actually a rebrand of ALPHV or a separate operation that had recruited disgruntled ALPHV affiliates. The timing of ALPHV’s disappearance and RansomHub’s emergence, combined with RansomHub’s use of a different technical architecture and affiliate payment model, suggested that RansomHub was either a completely new operation or a significant rebrand of the original group. Regardless of the organizational relationship, the emergence of RansomHub as a secondary threat to Change Healthcare’s stolen data underscored the fundamental weakness of paying ransoms: even if the first ransomware group fulfills its obligations and deletes or does not publish data, the data can be obtained by other malicious actors and used for secondary extortion attempts.
Regulatory Investigation and HIPAA Compliance Issues
The Department of Health and Human Services’ Office for Civil Rights (OCR) initiated an unprecedented proactive investigation into Change Healthcare’s breach on March 13, 2024, just three weeks after the attack was discovered. This rapid initiation of an investigation was highly unusual, as OCR typically initiates investigations of healthcare data breaches several months after the breach is reported to the agency, which can sometimes be years after the actual breach occurs. The accelerated investigation timeline reflected the extraordinary magnitude and national significance of the Change Healthcare breach.
The OCR investigation focused on whether a breach of protected health information occurred and whether Change Healthcare and its parent company UnitedHealth Group were in full compliance with the Health Insurance Portability and Accountability Act security standards prior to the ransomware attack. The investigation would examine whether Change Healthcare had implemented appropriate administrative, physical, and technical safeguards to protect patient data as required by the HIPAA Security Rule. Specific areas of investigation almost certainly include the absence of multi-factor authentication on the Citrix remote access portal, the inadequate segmentation of the network, the failure to properly isolate backup systems, and the failure to detect the intrusion for nine days after it occurred.
As of November 2025, the Office for Civil Rights has not announced any final enforcement actions or findings from its investigation of Change Healthcare, though the timeline is not unusual for a breach of this magnitude and significant penalties remain likely once the investigation concludes. The potential penalties could be substantial, as the Office for Civil Rights has been petitioning Congress to increase the civil monetary penalties available under HIPAA for violations of the Security Rule and other HIPAA regulations.
The breach highlighted systemic issues with healthcare cybersecurity preparedness more broadly. The Office for Civil Rights reported that since 2018, the agency has seen a 100 percent increase in large data breaches affecting healthcare entities and a 264 percent increase in large breaches involving ransomware attacks, demonstrating a troubling trend of increasing cyber threats targeting the healthcare sector. In response to the Change Healthcare breach and the broader trend of healthcare cybersecurity incidents, the OCR proposed an update to the HIPAA Security Rule that would require HIPAA-regulated entities to implement stronger safeguards to protect patient data, including mandatory multi-factor authentication, mandatory incident response planning requirements, and other enhanced security controls.
Impact on Healthcare Provider Practices and Healthcare Access
The impact of the Change Healthcare cyberattack on physician practices and healthcare access, particularly in rural and underserved communities, was profound and, in some cases, devastating. The American Medical Association documented through multiple surveys the ongoing disruption to physician practices months after the attack. Beyond the financial impacts already discussed, the disruption to clinical operations had significant implications for patient care. Prior authorization systems that allow patients to obtain pre-approval from insurance companies for procedures, medications, and treatments were disrupted during the outage period, causing delays in patients receiving necessary care.
Electronic prescribing functionality was disrupted, meaning that physicians could not transmit prescriptions electronically to pharmacies during portions of the outage period, necessitating a return to manual paper prescription processes that are labor-intensive and error-prone. The ability to verify patient insurance eligibility was disrupted, meaning that physicians and other healthcare providers could not confirm whether patients had active insurance coverage before providing care, creating billing and collection uncertainties.
Patients in rural areas and communities served by smaller healthcare providers were disproportionately impacted, as rural hospitals and critical access hospitals often operate with very thin financial margins and limited cash reserves. When revenue from insurance claims suddenly stopped flowing, these organizations faced immediate financial crises that threatened their continued operation. Some rural hospitals reported taking days or weeks longer to resume normal operations compared to larger health systems with greater financial reserves and backup systems.
The American Medical Association also documented the impact on healthcare workforce stability, finding that 55 percent of physician practice owners used personal funds to cover practice expenses during and immediately after the outage period. This created personal financial strain on physicians and practice owners beyond the direct business impacts on their practices. Some physicians reported reducing their office hours to manage expenses, while others considered closing their practices entirely due to the financial devastation caused by the breach and outage.
The prolonged disruption to pharmacy benefit transactions and insurance eligibility verification created access barriers for patients seeking medications and treatments. For individuals without the ability to pay out-of-pocket for prescriptions, the inability to use insurance coverage during the outage period meant going without needed medications. For chronic disease patients dependent on regular medication refills, gaps in medication access during the outage period created genuine health risks.

Data Breach Notification and Affected Individual Response
Change Healthcare’s process for notifying the millions of affected individuals involved in the breach extended over many months, beginning in late July 2024, almost five months after the breach was first discovered on February 21, 2024. Change Healthcare sent notification letters on a rolling basis to affected individuals for whom it could identify contact information, beginning July 29, 2024. The notification process was complicated by the fact that Change Healthcare, as a healthcare clearinghouse, did not always receive the name of the covered entity (healthcare provider or health plan) that had submitted the patient data that was compromised. In such cases, Change Healthcare issued notifications attributing the breach to an “Unidentified Covered Entity.”
The notification letters informed affected individuals of the types of data that had been compromised, including medical data and health insurance information, and offered two years of complimentary credit monitoring and identity theft protection services provided by a company called IDX. Individuals also received guidance on steps they could take to protect themselves from identity theft and fraud, including placing fraud alerts on their credit files, implementing security freezes, monitoring credit reports and medical records for unauthorized activity, and using strong unique passwords with multi-factor authentication on their accounts.
Change Healthcare also established a dedicated call center to answer questions from individuals impacted by the breach. Change Healthcare later indicated that the helpline would cease operations on August 26, 2025, which was also the final date for enrolling in the complimentary credit monitoring and identity theft protection services.
Many healthcare providers did not learn until months after the breach that their patients’ information had been compromised. For example, Monument Health in South Dakota was not notified by Change Healthcare until December 16, 2024, nearly 11 months after the breach, that up to 26,000 of its patients had their data stolen in the attack. This delayed notification to healthcare providers created a gap period during which patients could have been vulnerable to fraud or identity theft without being aware of the risk.
Legal Actions and Multidistrict Litigation
Multiple class-action lawsuits were filed almost immediately following the disclosure of the Change Healthcare breach, with individuals and healthcare providers alleging negligence, breach of duty, inadequate cybersecurity controls, failure to implement industry-standard security measures, and failure to provide timely breach notification. Healthcare providers also filed separate lawsuits seeking recovery for lost revenues and expenses incurred as a result of the service disruption caused by the cyberattack.
On June 7, 2024, the United States Judicial Panel on Multidistrict Litigation determined that multiple lawsuits pending in various federal district courts shared common questions of fact and should be consolidated in a single multidistrict litigation proceeding in the United States District Court for the District of Minnesota. The MDL consolidation streamlined the legal proceedings by centralizing pretrial discovery, expert development, and threshold motions practice in a single forum before a single judge, while preserving the option for individual trial remands to the transferor courts if cases were not resolved through settlement.
Change Healthcare filed motions to dismiss certain claims raised in the consolidated lawsuits, arguing that the company should not be subject to personal jurisdiction in Minnesota and that many of the plaintiffs could not demonstrate a sufficient connection between their claims and the company's operations there to support jurisdiction over the company. A federal district court judge extended the deadline for Change Healthcare to file additional motions to dismiss through March 2025, indicating that the litigation would continue to develop over the subsequent months.
The legal claims in the MDL proceedings focus on several key legal theories. The primary allegations center on Change Healthcare’s failure to implement and maintain reasonable cybersecurity safeguards to protect sensitive patient data, including the failure to implement multi-factor authentication, the failure to properly segment and protect its network, the failure to properly isolate backup systems, and the failure to conduct regular penetration testing and security audits that would have revealed these vulnerabilities. Secondary allegations focus on the company’s failure to maintain adequate incident detection and response capabilities that allowed the breach to go undetected for nine days. A third category of claims alleges that Change Healthcare failed to provide timely breach notification to affected individuals as required by the Health Insurance Portability and Accountability Act and state consumer protection laws, particularly given that it took nearly five months to begin notifying affected individuals of the breach.
Additional legal filings have come from state attorneys general. Nebraska Attorney General Mike Hilgers filed a lawsuit on December 16, 2024, against Change Healthcare Inc., Optum Inc., and their parent company UnitedHealth Group Incorporated, alleging that cybersecurity failures violated Nebraska’s consumer protection and data security laws. The complaint alleged that at least 575,000 Nebraskans and potentially over a million residents had their data compromised in the breach, and that the company’s failure to implement proper security measures, the inadequate response to the breach, and the delays in notifying consumers of the breach caused significant harm.
System Recovery and Restoration Efforts
The recovery of Change Healthcare’s systems following the ransomware attack has been a lengthy and complex process that extended well beyond the initial system recovery in mid-March 2024. While Change Healthcare brought critical systems partially back online beginning in mid-March 2024, approximately one month after the attack, full restoration of all systems took considerably longer and, in some cases, continues even into November 2025.
On March 15, 2024, Change Healthcare reported that its electronic payments platform had come back online and that more than 99 percent of pre-outage pharmacy claim volume was flowing through its systems. This represented significant progress in restoring critical payment and pharmacy functions that healthcare providers, pharmacies, and patients depended upon. However, other systems remained offline or severely degraded through March and into April 2024.
The recovery process was complicated by the fact that Change Healthcare’s critical systems were based on legacy technology and on-premises infrastructure that was vulnerable to the ransomware and provided limited opportunities for rapid recovery compared to cloud-based systems. The cloud-based systems that Change Healthcare and UnitedHealth Group had been migrating systems to were restored relatively quickly because they were not directly impacted by the ransomware attack on Change Healthcare’s on-premises infrastructure. However, the legacy on-premises data centers housing medical claims and payment processing systems took considerably longer to restore, as they required extensive forensic analysis, malware removal, data integrity verification, and system testing before they could be brought back online safely.
By November 2024, nine months after the initial attack, Change Healthcare announced that its clearinghouse services had been fully restored and were operational, though at the time the company noted that some partial service limitations remained in place for certain specialized functions. However, the recovery was incomplete in terms of returning the company to pre-attack business volumes and customer satisfaction levels. Healthcare providers who had switched to alternative vendors during the extended outage period did not necessarily rush back to Change Healthcare, with many organizations implementing vendor diversification and redundancy strategies to reduce their dependence on a single vendor for critical functions.
UnitedHealth Group reported in its fiscal 2024 third-quarter earnings update that while most of Change Healthcare’s IT systems had been restored, the company was working to win back customers who had switched to alternative vendors during the disruption and to build back the business to pre-attack levels of claims volume and revenues. The company projected that it would take the full year of 2025 and into 2026 to rebuild Change Healthcare’s business to pre-attack levels, with the company expecting that next year’s financial impact would be roughly half of 2024’s impact.
Systemic Implications and Healthcare Infrastructure Vulnerabilities
The Change Healthcare breach exposed critical vulnerabilities in the structure and resilience of the United States healthcare system that extend far beyond the specific cybersecurity failures at Change Healthcare itself. The concentration of healthcare infrastructure through vertical integration and consolidation in health insurance companies has created a system with limited redundancy and high dependency on single vendors for critical functions. Change Healthcare’s role as the dominant medical claims clearinghouse processing nearly 40 percent of all healthcare claims in the United States meant that its failure directly impacted nearly the entire healthcare delivery system across the country.
The American Hospital Association highlighted in its analysis of the attack that the merger of UnitedHealth Group, Change Healthcare, and Optum created a concentration of systemic, mission-critical business and clinical services that effectively became an operational “utility” for the entire health care sector. This concentration of risk meant that a single cybersecurity failure at one company could cascade through the entire healthcare system, affecting hospitals, physician practices, pharmacies, and patients nationwide.
Many Change Healthcare contracts with healthcare providers and health plans included exclusivity clauses that prevented organizations from using competing vendors, increasing the vulnerability of customers to business interruption if Change Healthcare’s services were disrupted. These exclusivity clauses meant that healthcare organizations that depended on Change Healthcare had no automatic means to switch to alternative vendors when Change Healthcare’s systems went offline, severely limiting their ability to adapt and continue operations during the outage. Only after regulatory pressure did Change Healthcare waive its exclusivity clauses to allow customers to work with competing clearinghouses during the recovery period.
The Office for Civil Rights issued a statement noting that most healthcare organizations’ advanced enterprise risk management programs had failed to identify the dependency on Change Healthcare and its technology as a critical risk representing a potential single point of failure for their operations. This highlighted a broader risk management failure across the healthcare sector where organizations had failed to adequately assess and mitigate third-party vendor risks and had failed to build appropriate redundancy and backup capabilities for mission-critical third-party-supplied services.
The Change Healthcare breach demonstrated the urgent need for healthcare organizations to develop and maintain dynamic, ongoing third-party risk management programs that identify and prioritize risks posed by vendors and service providers, incorporate cybersecurity requirements into vendor contracts, and ensure vendor compliance with industry-standard security practices. The fact that the attack succeeded despite the HIPAA Security Rule's existing safeguard requirements, and despite multi-factor authentication being a widely available and well-understood control, highlighted the need for strengthened HIPAA enforcement and audit activities.
The breach also demonstrated the critical importance of resilience, redundancy, and business continuity planning in healthcare. Organizations that had implemented robust business continuity plans, maintained backup payment systems, and had pre-established relationships with alternative vendors were better able to weather the extended outage compared to organizations that depended exclusively on Change Healthcare’s services. The American Hospital Association called for healthcare organizations to map potential impacts from loss of mission-critical services and develop downtime procedures that would allow continued operations during extended service disruptions lasting 30 days or longer.

Legislative and Regulatory Response
The Change Healthcare breach triggered significant legislative and regulatory interest in strengthening cybersecurity requirements and oversight in the healthcare sector. Multiple Congressional committees held hearings where UnitedHealth Group CEO Andrew Witty testified about the attack, the company's security failures, and the response efforts. Senators and Representatives from both political parties pressed Witty on questions including why a critical externally facing system did not have multi-factor authentication enabled despite the company's own policy requiring it and the control's status as a baseline industry practice, whether the company's security infrastructure met industry standards, and what the company would do to prevent similar attacks in the future.
Several senators, including Ron Wyden (D-Oregon) and Mark Warner (D-Virginia), introduced legislation that would require the Department of Health and Human Services to develop and enforce a set of tough minimum cybersecurity standards for healthcare providers, health plans, clearinghouses, and business associates. The proposed legislation would also remove the existing cap on civil monetary penalties under HIPAA, which has severely limited the financial penalties that regulators could impose for security violations. The low penalty caps under current HIPAA law have been criticized as insufficient to incentivize compliance with security standards and to deter security negligence by large healthcare organizations.
The Office for Civil Rights proposed an update to the HIPAA Security Rule that would require HIPAA-regulated entities to implement stronger safeguards to protect patient data, including mandatory multi-factor authentication, mandatory incident response planning, encryption of all protected health information at rest and in transit, and enhanced continuous monitoring and threat detection capabilities. These proposed rule changes would essentially codify into federal regulation many of the cybersecurity best practices that Change Healthcare had failed to implement.
The Centers for Medicare and Medicaid Services indicated that it would propose new cybersecurity requirements for hospitals as a condition of participation in Medicare and Medicaid programs, with noncompliance potentially resulting in civil monetary penalties or exclusion from these federal healthcare programs. These proposed regulatory changes collectively represent a shift toward stronger federal cybersecurity standards and more rigorous enforcement and oversight of healthcare cybersecurity compliance.
The Lingering Imprint of the Change Healthcare Breach
The Change Healthcare data breach of February 2024 represents the most significant and consequential cyberattack on healthcare infrastructure in United States history, affecting an estimated 192.7 million individuals, exposing comprehensive personal health information, disrupting healthcare delivery and payment processing across the nation, and imposing direct costs exceeding $2.9 billion on UnitedHealth Group alone. The breach resulted from multiple compounding cybersecurity failures, most prominently the absence of multi-factor authentication on a critical remote access portal, inadequate network segmentation, failure to properly isolate backup systems, insufficient threat detection and incident response capabilities, and inadequate governance oversight of cybersecurity risks.
The operational impact of the breach extended far beyond direct data loss, causing a prolonged system outage that devastated healthcare providers’ revenue cycles, forced many organizations to exhaust financial reserves or take out emergency loans to meet payroll and operational expenses, disrupted patient access to medications and medical procedures through delayed insurance authorizations, and threatened the survival of many smaller healthcare organizations, particularly in rural communities.
The regulatory and legal response to the breach has been substantial, with the Office for Civil Rights conducting an unprecedented proactive investigation, multiple class-action lawsuits being filed and consolidated in multidistrict litigation, state attorneys general filing separate actions, and Congress holding hearings to examine the breach and consider legislative responses. The breach has catalyzed discussions about strengthening federal cybersecurity standards and enforcement in the healthcare sector, removing penalty caps under HIPAA to allow more substantial penalties for security violations, and requiring stronger third-party risk management throughout the healthcare system.
Looking forward, the Change Healthcare breach has created a “before and after” moment for healthcare cybersecurity. Healthcare organizations across the country are reassessing their vendor dependencies, implementing vendor redundancy and diversification strategies to reduce reliance on single vendors for critical functions, and strengthening their cybersecurity infrastructure and incident response capabilities. The breach has demonstrated that healthcare cybersecurity is not merely an information technology concern but a critical matter affecting patient safety, access to care, and the financial viability of healthcare organizations nationwide. The lessons from Change Healthcare will continue to shape healthcare cybersecurity practices, regulatory requirements, and organizational resilience strategies for years to come, serving as a cautionary tale about the consequences of inadequate cybersecurity investment, delayed modernization of critical infrastructure, and insufficient governance oversight of technology risks in mission-critical healthcare organizations.