TP-2024-0002 critical AI Draft B

Change Healthcare Ransomware Attack

Date February 21, 2024
Attack Type Ransomware Sector Healthcare
Geography United States
Threat Actor ALPHV/BlackCat
Attribution A3
Confidence B

Summary

On February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group (UHG) and one of the largest healthcare technology companies in the United States, experienced a ransomware attack attributed to the ALPHV/BlackCat ransomware group. Change Healthcare processes approximately 15 billion healthcare transactions annually and handles data touching roughly one-third of U.S. patient records. The attack caused disruption across the U.S. healthcare system, affecting pharmacies, hospitals, insurers, and provider billing operations for weeks.

UnitedHealth Group disclosed the incident in a Form 8-K filed with the U.S. Securities and Exchange Commission on February 21, 2024. In subsequent public updates and Congressional testimony, UHG confirmed that the threat actor entered Change Healthcare’s systems through a Citrix remote access portal that lacked multi-factor authentication, using compromised credentials. The attackers claimed to have exfiltrated approximately 6 TB of data before ransomware was deployed. UHG’s 2024 annual report confirmed that approximately 190 million individuals were affected, making this the largest healthcare data breach notification event in U.S. history.

The ALPHV/BlackCat ransomware group claimed responsibility for the attack, which aligns with CISA and HHS advisories documenting the group’s pattern of targeting the healthcare sector. UHG provided over $6 billion in accelerated payments and interest-free loans to affected healthcare providers to offset cash flow disruption during the outage period.

Technical Analysis

The attacker gained initial access through Change Healthcare’s Citrix remote access infrastructure using compromised employee credentials. UHG CEO Andrew Witty testified before Congress that the Citrix portal used to gain initial entry was not protected by multi-factor authentication (MFA). This control gap allowed the attacker to authenticate as a legitimate user and establish a foothold within Change Healthcare’s environment.

Following initial access, the attacker conducted reconnaissance and lateral movement for roughly nine days before deploying ransomware: according to Witty’s written Congressional testimony, the compromised credentials were first used against the Citrix portal on February 12, 2024, and encryption was deployed on February 21. ALPHV/BlackCat is a ransomware-as-a-service (RaaS) operation whose affiliates use a Rust-based ransomware payload capable of targeting Windows, Linux, and VMware ESXi systems. The group employs double-extortion tactics, exfiltrating data prior to encryption to create additional leverage for ransom demands.

The attackers claimed to have exfiltrated approximately 6 TB of data from Change Healthcare systems. The data contained protected health information (PHI), personally identifiable information (PII), and financial records belonging to patients, providers, and insurers. Following exfiltration, ransomware was deployed to encrypt systems supporting Change Healthcare’s transaction processing infrastructure, severing connectivity between Change Healthcare and approximately 67,000 pharmacies as well as the hospitals and other provider systems that depend on it.

The CISA advisory AA23-353A (StopRansomware: ALPHV Blackcat), first published in December 2023 and updated by the FBI, CISA, and HHS on February 27, 2024, documents the technical indicators associated with the group’s tooling and, in the February update, the group’s disproportionate targeting of healthcare sector organizations since late 2023.

Attack Chain

Stage 1: Credential Compromise

The attacker obtained valid credentials for a Change Healthcare employee account. The specific credential compromise method has not been publicly confirmed; however, the credentials were used to authenticate to Change Healthcare’s Citrix remote access portal, which processed remote workforce connections.

Stage 2: Initial Access via Citrix Portal

Using the compromised credentials, the attacker authenticated to Change Healthcare’s Citrix environment. The portal lacked multi-factor authentication, enabling the attacker to gain access without a second verification factor. This provided an authenticated session within the Change Healthcare network perimeter.

Stage 3: Reconnaissance and Lateral Movement

After establishing the initial foothold, the attacker conducted internal reconnaissance to identify high-value systems, data repositories, and the transaction processing infrastructure. The attacker moved laterally through the environment, escalating access to systems containing protected health information and financial data.

Stage 4: Data Exfiltration

Prior to ransomware deployment, the attacker exfiltrated data that the group later claimed amounted to approximately 6 TB. Exfiltrated records included protected health information, claims data, patient and provider personal information, and financial records. This exfiltration established the basis for the group’s double-extortion demands.

Stage 5: Ransomware Deployment

The attacker deployed ALPHV/BlackCat ransomware across Change Healthcare’s environment, encrypting systems that supported healthcare transaction processing, claims adjudication, pharmacy connectivity, and prior authorization workflows. The encryption caused an outage affecting interconnected healthcare organizations across the United States.

Impact Assessment

The operational impact of the attack extended across the U.S. healthcare sector for weeks following February 21, 2024. Approximately 67,000 pharmacies reported disruptions to prescription processing and insurance verification. Hospitals and provider practices lost access to electronic claims submission, prior authorization, and eligibility verification systems. Revenue cycle operations for healthcare providers were disrupted, leading to cash flow shortfalls.

UnitedHealth Group reported providing over $6 billion in accelerated payments and no-interest loans to affected healthcare providers to address the financial disruption caused by the outage. The company reported $872 million in costs attributed to the cyberattack in its first-quarter 2024 results and projected total 2024 costs exceeding $1 billion.

UHG’s 2024 annual report confirmed the total number of individuals impacted was approximately 190 million, the largest HIPAA breach notification event in U.S. history. The affected data included: names, addresses, dates of birth, phone numbers, Social Security numbers, driver’s license and state ID numbers, passport numbers, health insurance member IDs, medical record numbers, diagnoses, medication information, and financial and banking information for a subset of individuals.

The HHS Office for Civil Rights opened an investigation into UHG’s HIPAA compliance and issued guidance clarifying that Change Healthcare, as a business associate, was obligated to notify the affected covered entities, and that those covered entities could delegate notification of affected individuals to Change Healthcare rather than issuing duplicate notices themselves.

Attribution

ALPHV/BlackCat, a ransomware-as-a-service operation, claimed responsibility for the attack on its data leak site. The group stated it had exfiltrated 6 TB of data including PHI and financial records. CISA advisory AA23-353A, published in December 2023, documented ALPHV/BlackCat’s targeting of healthcare sector organizations and the technical indicators associated with the group.

UHG CEO Andrew Witty confirmed before Congress in May 2024 that the ransomware group responsible was identified as ALPHV/BlackCat. UHG did not publicly dispute the group’s claim of responsibility. The attribution is consistent with law enforcement assessments of ALPHV/BlackCat’s operations during this period, though no government attribution statement specific to the Change Healthcare incident has been independently published by CISA or the FBI.

Timeline

2024-02-21 — Ransomware Deployment and Initial Disclosure

Change Healthcare systems are encrypted following attacker access. UHG files an 8-K with the SEC disclosing a cybersecurity incident. Change Healthcare begins disconnecting systems to contain the spread.

2024-02-21 — Healthcare Sector Disruption Begins

Approximately 67,000 pharmacies and thousands of provider organizations begin reporting loss of connectivity to Change Healthcare’s transaction processing services, affecting prescription fulfillment, claims, and eligibility verification.

2024-03-07 — UHG March Update

UHG publishes an update confirming ongoing remediation, a phased restoration schedule for pharmacy, payment, and claims systems, and the launch of a temporary funding assistance program for affected providers.

2024-04-19 — HHS OCR Guidance Published

The U.S. Department of Health and Human Services Office for Civil Rights publishes a bulletin clarifying HIPAA breach notification obligations for covered entities and business associates affected by the Change Healthcare incident.

2024-04-22 — UHG April Update

UHG publishes an April update confirming that files containing protected health information and personally identifiable information were taken and that the company is working to notify affected individuals and entities. The detail that the Citrix portal lacked MFA and that compromised credentials were used for initial access is confirmed in Witty’s written testimony released in late April, ahead of the May 1 hearings.

2024-05-01 — Congressional Testimony

UHG CEO Andrew Witty testifies before the U.S. Senate Finance Committee and House Energy and Commerce Committee, confirming that the Citrix portal used for initial access lacked multi-factor authentication and that the company paid a ransom demand.

2025-02-27 — Impacted Population Confirmed

UHG’s 2024 annual report, filed with the SEC, confirms the total number of individuals impacted by the Change Healthcare cyberattack was approximately 190 million, the largest HIPAA breach notification event in U.S. history.

Remediation & Mitigation

UHG disconnected Change Healthcare systems following detection to contain the ransomware deployment. Restoration of pharmacy connectivity and claims processing was conducted over a period of weeks, with some services restored in phases beginning in early March 2024. Full system restoration across all Change Healthcare services extended through late spring 2024.

The core control failure identified in public disclosures was the absence of multi-factor authentication on the Citrix remote access portal. Healthcare organizations should enforce MFA on all remote access infrastructure, including VPN and virtual desktop environments. The CISA advisory AA23-353A provides specific ALPHV/BlackCat indicators of compromise and recommended mitigations that apply to healthcare sector organizations.

HHS OCR and CISA have each recommended the following controls to reduce exposure to similar attacks:

  • Enforce MFA on all remote access systems and administrative consoles.
  • Implement network segmentation to limit lateral movement between clinical, administrative, and financial systems.
  • Apply the principle of least privilege to service accounts and administrator credentials.
  • Maintain offline and tested backups of critical data and systems.
  • Conduct regular vulnerability assessments of internet-facing systems and remote access infrastructure.
  • Establish and test incident response and business continuity plans that account for third-party healthcare IT dependencies.
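One check a practitioner would want after the control list above is whether any remote-access portal still admits password-only sessions, and whether such sessions are followed by bulk outbound transfers, the pattern this incident followed. The following Python script is an added example, not code from the original report, from UHG, or from Citrix: it reads a constructed JSON-lines log (the event schema, the 1 TB/day threshold, and the ten-day correlation window are assumptions of the example) and reports per-portal MFA coverage plus egress alerts, escalating severity when the transferring account entered through a non-MFA login.

```python
"""Remote-access MFA coverage audit and exfiltration correlation.

Added example (not code from the original report, UHG, or Citrix). It reads a
constructed JSON-lines log with two event kinds:
  auth   - a remote-access portal login attempt (user, portal, result, mfa)
  egress - a daily outbound byte count attributed to a user
The schema, thresholds and sample data are assumptions made for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real telemetry).
SAMPLE_LOG = """
{"ts":"2024-01-10T08:05:00Z","type":"auth","user":"alice","portal":"gw-east","result":"success","mfa":true,"src":"203.0.113.10"}
{"ts":"2024-01-10T09:12:00Z","type":"auth","user":"bob","portal":"gw-west","result":"success","mfa":false,"src":"198.51.100.7"}
{"ts":"2024-01-10T09:13:00Z","type":"auth","user":"carol","portal":"gw-west","result":"failure","mfa":false,"src":"198.51.100.9"}
{"ts":"2024-01-10T23:59:00Z","type":"egress","user":"alice","bytes":1200000000}
{"ts":"2024-01-11T23:59:00Z","type":"egress","user":"bob","bytes":900000000}
{"ts":"2024-01-14T23:59:00Z","type":"egress","user":"bob","bytes":2200000000000}
{"ts":"2024-01-15T10:00:00Z","type":"auth","user":"dave","portal":"gw-east","result":"success","mfa":true,"src":"192.0.2.44"}
{"ts":"2024-01-16T23:59:00Z","type":"egress","user":"dave","bytes":1900000000000}
"""

ONE_TB = 1_000_000_000_000  # assumed daily egress threshold for this example


def parse_events(text):
    """Parse JSON lines into event dicts with timezone-aware timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def mfa_coverage(events):
    """Per portal: (successful logins, successful logins that had no MFA).

    A non-zero second value means the portal admits sessions on a password
    alone, the control gap described in the report."""
    cov = defaultdict(lambda: [0, 0])
    for ev in events:
        if ev["type"] == "auth" and ev["result"] == "success":
            cov[ev["portal"]][0] += 1
            if not ev.get("mfa", False):
                cov[ev["portal"]][1] += 1
    return {portal: tuple(counts) for portal, counts in cov.items()}


def non_mfa_logins(events):
    """Successful remote-access logins completed without a second factor."""
    return [ev for ev in events
            if ev["type"] == "auth" and ev["result"] == "success" and not ev.get("mfa", False)]


def egress_alerts(events, threshold=ONE_TB, window=timedelta(days=10)):
    """Flag daily egress at or above `threshold` bytes.

    Severity is raised to 'critical' when the same account completed a non-MFA
    remote-access login within `window` before the transfer, i.e. the
    credential-only entry followed by bulk exfiltration pattern."""
    weak = non_mfa_logins(events)
    alerts = []
    for ev in events:
        if ev["type"] != "egress" or ev["bytes"] < threshold:
            continue
        prior = [w for w in weak
                 if w["user"] == ev["user"] and ev["ts"] - window <= w["ts"] <= ev["ts"]]
        alerts.append({
            "user": ev["user"],
            "ts": ev["ts"].isoformat(),
            "bytes": ev["bytes"],
            "severity": "critical" if prior else "high",
            "non_mfa_login_ts": prior[-1]["ts"].isoformat() if prior else None,
        })
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for portal, (total, no_mfa) in sorted(mfa_coverage(evs).items()):
        print(f"{portal}: {total} successful logins, {no_mfa} without MFA")
    for a in egress_alerts(evs):
        print(f"[{a['severity']}] {a['user']} moved {a['bytes']:,} bytes at {a['ts']}"
              f" (non-MFA login: {a['non_mfa_login_ts']})")
```

On the sample data the audit reports that gw-west still completes password-only logins, and the egress check raises bob’s transfer to critical because it follows a non-MFA login by the same account, while dave’s comparable transfer stays at high because his session carried a second factor. In production the same two functions would run over the portal’s authentication export and a per-user egress rollup from the network or proxy layer; the threshold should be set from observed baselines rather than the fixed 1 TB used here.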

Organizations that rely on healthcare clearinghouses or transaction processors should assess their vendor concentration risk and establish contingency procedures that do not depend on single points of failure in their revenue cycle operations.

Sources & References