A Vendor Breach That Disrupted an Entire Industry
On February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group's Optum division, was hit by a ransomware attack carried out by the ALPHV/BlackCat ransomware group. Change Healthcare processes approximately 15 billion healthcare claims transactions annually — roughly one-third of all U.S. healthcare claims — making it one of the most critical third-party vendors in the American healthcare system. The attack brought claims processing to a halt nationwide, delayed prescription fulfillment for millions of patients, and ultimately exposed the protected health information of 190 million individuals, making it the largest healthcare data breach in history.
The Attack and Its Immediate Impact
The ALPHV/BlackCat group gained initial access to Change Healthcare's systems through compromised credentials on a Citrix remote access portal that lacked multi-factor authentication (MFA), as UnitedHealth Group CEO Andrew Witty confirmed during Congressional testimony in May 2024. Once inside, the attackers moved laterally through Change Healthcare's network for approximately nine days before deploying the ransomware payload on February 21.
The operational disruption was immediate and far-reaching:
- Claims processing halted. Hospitals, physician practices, and pharmacies across the United States could not submit electronic claims, causing a massive backlog and cash flow crisis for healthcare providers.
- Prescription delays. Pharmacies were unable to process insurance claims for prescriptions, forcing patients to pay out-of-pocket or go without medication.
- Provider payment disruptions. Smaller healthcare providers, many of which operate on thin margins, faced potential insolvency as claims payments stopped. UnitedHealth Group established a temporary financial assistance program, advancing over $6 billion to affected providers.
- Emergency response. The U.S. Department of Health and Human Services (HHS) issued guidance, and the American Medical Association (AMA) called it "the most significant and consequential incident of its kind" against the U.S. healthcare system.
The Ransom and Double Extortion
UnitedHealth Group paid a $22 million ransom to the ALPHV/BlackCat group. In a twist that illustrated the unreliability of criminal negotiations, the ALPHV group then appeared to execute an "exit scam": it took the ransom payment and shut down its infrastructure without fully delivering on its promises. Subsequently, an affiliate group calling itself RansomHub claimed to still possess the stolen data and issued additional extortion demands.
Scale of Data Exposure
In October 2024, UnitedHealth Group updated its breach notification to confirm that approximately 190 million individuals were affected, a dramatic increase from earlier estimates of 100 million. The compromised data included:
| Data Category | Details |
|---|---|
| Personal Information | Names, addresses, dates of birth, Social Security numbers |
| Health Information | Diagnoses, medications, test results, treatment records |
| Insurance Information | Health plan details, member/group ID numbers, Medicaid/Medicare IDs |
| Financial Information | Claims and billing data, payment information, banking details |
Financial Impact
In its SEC filings, UnitedHealth Group reported that the total cost of the Change Healthcare breach exceeded $2 billion through 2024, encompassing incident response, system restoration, provider financial assistance, customer notifications, and enhanced security measures. This figure does not include ongoing litigation costs, regulatory penalties from the HHS Office for Civil Rights (OCR) investigation, or long-term reputational damage.
Third-Party Risk Management Lessons
- Vendor concentration is systemic risk. Change Healthcare's dominance in claims processing meant its failure cascaded across the entire healthcare industry. TPRM programs should map vendor concentration and model the impact of critical vendor failure on business operations.
- Basic controls matter most. The breach was enabled by the absence of MFA on a remote access portal. Vendor security assessments must verify the implementation of foundational controls, not just the existence of policies.
- Business continuity planning must include vendor failure. Most healthcare providers had no contingency plan for Change Healthcare becoming unavailable. Organizations should develop and test business continuity plans that account for the failure of their most critical vendors.
- Ransomware payment does not ensure resolution. The ALPHV exit scam and subsequent RansomHub extortion demonstrate that paying ransoms provides no guarantee. TPRM risk models should not assume ransom payment as a viable mitigation strategy.
- Congressional and regulatory scrutiny follows vendor failures. The Change Healthcare breach triggered Congressional hearings, an HHS OCR investigation, and proposed regulatory changes. Organizations that depend on critical vendors should anticipate regulatory exposure from vendor breaches.
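The "vendor concentration" and "business continuity" lessons above can be turned into a repeatable check. The following is an added example, not code from this page or from Fair TPRM: it maps business processes to the vendors they depend on and computes which processes stop, and what share of revenue is at risk, when a single vendor becomes unavailable. A process survives only if every dependency group still has at least one working vendor, so a process with a backup clearinghouse is not counted as lost. The process names, vendor names and revenue shares are constructed for illustration.

```python
"""Model the business impact of a single third-party vendor becoming unavailable.

Added example, not code from the page or from Fair TPRM. Business processes,
vendor names and revenue shares below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    """A business process and the vendor groups it depends on.

    Each inner tuple is a group of interchangeable vendors: the process keeps
    running as long as at least one vendor in every group is available.
    """
    name: str
    revenue_share: float                       # fraction of revenue flowing through this process
    dependencies: tuple[tuple[str, ...], ...]


def process_survives(proc: Process, failed: set[str]) -> bool:
    """True if every dependency group still has at least one working vendor."""
    return all(any(v not in failed for v in group) for group in proc.dependencies)


def failure_impact(processes, failed):
    """Return (lost process names, revenue share at risk) if the `failed` vendors go down."""
    lost = [p.name for p in processes if not process_survives(p, failed)]
    at_risk = sum(p.revenue_share for p in processes if p.name in lost)
    return lost, round(at_risk, 4)


def all_vendors(processes):
    """Every vendor named anywhere in the dependency map, sorted for stable output."""
    return sorted({v for p in processes for group in p.dependencies for v in group})


def concentration_report(processes, threshold=0.25):
    """Rank each vendor by the revenue share lost if it alone fails; flag single points of failure."""
    rows = []
    for vendor in all_vendors(processes):
        lost, at_risk = failure_impact(processes, {vendor})
        rows.append({"vendor": vendor, "revenue_at_risk": at_risk,
                     "processes_lost": lost, "spof": at_risk >= threshold})
    rows.sort(key=lambda r: r["revenue_at_risk"], reverse=True)
    return rows


# Constructed sample: a provider whose claims submission and eligibility checks
# run through one clearinghouse, while pharmacy claims have a second route.
SAMPLE_PROCESSES = (
    Process("claims_submission", 0.55, (("ClearinghouseA",),)),
    Process("eligibility_verification", 0.10, (("ClearinghouseA",),)),
    Process("pharmacy_claims", 0.20, (("ClearinghouseA", "ClearinghouseB"),)),
    Process("patient_billing", 0.15, (("BillingVendor",), ("PaymentProcessor",))),
)

if __name__ == "__main__":
    for row in concentration_report(SAMPLE_PROCESSES):
        flag = "SPOF" if row["spof"] else "ok"
        print(f"{row['vendor']:<18} {row['revenue_at_risk']:>6.0%}  {flag:<4} {row['processes_lost']}")
```

Run as a script it lists every vendor with the revenue share that stops flowing if that vendor alone fails; in the constructed sample the single clearinghouse carries 65% of revenue and is flagged, while its backup-covered pharmacy route is not. The same `failure_impact` call accepts a set of several vendors, so correlated failures (two vendors sharing one upstream provider) can be modelled by passing both names.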
FAIR Quantification of Healthcare Vendor Risk
The Change Healthcare breach is a landmark data point for FAIR risk quantification in the healthcare sector. With $2+ billion in direct costs, 190 million affected individuals, and nationwide operational disruption, it establishes a concrete upper-bound estimate for loss magnitude when a systemically important healthcare vendor is compromised. Organizations using FAIR to quantify vendor risk should use this incident to calibrate their loss magnitude estimates for critical claims-processing and health information exchange vendors.
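To show what "calibrating loss magnitude" looks like in practice, here is an added example that is not code from this page or from Fair TPRM. It runs a FAIR-style Monte Carlo simulation: Loss Event Frequency and Loss Magnitude are each expressed as a minimum / most-likely / maximum range and sampled with a PERT distribution, the standard way FAIR inputs are elicited, and the annual loss is summed over the simulated events in each year. The only number taken from the page is the $2 billion ceiling used as the combined maximum of primary and secondary loss; the frequency range, the lower bounds and the most-likely values are assumptions a risk analyst would replace with their own estimates.

```python
"""FAIR-style Monte Carlo estimate of annualized loss from a critical vendor compromise.

Added example, not code from the page or from Fair TPRM. The model structure
(Risk = Loss Event Frequency x Loss Magnitude, ranges as min / most likely / max
sampled with a PERT distribution) is standard FAIR practice; every numeric input
below except the $2 billion loss ceiling is an assumption.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Min / most-likely / max estimate, sampled as a modified PERT (lambda = 4)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:          # degenerate range: a point estimate
            return self.low
        span = self.high - self.low
        alpha = 1 + 4 * (self.mode - self.low) / span
        beta = 1 + 4 * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(alpha, beta)


@dataclass(frozen=True)
class VendorScenario:
    name: str
    lef: Pert             # loss events per year (Threat Event Frequency x Vulnerability)
    primary_loss: Pert    # response, restoration, provider assistance, notification
    secondary_loss: Pert  # regulatory penalties, litigation, reputational loss


def max_loss_magnitude(scenario: VendorScenario) -> float:
    """Worst-case single-event loss, the figure the Change Healthcare cost calibrates."""
    return scenario.primary_loss.high + scenario.secondary_loss.high


def poisson(rate: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small yearly event rates used here."""
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(scenario: VendorScenario, years: int = 10_000, seed: int = 1) -> list[float]:
    """Return one total loss figure per simulated year."""
    rng = random.Random(seed)
    results = []
    for _ in range(years):
        rate = scenario.lef.sample(rng)          # this year's expected event rate
        events = poisson(rate, rng)              # how many loss events actually occur
        loss = 0.0
        for _ in range(events):
            loss += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        results.append(loss)
    return results


def summarize(losses: list[float]) -> dict:
    """Annualized loss expectancy plus the percentiles a FAIR report normally shows."""
    s = sorted(losses)

    def pct(q: float) -> float:
        return s[min(len(s) - 1, int(q * len(s)))]

    return {
        "ale_mean": statistics.fmean(s),
        "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90), "max": s[-1],
        "p_any_loss": sum(1 for x in s if x > 0) / len(s),
    }


# Calibrated scenario for a systemically important claims-processing vendor.
# The combined $2.0 billion ceiling is the Change Healthcare figure cited above;
# frequency, lower bounds and most-likely values are assumptions.
CHANGE_CALIBRATED = VendorScenario(
    name="critical claims-processing vendor compromise",
    lef=Pert(0.02, 0.05, 0.20),              # assumed: once per 50 years to once per 5 years
    primary_loss=Pert(50e6, 400e6, 1.5e9),   # assumed range
    secondary_loss=Pert(10e6, 150e6, 0.5e9), # assumed range; primary + secondary max = $2.0B
)

if __name__ == "__main__":
    summary = summarize(simulate(CHANGE_CALIBRATED))
    print(f"Scenario: {CHANGE_CALIBRATED.name}")
    print(f"Single-event ceiling: ${max_loss_magnitude(CHANGE_CALIBRATED) / 1e9:.1f}B")
    for key, value in summary.items():
        print(f"{key:<11} {value:,.0f}" if key != "p_any_loss" else f"{key:<11} {value:.1%}")
```

Because the assumed frequency is low, most simulated years show zero loss and the 90th percentile is zero; the annualized loss expectancy (`ale_mean`) is what a TPRM program would compare against the cost of controls such as contractual MFA requirements or a second clearinghouse. Changing `lef` or the two loss ranges and re-running is the calibration step the paragraph above describes.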
Protect Your Organization from Third-Party Risk
Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification.
Sources & References
- Change Healthcare Cyberattack Information - UnitedHealth Group
- UnitedHealth Group SEC 8-K Filings - U.S. Securities and Exchange Commission
- Change Healthcare Cybersecurity Incident - U.S. Department of Health and Human Services
- Congressional Testimony: Examining the Change Healthcare Cyberattack - House Energy & Commerce Committee
- Change Healthcare Cyberattack: What Physicians Need to Know - American Medical Association