Change Healthcare Breach 2024: The $872M Ransomware Attack That Crippled American Healthcare
Breach Summary
On February 21, 2024, Change Healthcare, a UnitedHealth Group subsidiary that processes approximately 40% of all US healthcare claims, suffered a ransomware attack that took its payment processing infrastructure offline for weeks, disrupting care delivery across hospitals, pharmacies, and physician practices nationwide. UnitedHealth Group reported breach-related costs of $872 million for the first quarter of 2024 alone. The human impact (delayed prescriptions, disrupted billing, deferred procedures) is far harder to quantify. The initial access vector was a single Citrix remote access portal that did not require multi-factor authentication.
Change Healthcare is not primarily important as a ransomware event. It is important as a systemic risk event — a demonstration that a single critical infrastructure company can become a single point of failure for an entire healthcare sector, and that the attack surface protecting that infrastructure may be no more sophisticated than a missing MFA configuration.
What Happened
The Initial Access: A Citrix Portal Without MFA
An affiliate of the ALPHV/BlackCat ransomware operation gained access to Change Healthcare's environment using compromised credentials for a Citrix remote access portal. The portal did not have multi-factor authentication enabled. How the credentials were obtained has not been publicly specified, but the possibilities are familiar: purchase from an initial access broker, password spraying, or phishing. Whatever the acquisition method, the absence of MFA meant that a valid username and password alone were sufficient for full remote access.
Nine Days of Dwell Time
ALPHV/BlackCat actors spent approximately nine days inside Change Healthcare's network before deploying ransomware. During this period, they conducted reconnaissance, mapped the network architecture, identified and accessed sensitive data repositories, and exfiltrated data before initiating encryption. The nine-day staging period represented nine days during which detection and response could have prevented the ransomware deployment — and did not.
The Encryption and Its Consequences
When the ransomware executed on February 21, it took offline the claims processing infrastructure that connects healthcare providers to insurers across the United States. The downstream effects were immediate and severe. Pharmacies could not process insurance claims in real time, forcing patients to pay out-of-pocket or go without medications. Hospitals could not receive payments from insurers for services rendered. Physician practices had no mechanism to verify patient coverage or submit claims. The disruption affected an estimated 90% of US hospitals and health systems in some form.
The Ransom Payment and Double Extortion
UnitedHealth Group paid ALPHV/BlackCat a reported $22 million ransom. In a remarkable development, ALPHV/BlackCat then exit-scammed their own affiliate who conducted the breach — disappearing with the $22M without providing the affiliate's share. The stolen data was subsequently offered for sale by a different group, RansomHub, which claimed to have obtained 4TB of sensitive patient and business data. UnitedHealth has confirmed that protected health information was included in the exfiltrated data.
Attack Vector Detail
The Attack Vector: One Missing MFA Configuration
The Change Healthcare breach began with a Citrix remote access portal that did not have MFA enabled. This is not an exotic technical vulnerability. It is a configuration gap that exists in a meaningful percentage of enterprise environments — VPN portals, remote desktop gateways, legacy application access points, and vendor-managed infrastructure that was provisioned before MFA enforcement became standard.
The specific Citrix product involved, Citrix NetScaler used for remote access, is a frequent target for credential-based attacks because it sits on the internet edge and is widely deployed in healthcare and other sectors that have been slower to modernize remote access architecture. A high-value target, a common remote access solution, and a missing MFA configuration together created the conditions for one of the most consequential ransomware events in healthcare history.
The nine-day dwell time before encryption represents the detection opportunity that was missed. Modern ransomware groups conducting staged operations generate detectable signals during their reconnaissance, exfiltration, and pre-positioning phases. Behavioral monitoring for anomalous authentication patterns, unusual data access volumes, and suspicious use of administrative tools during those nine days would have provided opportunities to contain the attack before encryption. The absence of those detections allowed nine days of attacker activity to proceed unobserved.
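The three signals named above (a successful login with no second factor, a login from a source the account has never used, and a transfer far outside the account's baseline volume) can each be checked with a few lines of logic over remote-access gateway logs. The block below is an added example, not code from Change Healthcare, UnitedHealth, or Citrix. The log format is an assumption (one JSON object per line with `ts`, `event`, `user`, `src_ip`, `mfa`, `ok` and `bytes` fields), and the sample lines are constructed for illustration: a user with a quiet baseline, then a login without MFA from an unfamiliar address followed by a very large outbound transfer.

```python
"""Detection sweep over constructed remote-access gateway logs.

Added example, not Change Healthcare's or Citrix's code. The log format
and field names are assumptions: one JSON object per line carrying a
timestamp, event type, user, source IP, whether a second factor was
presented on login, whether the login succeeded, and, for data events,
the bytes transferred.
"""
import json
from datetime import datetime
from statistics import median

# Constructed sample log (not real data). Three days of routine activity
# for "jdoe", then a failed and a successful login without MFA from a new
# address, then a very large transfer from that session.
SAMPLE_LOG = """\
{"ts": "2024-02-05T09:01:00Z", "event": "login", "user": "jdoe", "src_ip": "203.0.113.7", "mfa": true, "ok": true}
{"ts": "2024-02-05T09:30:00Z", "event": "transfer", "user": "jdoe", "src_ip": "203.0.113.7", "bytes": 52000000}
{"ts": "2024-02-06T09:05:00Z", "event": "login", "user": "jdoe", "src_ip": "203.0.113.7", "mfa": true, "ok": true}
{"ts": "2024-02-06T10:00:00Z", "event": "transfer", "user": "jdoe", "src_ip": "203.0.113.7", "bytes": 48000000}
{"ts": "2024-02-07T09:02:00Z", "event": "login", "user": "jdoe", "src_ip": "203.0.113.7", "mfa": true, "ok": true}
{"ts": "2024-02-07T11:00:00Z", "event": "transfer", "user": "jdoe", "src_ip": "203.0.113.7", "bytes": 50000000}
{"ts": "2024-02-12T02:10:00Z", "event": "login", "user": "jdoe", "src_ip": "198.51.100.23", "mfa": false, "ok": false}
{"ts": "2024-02-12T02:14:00Z", "event": "login", "user": "jdoe", "src_ip": "198.51.100.23", "mfa": false, "ok": true}
{"ts": "2024-02-13T03:40:00Z", "event": "transfer", "user": "jdoe", "src_ip": "198.51.100.23", "bytes": 900000000000}
"""


def parse_log(text):
    """Parse JSON-per-line events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_mfa_gaps(events):
    """Successful logins where no second factor was presented.

    On a portal that enforces MFA this list should be empty; any hit is
    either a policy bypass or a portal where MFA was never enabled.
    """
    return [e for e in events
            if e["event"] == "login" and e.get("ok") and not e.get("mfa")]


def find_new_source_logins(events):
    """Successful logins from an IP this user has not used before.

    The first login ever seen for a user is not flagged: there is no
    baseline to compare it against.
    """
    seen = {}  # user -> set of source IPs observed so far
    hits = []
    for e in events:
        if e["event"] != "login" or not e.get("ok"):
            continue
        ips = seen.setdefault(e["user"], set())
        if ips and e["src_ip"] not in ips:
            hits.append(e)
        ips.add(e["src_ip"])
    return hits


def find_volume_anomalies(events, factor=10, min_history=2):
    """Transfers larger than `factor` times the user's median prior transfer.

    Requires `min_history` earlier transfers so a single large job by a
    brand-new account does not fire on its own.
    """
    history = {}  # user -> list of prior transfer sizes in bytes
    hits = []
    for e in events:
        if e["event"] != "transfer":
            continue
        prior = history.setdefault(e["user"], [])
        if len(prior) >= min_history and e["bytes"] > factor * median(prior):
            hits.append(e)
        prior.append(e["bytes"])
    return hits


def run_sweep(text):
    """Run all three checks over a log and return findings by category."""
    events = parse_log(text)
    return {
        "mfa_gap": find_mfa_gaps(events),
        "new_source_login": find_new_source_logins(events),
        "volume_anomaly": find_volume_anomalies(events),
    }


def describe(findings):
    """Flatten findings into one human-readable line per hit."""
    return [f"{kind}: {e['ts'].isoformat()} user={e['user']} src={e['src_ip']}"
            for kind, evs in findings.items() for e in evs]


if __name__ == "__main__":
    for line in describe(run_sweep(SAMPLE_LOG)):
        print(line)
```

Run against the constructed sample, the sweep reports three findings for the same account on February 12 and 13: an MFA gap, a first-seen source address, and a transfer roughly eighteen thousand times the account's baseline. Any one of those in a real environment is a reason to suspend the session and investigate; all three together, on a gateway fronting claims infrastructure, are the nine-day window the page describes.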
Breach Pattern Timeline
February 12, 2024
ALPHV/BlackCat ransomware affiliate gains initial access to Change Healthcare via a Citrix portal that lacked multi-factor authentication. The origin of the credentials has not been publicly confirmed; infostealer logs sold on criminal markets are one commonly reported possibility.
February 12-21, 2024
Attackers operate inside Change Healthcare's network for nine days, exfiltrating data that they later claim totals roughly 6 TB, including protected health information, medical claims, and payment records; the affected population is ultimately put at ~190 million Americans.
February 21, 2024
ALPHV/BlackCat affiliate deploys ransomware. Change Healthcare takes systems offline. Pharmacy claims, prior authorization, and payment processing for ~70% of U.S. pharmacies and ~40% of U.S. hospitals halts immediately.
February 22-March 2024
Healthcare provider liquidity crisis emerges as claims processing remains offline. AHA reports providers losing an average of $40 million per week per major health system. UnitedHealth Group launches a temporary funding assistance program that eventually advances roughly $9 billion to providers.
March 1, 2024
UnitedHealth Group pays ALPHV/BlackCat a reported $22 million ransom in Bitcoin. Days later, ALPHV operators reportedly exit-scam their own affiliate, keeping the full ransom and shutting down their infrastructure; the affiliate claims it still holds the stolen data.
April 2024
RansomHub (separate ransomware group) lists Change Healthcare data for sale, claiming it received the data from the original ALPHV affiliate after the exit scam. Second extortion attempt against UnitedHealth begins.
May 1, 2024
UnitedHealth CEO Andrew Witty testifies before Congress, confirming the ransom payment and detailing the breach scope. He discloses that the Citrix portal used for initial access lacked MFA.
July 2024
Change Healthcare begins individual breach notifications to affected patients. Initial estimates put the affected population at roughly one third of Americans; the count is later revised upward to ~190 million, potentially the largest healthcare breach in U.S. history.
January 2025
Change Healthcare confirms 190 million individual notification mailings completed. HHS OCR investigation continues.
2024-2026
UnitedHealth reports $2.8 billion in direct breach-related costs in 2024. Class action litigation consolidated in MDL. Healthcare industry undergoes structural review of single-vendor concentration risk in claims processing.
Total impact: ~190 million Americans affected (potentially largest U.S. healthcare breach in history), $22M ransom paid + $2.8B+ direct costs, double extortion via ALPHV affiliate exit scam, foundational precedent for healthcare concentration risk diligence.
Executive Lessons
Change Healthcare established the definitive case for why healthcare ransomware is a patient safety issue, not just an IT problem. Providers who could not submit claims could not sustain operations. Pharmacies that could not verify coverage could not dispense medications to patients who needed them. The $872 million in first-quarter costs to UHG, and the cascade of financial distress across thousands of independent providers, demonstrated that healthcare sector ransomware creates systemic economic disruption well beyond the direct victim. For PE sponsors with healthcare portfolio companies, ransomware preparedness is a portfolio-wide risk management obligation.
Private Equity Implications
For PE sponsors with healthcare portfolio companies, Change Healthcare represents three specific risk dimensions. Revenue cycle dependency — most healthcare providers rely on one or two clearinghouses for claims processing, and a disruption at any of those clearinghouses interrupts the revenue cycle of every dependent provider. Change Healthcare processed claims for organizations representing millions of patients; when it went offline, their revenue stopped. The second dimension is the regulatory environment created by the breach — HHS has indicated that covered entities are responsible for ensuring their business associates (including clearinghouses) maintain adequate security controls, creating a compliance and due diligence obligation that extends into the supply chain. The third dimension is the specific vulnerability that enabled the breach — remote access without MFA — which is common in healthcare IT environments that have been slower to modernize than financial services or technology sector companies.
How Cloudskope Can Help
Cloudskope's Healthcare Cyber Risk Assessment specifically evaluates remote access architecture, revenue cycle technology dependencies, and third-party vendor security posture — the three dimensions most directly implicated in the Change Healthcare breach. For PE sponsors with healthcare portfolio companies, our M&A Cyber Due Diligence program includes healthcare-specific risk assessment that maps vendor dependency concentration and evaluates the security controls protecting revenue-critical infrastructure.