Earlier this year, a massive ransomware attack targeted Change Healthcare, a health tech company owned by UnitedHealth, marking one of the largest breaches of medical data in U.S. history. Months later, a significant number of Americans are receiving notifications that their personal and medical information was compromised in the cyberattack.
Change Healthcare handles billing and insurance processing for hundreds of thousands of hospitals, pharmacies, and medical practices across the United States, making it one of the largest processors of sensitive patient data in the country. Following a series of mergers and acquisitions, the company now manages a substantial portion of U.S. health transactions.
Here’s a timeline of events surrounding the ransomware attack.
**February 21, 2024: Initial Outages and Security Incident**
On February 21, an unexpected outage disrupted billing systems and insurance claim processing across healthcare practices. Change Healthcare’s status page was flooded with notifications about widespread outages, later attributed to a “cybersecurity issue.” The company quickly invoked security protocols and shut down its entire network to isolate the intruders, leading to extensive disruptions across the U.S. healthcare sector. It was later discovered that the hackers had infiltrated the system over a week earlier, around February 12.
**February 29, 2024: Ransomware Attack Confirmed**
UnitedHealth initially suspected a state-sponsored attack but later confirmed on February 29 that a ransomware gang was responsible. The cybercriminals, identifying themselves as ALPHV/BlackCat, claimed to have stolen sensitive health and patient information from millions of Americans.
**March 3-5, 2024: Ransom Paid, Hackers Disappear**
In early March, UnitedHealth paid a $22 million ransom to the hackers. Shortly after, the ALPHV ransomware gang disappeared, with their dark web leak site replaced by a seizure notice. However, authorities denied taking down the gang, leading to speculation that the cybercriminals had vanished with the ransom, leaving the stolen data behind.
**March 13, 2024: Continued Disruptions Across Healthcare**
Weeks into the attack, disruptions persisted, affecting military pharmacies and other healthcare providers. Change Healthcare finally received a “safe” copy of the stolen data on March 13, allowing the company to begin identifying and notifying affected individuals.
**April 15, 2024: New Ransom Demands**
By mid-April, a disgruntled affiliate of the original hackers formed a new ransomware group called RansomHub and demanded another ransom from UnitedHealth. They published a portion of the stolen data as proof of their threat.
**April 22, 2024: Confirmation of Massive Data Breach**
On April 22, UnitedHealth confirmed that a “substantial proportion of people in America” were affected by the data breach, which included highly sensitive information such as medical records, diagnoses, and personal data.
**June 20, 2024: Notification of Affected Individuals**
Change Healthcare began the process of notifying affected individuals on June 20, a task complicated by the vast amount of stolen data. The U.S. Department of Health and Human Services also stepped in to assist smaller healthcare providers impacted by the breach.
**July 29, 2024: Letters Sent to Affected Individuals**
By late July, Change Healthcare started sending letters to those whose data was compromised, detailing the types of information stolen, including medical, insurance, and financial data.
