Decoding the Change Healthcare Cyberattack: Insights into the Attack and a Strategy for Stronger Defense

In February 2024 the U.S. healthcare system was hit by a major ransomware attack on Change Healthcare, a critical subsidiary of UnitedHealth Group’s Optum. The attack disrupted patient care and financial transactions nationwide, delaying medication access and payments for more than 1.6 million healthcare professionals, 70,000 pharmacies, and 8,000 facilities.

Who’s Behind the Screen Causing All This Cyber Chaos? 

Cybercrooks in hoodies, a disgruntled employee with a vendetta, or maybe just a bored raccoon with opposable thumbs? Place your bets on who masterminded this cyberattack as we walk through the twisted events! 

The attack was initially claimed by ALPHV/BlackCat, which said it had stolen 6 TB of patient data and which received a $22 million ransom payment. A second group, RansomHub, later emerged demanding an additional payment, posting a message that ALPHV had kept the entire $22 million and never paid its affiliates. The incident highlights how exposed healthcare is, and the fallout shows how law enforcement pressure can reshape ransomware operations without removing the threat: reports of dissatisfied affiliates such as “Notchy” seeking new alliances mean the same operators simply regroup under a new banner. Healthcare organizations cannot wait for takedowns; they need stronger defenses of their own.

Timeline of the Cyber Mayhem 


What Exactly Happened?

In his testimony, UnitedHealth Group CEO Andrew Witty confirmed that the visible phase of the cyberattack on Change Healthcare began on the morning of February 21, 2024, when the threat actors started encrypting systems and locked employees out. Witty disclosed that the attackers had already been inside the network for nine days: on February 12, 2024, they logged in remotely to Change Healthcare’s Citrix portal using compromised employee credentials. The portal did not enforce multi-factor authentication (MFA), so a stolen password alone was enough. From that foothold the attackers moved laterally through the network, exfiltrated data, and finally deployed ransomware.

Hudson Rock’s database adds a troubling detail: it records an employee whose machine was infected by an infostealer in February 2024, with harvested Citrix credentials that fit the incident timeline. The Citrix URL tied to Change Healthcare was identified as remoteapps[.]changehealthcare[.]com/vpn/index[.]html; the portal no longer appears to be functional. Alarmingly, the same URL was documented in an employee file publicly accessible on Scribd, handing an attacker both the door and the address. An infostealer log holding the password for a remote-access portal that lacks MFA is a complete initial-access kit, which is why monitoring for leaked corporate credentials and containing lateral movement inside the network matter as much as the perimeter itself.


The Impact

A survey conducted by the American Medical Association (AMA) revealed the wide blast radius of the Change Healthcare cyber incident. The percentages of surveyed practices affected speak for themselves:

  • 36% have seen claims payments suspended
  • 32% have not been able to submit claims
  • 39% have not been able to obtain electronic remittance advice
  • 77% of respondents said they experienced service disruptions
  • 80% of providers said they lost revenue from unpaid claims
  • 78% lost revenue from claims that they have been unable to submit
  • 55% have used personal funds to cover expenses incurred as a result of the attack

Per the data breach notification, a substantial cache of sensitive information was compromised, encompassing:

  • Health insurance details, including primary, secondary, or other health plans/policies, insurance company information, member/group ID numbers, and Medicaid, Medicare, and other government payor ID numbers.
  • Health information, comprising medical record numbers, healthcare providers, diagnoses, medications, test results, medical images, care, and treatment.
  • Billing, claims, and payment information, including claim numbers, account identifiers, billing codes, payment card details, financial and banking information, transaction histories, payments processed, and outstanding balances.
  • Other personal information, including Social Security numbers, driver’s license or state ID numbers, and passport numbers.

How Could This Disaster Have Been Averted? 

As Witty testified: “The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.”

The first failure was the missing MFA on an internet-facing remote access portal; that control alone would have made the stolen password useless. But the damage came from what followed: nine days of unchecked lateral movement and data exfiltration before the ransomware was deployed. Had measures been in place to halt lateral movement, and had the organization been ‘Breach Ready’, a single compromised login would have stayed a contained incident rather than a nationwide outage. ColorTokens Xshield™ addresses exactly this stage by implementing micro-segmentation and Zero Trust principles: workloads and network segments communicate only over explicitly allowed paths, so a foothold on a remote access host cannot reach the sensitive systems and data that sit elsewhere in the network. This would have hindered the attackers’ ability to navigate the network and exfiltrate information once initial access was obtained. Furthermore, the continuous monitoring and policy enforcement capabilities of Xshield™ would have surfaced the signs of the intrusion, such as denied access attempts from the compromised host and unusual outbound data transfers, before they evolved into a full-scale ransomware incident.
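
The following is an added example, not code from the original article and not ColorTokens’ Xshield™ product: a toy default-deny micro-segmentation policy evaluated against constructed flow records, with a simple egress-volume alert standing in for the “unusual data transfers” monitoring described above. The segment ranges, hosts, ports, byte threshold and flows are all hypothetical and were constructed for this illustration.

```python
"""Toy zero-trust micro-segmentation check: default-deny policy over flow records.

Added illustration only; the segments, hosts, ports, threshold and flows below are
hypothetical and constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical segments: which subnet each class of asset lives in.
SEGMENTS = {
    "remote-access": ip_network("10.10.0.0/24"),      # Citrix/VPN landing zone
    "user-workstations": ip_network("10.20.0.0/16"),
    "app": ip_network("10.30.0.0/24"),
    "claims-db": ip_network("10.40.0.0/24"),
    "file-servers": ip_network("10.50.0.0/24"),
}

# Allow-list keyed by (source segment, destination segment) -> permitted destination
# ports. Any (src, dst, port) not listed here is denied: that default-deny posture is
# what stops a foothold in one segment from reaching the others.
ALLOW = {
    ("remote-access", "app"): {443},
    ("user-workstations", "app"): {443},
    ("user-workstations", "external"): {80, 443},
    ("app", "claims-db"): {1433},
    ("user-workstations", "file-servers"): {445},
}

# Permitted egress above this many bytes in one flow raises an alert (hypothetical value).
EGRESS_BYTES_THRESHOLD = 500 * 1024 ** 2


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def segment_of(ip: str) -> str:
    """Map an IP to its segment name; anything outside the known subnets is 'external'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) where verdict is 'allow', 'deny' or 'alert'."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    permitted = ALLOW.get((src_seg, dst_seg), set())
    if flow.dport not in permitted:
        return "deny", f"{src_seg} -> {dst_seg}:{flow.dport} is not on the allow-list"
    if dst_seg == "external" and flow.bytes_out > EGRESS_BYTES_THRESHOLD:
        return "alert", f"permitted path, but {flow.bytes_out} bytes egress exceeds threshold"
    return "allow", f"{src_seg} -> {dst_seg}:{flow.dport} is on the allow-list"


def triage(flows: list[Flow]) -> list[tuple[Flow, str, str]]:
    """Evaluate every flow; the denied and alerted ones are what the SOC should look at."""
    return [(f, *evaluate(f)) for f in flows]


# Constructed flow records modelled on the attack path described in the article:
# a compromised remote-access session probing sensitive systems, then bulk egress.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.30.0.10", 443, 20_000),           # portal host -> app: expected
    Flow("10.10.0.5", "10.40.0.7", 1433, 4_096),            # portal host -> claims DB: lateral movement
    Flow("10.10.0.5", "10.50.0.3", 445, 8_192),             # portal host -> file server: lateral movement
    Flow("10.20.4.17", "10.20.9.44", 3389, 1_024),          # workstation -> workstation RDP: lateral movement
    Flow("10.20.4.17", "203.0.113.9", 443, 6 * 1024 ** 3),  # workstation -> internet, 6 GiB: exfiltration
    Flow("10.30.0.10", "10.40.0.7", 1433, 70_000),          # app -> claims DB: expected
]

if __name__ == "__main__":
    for flow, verdict, reason in triage(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

Run against the constructed flows, the three probes from the portal host and workstation are denied and the 6 GiB upload is allowed by policy but alerted on, which is the split between enforcement and monitoring the passage above describes. A real enforcement point (host agent, host firewall or switch ACL) would drop the denied flows rather than report them, and the egress threshold would be a per-host baseline rather than a constant.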

Ultimately, proactive defenses such as those in Xshield™ would have greatly reduced the impact of this kind of sophisticated cyberattack, potentially saving the organization from both ransom payments and reputational damage. Contact us now to start your journey towards stronger protection and peace of mind.