The ransomware attack on Change Healthcare, a subsidiary of UnitedHealth, has officially become the largest medical data breach in United States history. As of January 2025, the company confirmed that approximately 190 million individuals—more than half the U.S. population—had their sensitive personal and health information compromised. This massive disclosure follows nearly a year of escalating revelations regarding the company’s security failures and the subsequent extortion crisis.
February 2024: The System Collapse
The crisis began on February 21, 2024, when billing and insurance processing systems across the U.S. healthcare sector abruptly went offline. Change Healthcare, which handles roughly half of all health transactions in the country, was forced to shut down its entire network to contain an intruder. Investigators later determined that the initial unauthorized access occurred on or around February 12.
By February 29, UnitedHealth acknowledged that the incident was a ransomware attack orchestrated by the Russian-speaking cybercriminal group ALPHV, also known as BlackCat. The shift from a suspected nation-state attack to a financially motivated ransomware operation signaled a major escalation in the threat to patient privacy.
The $22 Million Ransom and Betrayal
In a controversial move, UnitedHealth paid a $22 million ransom to the attackers in early March. However, the situation deteriorated rapidly when the ALPHV leadership executed an “exit scam,” stealing the ransom payment from their own affiliate and leaving the stolen data in that affiliate’s hands. Despite the payment, the data remained compromised.

Escalating Extortion: The RansomHub Incident
The affiliate responsible for the initial breach later formed a new group called RansomHub. They demanded a second ransom, threatening to release the sensitive files—a practice known as “double extortion.” By mid-April, they began publishing proof of the stolen data, which included medical records, diagnoses, and treatment plans.
Security Negligence: A Preventable Disaster
During a Congressional hearing on May 1, 2024, UnitedHealth CEO Andrew Witty admitted that the breach was facilitated by a glaring security oversight: the hackers gained access through a single account that lacked multi-factor authentication (MFA). This revelation sparked outrage, as it confirmed that one of the largest data breaches in history was entirely preventable.

Legal and Regulatory Fallout
By December 2024, the state of Nebraska filed a lawsuit against Change Healthcare, citing “poorly segmented IT systems” that allowed attackers to move freely through the company’s network. The complaint highlighted that the initial entry point was the compromised account of a “low-level customer support employee.”
The company has since been notifying affected individuals via mail and maintains a public notice portal for those who could not be reached directly. The U.S. Department of Health and Human Services continues to monitor the situation as the final scale of the impact becomes clear, with the current estimate of 190 million victims casting a long shadow over the future of healthcare data security.
