Educational & easy-to-consume visual guides to understanding attacks & enhancing resilience
There are ransomware attacks and then there are thick plots that contain overwhelming lessons & unprecedented events. This Ransomware Attack timeline is one of them. Change Healthcare was hacked in February and since then has been embroiled in a string of newsworthy incidents.
Ransom demands have been met, disgruntled ransomware affiliates have emerged, as have new hacking groups threatening to leak data. This attack timeline contains resounding lessons on how Cyber Incident Response must be handled and why rehearsing for the worst-case scenario with Cyber Crisis Tabletop Exercises is so essential. This is a ransomware attack timeline you simply cannot miss!
Don't forget to read our blog on the Change Healthcare Ransomware Attack.
Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.
On 21 February 2024, Change Healthcare — a US healthcare technology and payments company owned by UnitedHealth Group’s Optum — was hit by a ransomware attack that forced it to disconnect its systems. Because Change Healthcare processes a large share of US medical claims, prescriptions and payments, the outage cascaded across pharmacies, hospitals and providers nationwide, leaving many unable to fill prescriptions, submit insurance claims or collect payments for weeks. It is widely regarded as one of the most disruptive cyber attacks ever to hit the US healthcare system.
Change Healthcare first disclosed the network interruption on 21 February 2024 and disconnected its systems the same day. UnitedHealth Group confirmed the attack in an SEC filing on 22 February. Services were restored in phases through March 2024 — electronic prescribing around 7 March, the payments platform around 15 March and medical claims from around 18 March — while the wider fallout, including regulatory investigations and a second data-leak threat, continued into April 2024 and beyond.
Change Healthcare is a US healthcare technology company headquartered in Nashville, Tennessee, that handles analytics, data exchange and payment processing connecting providers, payers and patients. Its network reaches a vast portion of the US health system — hundreds of thousands of physicians, tens of thousands of pharmacies and thousands of hospitals. It is owned by UnitedHealth Group, which acquired it through its Optum / OptumInsight unit in a deal valued at around $13 billion, completed in October 2022.
Change Healthcare confirmed the attack was carried out by a cybercrime group that identified itself as ALPHV, also known as BlackCat — a ransomware-as-a-service operation. An early SEC filing had described the attackers as suspected ‘nation-state’ hackers, but the attribution settled on ALPHV/BlackCat. Later, a second extortion gang calling itself RansomHub also claimed to hold stolen Change Healthcare data, in an apparent double-extortion follow-on.
Yes. Change Healthcare later confirmed that a ransom was paid, saying it did so to protect patient data from disclosure. Blockchain researchers had earlier traced a payment of around 350 bitcoins — roughly $22 million at the time — to a wallet linked to ALPHV/BlackCat, after an affiliate publicly complained the gang had cheated them out of their share. UK and US authorities generally discourage ransom payments: they fund further attacks and do not guarantee that data is protected, as the later RansomHub extortion attempt illustrated.
The full scale was still being assessed at the time of reporting, but it was substantial. An ALPHV affiliate claimed around 6 TB of sensitive data had been taken, and UnitedHealth Group warned that files containing protected health information (PHI) or personally identifiable information (PII) could cover a ‘substantial proportion of people in America’. The company said it had not, at that point, seen evidence that full medical histories or doctors’ charts were among the exfiltrated data.
The disruption was felt nationwide. Pharmacies — including major chains such as CVS, and all US military pharmacies served by Tricare — could not process insurance claims or discount cards, and many had to fill prescriptions manually or take cash. Hospitals and doctors could not collect payments, and many patients were left paying out of pocket, unable to use coupons, or unable to get refills at all. Because most patients did not know their claims ran through Change Healthcare, many only discovered the impact when something failed.
Change Healthcare sits between providers, pharmacies and insurers to determine coverage and process payments, so taking it offline broke that chain. Prescriptions could not be billed to insurance, claims could not be submitted or paid, and discount programmes stopped working. UnitedHealth deployed workarounds and reimbursement assurances, and at one stage reported that around 90% of claims were flowing through temporary solutions while full restoration continued.
Acute pharmacy disruption ran for around ten days before key services began coming back. UnitedHealth restored electronic prescribing around 7 March 2024, the electronic payments platform around 15 March, and began re-establishing medical claims connectivity from around 18 March, with restoration continuing in phases. The company said full recovery of the medical-claims network would take longer than the pharmacy network, and advanced more than $2 billion to providers whose finances were disrupted.
In April 2024, after the ALPHV ransom episode, a second gang calling itself RansomHub published files on its dark web leak site said to contain patients’ billing, insurance and medical information, plus contracts between Change Healthcare and its partners. RansomHub threatened to sell the data unless it was paid — a classic double-extortion follow-on that underlined a key risk of paying ransoms: doing so does not guarantee stolen data is actually destroyed.
Change Healthcare disconnected systems, engaged law enforcement and the consultancies Mandiant and Palo Alto Networks, deployed workarounds and provided over $2 billion in provider funding. The American Hospital Association advised members to disconnect from Optum, and some health systems blocked UnitedHealth domains as a precaution. The US Department of Health and Human Services’ Office for Civil Rights opened a HIPAA investigation, CISA and lawmakers pressed UnitedHealth over transparency, and dozens of class-action lawsuits were consolidated in a federal court in Tennessee.
The Change Healthcare incident shows how the compromise of one deeply embedded provider can paralyse an entire sector and threaten patient safety far beyond data loss. The key lessons are the importance of mapping single points of failure and third-party concentration risk, maintaining tested incident response plans and manual fallback processes, and weighing the real limits of ransom payments — which did not prevent a second extortion attempt here. Cyber Management Alliance helps organisations build these capabilities through training, cyber crisis tabletop exercises and incident response planning.
We offer a host of courses including our NCSC Assured Training in Cyber Incident Planning and Response and our NCSC Assured Training in Building and Optimising Incident Response Playbooks.
Hands-on, full-support 'Security As a Service', specifically designed for organisations that require access to experienced cybersecurity, governance, risk and compliance professionals.
A unique, affordable, subscription-based, cybersecurity service for small to medium businesses, offering 280+ services in cybersecurity.
Scenario-based, verbally-simulated tabletop attack exercises that test your organisation's ability to effectively respond to a cyber-attack.