Cyber-attack Timeline: Change Healthcare

Educational and easy-to-consume visual guides to understanding attacks and enhancing resilience


Download Our Educational Cyber-Attack Timeline: Change Healthcare Ransomware Attack

There are ransomware attacks, and then there are thick plots that contain overwhelming lessons and unprecedented events. This ransomware attack timeline is one of them. Change Healthcare was hacked in February 2024 and has since been embroiled in a string of newsworthy incidents.

Ransom demands have been met, disgruntled ransomware affiliates have emerged, and new hacking groups have threatened to leak data. This attack timeline contains resounding lessons on how cyber incident response must be handled and why rehearsing for the worst-case scenario with Cyber Crisis Tabletop Exercises is so essential. This is a ransomware attack timeline you simply cannot miss!

Don't forget to read our blog on the Change Healthcare Ransomware Attack.

Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.

  • GDPR: We wholeheartedly believe in your and our rights to privacy and in the GDPR. The bottom of the page explains how we use your data.
  • Align with the GDPR requirements.
  • Increase your breach readiness.
  • Reduce your time to detect and respond.

Complete the form below to receive a copy of the detailed Change Healthcare attack document and timeline.


Change Healthcare Cyber Attack FAQs

  • 1. What happened in the Change Healthcare cyber attack?

    On 21 February 2024, Change Healthcare — a US healthcare technology and payments company owned by UnitedHealth Group’s Optum — was hit by a ransomware attack that forced it to disconnect its systems. Because Change Healthcare processes a large share of US medical claims, prescriptions and payments, the outage cascaded across pharmacies, hospitals and providers nationwide, leaving many unable to fill prescriptions, submit insurance claims or collect payments for weeks. It is widely regarded as one of the most disruptive cyber attacks ever to hit the US healthcare system.

  • 2. When did the Change Healthcare cyber attack take place?

    Change Healthcare first disclosed the network interruption on 21 February 2024 and disconnected its systems the same day. UnitedHealth Group confirmed the attack in an SEC filing on 22 February. Services were restored in phases through March 2024 — electronic prescribing around 7 March, the payments platform around 15 March and medical claims from around 18 March — while the wider fallout, including regulatory investigations and a second data-leak threat, continued into April 2024 and beyond.

  • 3. What is Change Healthcare and who owns it?

    Change Healthcare is a US healthcare technology company headquartered in Nashville, Tennessee, that handles analytics, data exchange and payment processing connecting providers, payers and patients. Its network reaches a vast portion of the US health system — hundreds of thousands of physicians, tens of thousands of pharmacies and thousands of hospitals. It is owned by UnitedHealth Group, which acquired it through its Optum / OptumInsight unit in a deal valued at around $13 billion, completed in October 2022.

  • 4. Who was behind the Change Healthcare cyber attack?

    Change Healthcare confirmed the attack was carried out by a cybercrime group that identified itself as ALPHV, also known as BlackCat — a ransomware-as-a-service operation. An early SEC filing had described the attackers as suspected ‘nation-state’ hackers, but the attribution settled on ALPHV/BlackCat. Later, a second extortion gang calling itself RansomHub also claimed to hold stolen Change Healthcare data, in an apparent double-extortion follow-on.

  • 5. Did Change Healthcare pay a ransom?

    Yes. Change Healthcare later confirmed that a ransom was paid, saying it did so to protect patient data from disclosure. Blockchain researchers had earlier traced a payment of around 350 bitcoins — roughly $22 million at the time — to a wallet linked to ALPHV/BlackCat, after an affiliate publicly complained the gang had cheated them out of their share. UK and US authorities generally discourage ransom payments, as they fund further attacks and do not guarantee data is protected, as the later RansomHub extortion attempt illustrated.

  • 6. How much data was stolen in the Change Healthcare breach?

    The full scale was still being assessed at the time of reporting, but it was substantial. An ALPHV affiliate claimed around 6 TB of sensitive data had been taken, and UnitedHealth Group warned that files containing protected health information (PHI) or personally identifiable information (PII) could cover a ‘substantial proportion of people in America’. The company said it had not, at that point, seen evidence that full medical histories or doctors’ charts were among the exfiltrated data.

  • 7. What was the impact on pharmacies, patients and providers?

    The disruption was felt nationwide. Pharmacies — including major chains such as CVS, and all US military pharmacies served by Tricare — could not process insurance claims or discount cards, and many had to fill prescriptions manually or take cash. Hospitals and doctors could not collect payments, and many patients were left paying out of pocket, unable to use coupons, or unable to get refills at all. Because most patients did not know their claims ran through Change Healthcare, many only discovered the impact when something failed.

  • 8. How did the attack affect prescriptions and claims processing?

    Change Healthcare sits between providers, pharmacies and insurers to determine coverage and process payments, so taking it offline broke that chain. Prescriptions could not be billed to insurance, claims could not be submitted or paid, and discount programmes stopped working. UnitedHealth deployed workarounds and reimbursement assurances, and at one stage reported that around 90% of claims were flowing through temporary solutions while full restoration continued.

  • 9. How long did the disruption last and how did recovery progress?

    Acute pharmacy disruption ran for around ten days before key services began coming back. UnitedHealth restored electronic prescribing around 7 March 2024, the electronic payments platform around 15 March, and began re-establishing medical claims connectivity from around 18 March, with restoration continuing in phases. The company said full recovery of the medical-claims network would take longer than the pharmacy network, and advanced more than $2 billion to providers whose finances were disrupted.

  • 10. What was the RansomHub double-extortion threat?

    In April 2024, after the ALPHV ransom episode, a second gang calling itself RansomHub published files on its dark web leak site said to contain patients’ billing, insurance and medical information, plus contracts between Change Healthcare and its partners. RansomHub threatened to sell the data unless it was paid — a classic double-extortion follow-on that underlined a key risk of paying ransoms: doing so does not guarantee stolen data is actually destroyed.

  • 11. How did Change Healthcare, UnitedHealth and the government respond?

    Change Healthcare disconnected systems, engaged law enforcement and the consultancies Mandiant and Palo Alto Networks, deployed workarounds and provided over $2 billion in provider funding. The American Hospital Association advised members to disconnect from Optum, and some health systems blocked UnitedHealth domains as a precaution. The US Department of Health and Human Services’ Office for Civil Rights opened a HIPAA investigation, CISA and lawmakers pressed UnitedHealth over transparency, and dozens of class-action lawsuits were consolidated in a federal court in Tennessee.

  • 12. What can organisations learn from the Change Healthcare attack?

    The Change Healthcare incident shows how the compromise of one deeply embedded provider can paralyse an entire sector and threaten patient safety far beyond data loss. The key lessons are the importance of mapping single points of failure and third-party concentration risk, maintaining tested incident response plans and manual fallback processes, and weighing the real limits of ransom payments — which did not prevent a second extortion attempt here. Cyber Management Alliance helps organisations build these capabilities through training, cyber crisis tabletop exercises and incident response planning.

We are industry-experienced practitioners when it comes to cyber security training and cyber security consultancy services


Training

We offer a host of courses including our NCSC Assured Training in Cyber Incident Planning and Response and our NCSC Assured Training in Building and Optimising Incident Response Playbooks.


Virtual CISO Services

Hands-on, full-support 'Security as a Service', specifically designed for organisations that require access to experienced cybersecurity, governance, risk and compliance professionals.


Virtual Cyber Assistant

A unique, affordable, subscription-based, cybersecurity service for small to medium businesses, offering 280+ services in cybersecurity.


Cyber Crisis Tabletop Exercises

Scenario-based, verbally-simulated tabletop attack exercises that test your organisation's ability to effectively respond to a cyber-attack.


Ransomware Tabletop Exercise

Measure your organisation’s Ransomware Readiness with a unique blend of verbal and visual simulations and ransomware scenario walkthroughs.


Executive Cyber Awareness Sessions

Specially designed for executive management, CEOs and boards of directors, engaging them in a business context to help explain the threats and risks from cyber-attacks.

How we use your data:

  • The form above collects personal information so that we may email you the requested information, and pressing the "Get your free copy now" button acts as informed consent for this processing purpose. Consequently, we may be in touch to:

    • Update you when we host our ground-breaking Wisdom of Crowds events in your country or region.
    • Keep you posted on free resources and documents around Wisdom of Crowds events and their outputs. (For example, we tend to create insightful mind maps, and we are also the creators of the free-to-view Insights with Cyber Leaders video interviews.)
    • Ping you a note about upcoming FREE educational webinars on GDPR and cybersecurity.
    • Inform you of any upcoming Data Breach Response or Cyber Incident Response training.
  • Using the information from this page, we will NOT sell or market to you any of our consultancy or trusted advisory services.
  • In its purest interpretation, this act of us communicating with you is direct marketing and is processed on the basis of our legitimate interest and your engagement with our services. All marketing communication will include an unsubscribe button or another method of ending communication.