How the ransomware attack at Change Healthcare went down: A timeline

The ransomware attack on Change Healthcare, a health tech subsidiary of UnitedHealth, is one of the largest breaches of U.S. health data to date. Initial reports surfaced in February 2024, revealing widespread outages and disruptions across healthcare services as Change Healthcare’s systems failed. The company, which processes a substantial share of U.S. healthcare transactions, shut down its entire network after identifying intruders in its systems around February 12. This caused immediate chaos across the healthcare sector, affecting billing systems, pharmacy services, and insurance claims nationwide.

On February 29, UnitedHealth identified the attackers as the ALPHV/BlackCat ransomware gang, shifting the attribution from a possible state-sponsored operation to a financially motivated criminal group. This escalated concerns about the security of the sensitive medical and personal data involved. The gang claimed responsibility on a dark web site, asserting that it had stolen millions of individuals’ health records.

By early March, UnitedHealth had reportedly paid a ransom of $22 million to the hackers. However, ALPHV appeared to go dark after the payment, and an associated affiliate claimed to still hold the stolen data and used it to make further extortion threats. As the breach continued to evolve, officials at Change Healthcare and UnitedHealth grappled with the aftermath, including ongoing service disruptions for patients who depend on pharmacy and insurance processing systems.

Although Change Healthcare obtained a “safe” copy of the data on March 13, efforts to assess the exposure and notify affected individuals were hampered by the sheer scale of the breach. On March 28, the U.S. government increased its bounty for information about the ransomware gang, signalling concern that the published data could harm affected individuals. As the situation dragged on, disillusionment grew within the healthcare community over UnitedHealth’s communication about the crisis, evidenced by mounting complaints from medical practitioners and professional associations.

The severity of the incident became clearer with UnitedHealth’s April update confirming that sensitive health data had in fact been compromised, affecting a “substantial proportion of people in America.” The breach was indicated to reach over 100 million citizens and to encompass a wide array of confidential information, including medical histories and treatment plans.

By May, the chief executive of UnitedHealth disclosed that basic cybersecurity measures had been neglected, identifying the lack of multi-factor authentication as the primary weakness exploited by the attackers. This admission underscored that the breach was preventable and that the healthcare sector needs stronger security controls to safeguard patient data.

As June approached, Change Healthcare began meeting its legal obligation to notify affected individuals of the breach, though the size of the dataset made this difficult. Law enforcement interventions suggested an effort to streamline the notification process, especially for smaller healthcare providers overwhelmed by the situation.

In late July, formal notifications began, with Change Healthcare informing individuals about the specific data stolen, though the details were expected to vary from person to person. By October, official reports confirmed that at least 100 million individuals had been affected, making it a historic data theft within the U.S. healthcare system.

The episode exposed vulnerabilities and operational weaknesses in the healthcare sector’s data security practices and raised alarms about the consequences for affected individuals. As the fallout continued, the implications of the breach extended beyond immediate patient privacy concerns, potentially leading to incremental regulatory changes and a reevaluation of cybersecurity strategies across the industry. The incident serves as both a stark reminder and a call to action for stronger preventive measures against future cyber threats in healthcare.
