
SandBoxed

Vol. 2

$22 Million Paid, 100 Million Exposed: The Change Healthcare Cyber Crisis

A Breach of Trust and Infrastructure: The Cybersecurity Failures Behind the Change Healthcare Attack

Healthcare organizations provide essential services while safeguarding vast amounts of sensitive patient information, and that combination makes them prime targets for cyberattacks.

In February 2024, Change Healthcare, one of the largest healthcare payment and transaction processors in the U.S. and a subsidiary of UnitedHealth Group, suffered a devastating ransomware attack carried out by an affiliate of ALPHV/BlackCat, a Russian-speaking Ransomware-as-a-Service (RaaS) operation. The breach exposed sensitive patient data, including Protected Health Information (PHI), Social Security numbers (SSNs) and other personally identifiable information (PII). The attackers took advantage of weak security practices, most notably the absence of multi-factor authentication (MFA) on a remote access portal, and the incident contributed to losses exceeding $1 billion for UnitedHealth.

To elaborate: the attackers first obtained valid login credentials for Change Healthcare's Citrix remote access portal, an interface that lets authorized users reach a company's internal systems and files from outside the office. How the credentials were obtained has not been stated publicly; phishing, purchase on the dark web and info-stealer malware are the usual routes. The portal did not require MFA, so a stolen password alone was enough to get in, and no security alert was raised when it was used. From February 12 the attackers spent nine days inside the network undetected, performing reconnaissance, escalating privileges and moving laterally, helped by the lack of network segmentation (the practice of dividing a network into smaller, isolated segments so that a compromise of one cannot spread freely to the rest). During that time they exfiltrated terabytes of sensitive data, including medical diagnoses, payment and insurance records and government-issued IDs; with no real-time Data Loss Prevention (DLP) monitoring in place, the transfer went unnoticed.
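What the missing alert could have looked like, as an added example that is not code from the newsletter, Change Healthcare or UnitedHealth: a small Python rule that reads remote-access portal login records and flags any successful login that used a single factor or came from a source address never seen for that user. The record format, user names, IP addresses and the known-sources baseline are all constructed for illustration; a real Citrix Gateway deployment would need a parser for its own log format.

```python
"""Flag risky logins to a remote-access portal.

Added example, not code from the newsletter or from Change Healthcare/UHG.
The record format below is constructed for illustration only.
"""
from dataclasses import dataclass

# Constructed sample records: one login attempt per line.
# mfa=none means the portal accepted a password alone.
SAMPLE_LOGS = [
    "2024-02-12T03:14:07Z user=jdoe src=203.0.113.45 result=success mfa=none",
    "2024-02-12T08:02:11Z user=asmith src=198.51.100.7 result=success mfa=push",
    "2024-02-12T08:05:42Z user=jdoe src=198.51.100.22 result=success mfa=none",
    "2024-02-12T09:11:00Z user=bwong src=192.0.2.10 result=failure mfa=none",
    "2024-02-12T09:11:30Z user=bwong src=192.0.2.10 result=success mfa=totp",
]

# Constructed baseline: source addresses each user has logged in from before.
KNOWN_SOURCES = {
    "jdoe": {"198.51.100.22"},
    "asmith": {"198.51.100.7"},
    "bwong": {"192.0.2.10"},
}


@dataclass
class LoginEvent:
    ts: str
    user: str
    src: str
    result: str
    mfa: str


@dataclass
class Alert:
    ts: str
    user: str
    src: str
    reasons: list
    severity: str


def parse_line(line: str) -> LoginEvent:
    """Parse 'timestamp key=value key=value ...' into a LoginEvent."""
    ts, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return LoginEvent(ts, kv["user"], kv["src"], kv["result"], kv["mfa"])


def evaluate(lines, known_sources) -> list:
    """Return an Alert for every successful login that is single-factor,
    comes from an unknown source for that user, or both."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.result != "success":
            continue  # failed attempts belong to a separate brute-force rule
        reasons = []
        if ev.mfa == "none":
            reasons.append("single-factor login to remote-access portal")
        if ev.src not in known_sources.get(ev.user, set()):
            reasons.append(f"first-seen source address {ev.src} for {ev.user}")
        if not reasons:
            continue
        # Both conditions together match the pattern described in the article:
        # stolen password, no second factor, attacker's own network.
        severity = "high" if len(reasons) == 2 else "medium"
        alerts.append(Alert(ev.ts, ev.user, ev.src, reasons, severity))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOGS, KNOWN_SOURCES):
        print(f"[{alert.severity}] {alert.ts} {alert.user} from {alert.src}: "
              + "; ".join(alert.reasons))
```

Detection like this is the safety net, not the fix: the portal itself should refuse a password-only login, and a rule of this kind exists to make any exception visible, such as an account exempted from MFA or a misconfigured authentication policy. The `high` alert in the sample, a password-only login from an address the user has never used, is exactly the kind of event the article says produced no alert at Change Healthcare.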

Finally, on February 21, the attackers encrypted critical systems and demanded a ransom. UnitedHealth paid $22 million in Bitcoin. Paying did not end the matter: the affiliate that carried out the intrusion claimed it never received its share of the payment from ALPHV, and the stolen data later surfaced on the dark web. Around 100 million individuals were affected. An organization of this size should have recognized that even the smallest crack can bring down the strongest wall.

From Prescriptions to Profits: How One Ransomware Attack Disrupted an Entire Healthcare Economy

6TB of personal data — stolen in a matter of days.

The 2024 Change Healthcare ransomware attack was like no other. Its repercussions were severe—both financially and reputationally—for one of the most critical players in the U.S. healthcare infrastructure.

UnitedHealth confirmed paying a $22 million ransom to the ALPHV/BlackCat ransomware group. It disclosed $872 million in costs tied to the attack in its first-quarter results, with the full-year impact then projected at well over $1 billion, and reported advancing more than $2 billion to affected healthcare providers to keep them solvent. The impact rippled across the sector, causing mass disruptions in billing, insurance eligibility checks and prescription processing.

Many institutions fell back to pen-and-paper workflows. Lawsuits were filed, trust was broken and operational chaos ensued. Revenue pipelines for hospitals and pharmacies were choked, not only because Change Healthcare's systems were offline but because partners cut their own connections to it as a precaution against further exposure.

Nearly all pharmacies connected to Change Healthcare—around 33,000 across the U.S.—experienced shutdowns or delays in insurance verification. With backend systems disabled, prescription bottlenecks became the norm, and surgical procedures were postponed. Insurance claims couldn’t be processed. Eligibility couldn’t be confirmed. Patients were left to pay out-of-pocket, wait indefinitely, or go untreated.

Reputationally, UHG was shaken. Its executives had little to offer beyond financial compensation, and money does not restore lost trust. UHG's share price fell noticeably in the weeks after the attack (late February to March 2024), and the entire healthcare sector was forced to reckon with its digital fragility. Even industry giants were now under pressure to strengthen cyber risk management and business continuity planning.

As the world races toward digital transformation, the healthcare sector is no exception. But are we truly moving forward if the systems designed to protect life can be taken down in a matter of days?

This attack wasn’t just a warning for Change Healthcare—or even just for healthcare. It was a wake-up call for entire economies.

Decode the Phrase

Fdhqjh khdowkfduh orvw pruh wkdq gdwd—lw zdv wuxoob d fubswlf dwwdfn.
(Hint: this is a Caesar cipher; shift each letter back by 3.)

Answer: Change healthcare lost more than data—it was truly a cryptic attack.

The SandBoxed Cartoon

[Four-panel comic, frames 1 to 4; images not reproduced]