Ransomware attack pathway identified by Change Healthcare in latest incident
UnitedHealth Group's Response to AlphV Ransomware Attack on Change Healthcare
UnitedHealth Group, the parent company of Change Healthcare, has been dealing with the aftermath of a significant cyberattack that occurred in February 2024. The attack, carried out by the AlphV (BlackCat) ransomware group, has caused widespread disruption to healthcare services across the nation.
In response to the attack, UnitedHealth Group has established a safe restore point for the restoration of data and systems. A phased reconnection and testing of Change Healthcare's claims systems are scheduled for completion next week.
The investigation into the attack is being led by the U.S. Department of Health and Human Services (HHS), with the aim of determining if protected health information was stolen and if Change Healthcare complied with privacy and security requirements. UnitedHealth Group reported the breach to HHS, signaling federal involvement and regulatory investigation.
The cyberattack was first detected on UnitedHealth Group's systems on February 21. The source of the intrusion was traced back to Change Healthcare's system. Mandiant and Palo Alto Networks are assisting with the forensic analysis of the attack on Change Healthcare's system. However, UnitedHealth Group has declined to identify the attack vector.
The AlphV ransomware group demanded a $22 million ransom, which was paid by UnitedHealth Group. Despite the payment, data was not deleted as promised; instead, the AlphV group pulled an exit scam and disappeared with the ransom. Subsequently, the affiliate who carried out the attack reportedly passed the stolen data (4TB) to another ransomware group called RansomHub, which demanded an additional ransom and threatened to leak the data if unpaid.
The breach has affected nearly 193 million individuals, making it the largest healthcare data breach in the United States. With potentially up to one in three Americans' protected health information exposed, the breach and its repercussions have been a matter of significant concern.
The outage caused by the cyberattack against Change Healthcare's system has lasted for over three weeks. UnitedHealth Group will share more details about the attack in the coming days.
The cybersecurity landscape for healthcare remains volatile, with other ransomware groups such as Embargo continuing to target healthcare providers with extortion and complex money-laundering schemes. Corporate stakeholders are seeking to better understand the risk calculus of their technology stacks in the face of these threats.
As of August 2025, these details represent the current known status of the situation. The restoration of UnitedHealth Group's systems and the resolution of the data breach are ongoing.
UnitedHealth Group, acknowledging the privacy implications of the AlphV ransomware attack, is conducting an investigation to determine whether protected health information was stolen, with its compliance with privacy and security requirements under scrutiny. To address the ransomware attack, UnitedHealth Group has engaged Mandiant and Palo Alto Networks to assist with the forensic analysis of Change Healthcare's compromised system. Despite paying the initial ransom demanded by AlphV, UnitedHealth Group faces an additional threat from another ransomware group, RansomHub, which now possesses the stolen data and has demanded a further ransom, highlighting the volatile and complex nature of today's cybersecurity landscape in healthcare technology.