Unisami AI News

How the ransomware attack at Change Healthcare went down: A timeline

January 27, 2025 | by AI



The Largest Health Data Breach in U.S. History

In February 2024, a ransomware attack on UnitedHealth-owned Change Healthcare rocked the U.S. healthcare system. This wasn’t just another cyberattack—it was a seismic event that exposed the personal and medical data of 190 million Americans, nearly double the initial estimate. The fallout? A wake-up call for the entire healthcare industry.

The Day Everything Changed

It started like any other Wednesday. But on February 21, 2024, billing systems across doctors’ offices and healthcare practices ground to a halt. Insurance claims stopped processing. Change Healthcare’s status page lit up with outage notifications. The company confirmed it was facing a “network interruption related to a cybersecurity issue.” Translation: They were under attack.

“The outage was sudden. It was chaos.”

— Anonymous Healthcare Provider

How the Hackers Got In

The hackers, later identified as the Russian-speaking ransomware gang ALPHV/BlackCat, infiltrated Change Healthcare’s systems on or around February 12. They exploited a single password on a user account lacking multi-factor authentication—a basic security measure. Once inside, they moved freely through poorly segmented IT systems, stealing sensitive data and wreaking havoc.

  • February 21: Change Healthcare shuts down its network to isolate intruders.
  • February 29: UnitedHealth confirms the attack was carried out by ALPHV/BlackCat.
  • March 3: ALPHV takes the $22 million ransom payment and disappears.

The Domino Effect

The attack didn’t just hit Change Healthcare—it crippled the entire healthcare sector. Pharmacies couldn’t fill prescriptions. Patients paid out of pocket. Military health provider TRICARE reported global disruptions. The American Medical Association criticized UnitedHealth for its lack of transparency, as the outages continued to ripple across the industry.

“This wasn’t just a breach—it was a systemic failure.”

— Cybersecurity Expert

Double Extortion: A New Low

By mid-April, the aggrieved ALPHV affiliate resurfaced as RansomHub, demanding a second ransom. They published a portion of the stolen files as proof of their threat. This tactic, known as double extortion, is a grim reminder of why paying ransoms is a dangerous game.

  • April 22: UnitedHealth confirms the breach affects a “substantial proportion of people in America.”
  • June 20: Change Healthcare begins notifying affected individuals.

The Aftermath: A Breach of Epic Proportions

By late 2025, the scale of the breach became clear. 190 million Americans—more than half the U.S. population—had their private health information stolen. The breach exposed medical records, diagnoses, medications, test results, and even financial information. Nebraska filed a lawsuit against Change Healthcare, accusing the company of security failings that allowed the breach to occur.

“This was entirely preventable. Multi-factor authentication could have stopped it.”

— Andrew Witty, CEO of UnitedHealth Group

Lessons Learned

The Change Healthcare breach is a stark reminder of the vulnerabilities in our healthcare system. It underscores the importance of:

  • Multi-factor authentication: A simple step that could have prevented the breach.
  • Better IT segmentation: Limiting hackers’ ability to move freely within systems.
  • Transparency: Keeping stakeholders informed during a crisis.
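The first two lessons can be turned into checks a defender runs on their own environment. The following is an added example (it is not code from the article or from any of the companies it mentions) using constructed, hypothetical account records and zone names. It flags accounts that can log in remotely with only a password, and it models zone-to-zone allow rules as a graph to compute how far an intruder with a single stolen password could move, before and after segmentation with MFA step-up at zone boundaries.

```python
"""Posture checks for two of the lessons above: remote-access accounts without
MFA, and the blast radius of a flat network. All data is constructed."""
from collections import deque

# Constructed sample account export (hypothetical users, not real data).
ACCOUNTS = [
    {"user": "alice", "remote_access": True, "mfa_enabled": True},
    {"user": "vendor-svc", "remote_access": True, "mfa_enabled": False},
    {"user": "bob", "remote_access": False, "mfa_enabled": False},
    {"user": "ops-admin", "remote_access": True, "mfa_enabled": False,
     "privileged": True},
]


def accounts_missing_mfa(accounts):
    """Return users who can log in remotely with only a password, the kind of
    single-password foothold described in the article. Privileged accounts
    are listed first because they matter most."""
    findings = [a for a in accounts
                if a["remote_access"] and not a["mfa_enabled"]]
    findings.sort(key=lambda a: (not a.get("privileged", False), a["user"]))
    return [a["user"] for a in findings]


# Constructed allow rules: (source_zone, destination_zone, mfa_required).
# mfa_required=True models an MFA step-up at the zone boundary (for example
# a jump host or privileged-access gateway). Zone names are hypothetical.
FLAT_RULES = [
    ("vpn", "corp", False), ("corp", "claims", False),
    ("corp", "phi-db", False), ("claims", "phi-db", False),
    ("corp", "backup", False),
]
SEGMENTED_RULES = [
    ("vpn", "jump", True), ("jump", "claims", False),
    ("claims", "phi-db", True),
]


def reachable_zones(rules, start, attacker_has_mfa=False):
    """Breadth-first search over the allow-rule graph: every zone an intruder
    holding a foothold in `start` can reach by chaining permitted connections.
    Edges that require MFA are only crossed when the intruder can satisfy it."""
    adj = {}
    for src, dst, needs_mfa in rules:
        if attacker_has_mfa or not needs_mfa:
            adj.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adj.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return sorted(seen)


def blast_radius_report(rules, entry_zone, crown_jewels, attacker_has_mfa=False):
    """Summarise which high-value zones a foothold in entry_zone exposes."""
    reach = set(reachable_zones(rules, entry_zone, attacker_has_mfa))
    return {
        "reachable": sorted(reach),
        "exposed_crown_jewels": sorted(reach & set(crown_jewels)),
    }


if __name__ == "__main__":
    print("remote accounts without MFA:", accounts_missing_mfa(ACCOUNTS))
    jewels = ["phi-db", "backup"]
    print("flat network, stolen password:",
          blast_radius_report(FLAT_RULES, "vpn", jewels))
    print("segmented network, stolen password:",
          blast_radius_report(SEGMENTED_RULES, "vpn", jewels))
    print("segmented network, jump host compromised:",
          blast_radius_report(SEGMENTED_RULES, "jump", jewels))
```

In the flat model a single stolen password on the VPN reaches every zone, including the record store and backups; in the segmented model the same password reaches nothing, and even a compromised jump host stops short of the record store because that boundary demands a second factor. Real environments have far more zones and rule sources, but the same graph walk over an exported rule set is a useful first-pass audit.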

As the dust settles, one thing is clear: The healthcare industry must prioritize cybersecurity to protect the sensitive data of millions. The stakes are too high to ignore.


Image Credit: cottonbro studio on Pexels
