
Change Healthcare Breach: The Largest Healthcare Data Breach in History

Healthcare system disruption and data breach

On February 21, a ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group that processes approximately 15 billion healthcare transactions annually, brought healthcare claims processing across the United States to a halt. Pharmacies couldn't process prescriptions. Providers couldn't submit claims. Revenue cycle management ground to a stop.

This isn't just a data breach. It's a systemic failure that has affected nearly every healthcare provider in America.

The Scale

  • 100+ million patients' data potentially compromised
  • $22 million ransom reportedly paid by UnitedHealth Group
  • Weeks of claims processing disruption nationwide
  • $1+ billion estimated total cost to UnitedHealth Group
  • Every healthcare vertical affected: dental, medical, behavioral health, pharmacy

What Happened

The ALPHV/BlackCat ransomware group gained access to Change Healthcare's systems through compromised credentials on a Citrix remote access portal that lacked multi-factor authentication. Once inside, they exfiltrated data for nine days before deploying ransomware.

A Citrix portal. Without MFA. Processing 15 billion healthcare transactions per year.

Eight years of this blog. Eight years of saying "enable MFA." The largest healthcare breach in history was caused by its absence on a single access point.

Impact on Practices

Claims Processing

Practices that rely on Change Healthcare for claims submission and payment processing have been unable to bill insurance companies. Cash flow disruptions have been severe, particularly for small practices with limited reserves.

Prescription Processing

Pharmacies using Change Healthcare's systems couldn't verify insurance coverage or process claims, leading to delays in patient prescriptions.

Data Exposure

The stolen data potentially includes patient names, addresses, dates of birth, SSNs, insurance information, clinical data, and billing records. If your practice submitted claims through Change Healthcare, your patients' data may be affected.

What to Do

  1. Assess your exposure. Does your practice use Change Healthcare directly or through a clearinghouse? Contact your billing service to determine your exposure.
  2. Monitor for notification. UnitedHealth Group is required to notify affected individuals. Monitor their website and communications for updates.
  3. Prepare for patient questions. Patients will ask whether their data was compromised. Have a response ready that's honest about what you know and don't know.
  4. Diversify your clearinghouse. Single points of failure in your revenue cycle are business risks. Consider using multiple clearinghouses.
  5. Review your own access controls. If Change Healthcare can be breached through a Citrix portal without MFA, audit your own remote access for the same vulnerability.
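For step 5, an added example (not code from this blog or from any vendor): a Python check that reads exported authentication events and lists every remote access portal that accepted a successful login with fewer than two factors, including the case where a portal enforces MFA for most users but exempts one account. The JSON field names, hostnames and sample events are constructed for illustration; map them to whatever your gateway or identity provider actually exports.

```python
import json
from collections import defaultdict

# Constructed sample events (one JSON object per line). The field names and
# hostnames are assumptions for this example, not a real product's log format.
SAMPLE_EVENTS = """\
{"ts":"2024-01-08T09:14:02Z","portal":"vpn.example.test","user":"jlee","result":"success","factors":["password","totp"]}
{"ts":"2024-01-08T09:20:41Z","portal":"remote-desktop.example.test","user":"billing-svc","result":"success","factors":["password"]}
{"ts":"2024-01-08T09:22:10Z","portal":"remote-desktop.example.test","user":"mgarcia","result":"failure","factors":["password"]}
{"ts":"2024-01-08T10:02:55Z","portal":"remote-desktop.example.test","user":"mgarcia","result":"success","factors":["password","push"]}
{"ts":"2024-01-08T11:47:19Z","portal":"webmail.example.test","user":"jlee","result":"success"}
not-json line left by a log rotation
"""


def audit_single_factor_logins(raw):
    """Return ({portal: [users]}, skipped_lines) for successful logins that
    presented fewer than two distinct authentication factors."""
    gaps = defaultdict(set)
    skipped = 0
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count unparseable lines so holes in the data are visible
            continue
        if not isinstance(event, dict) or event.get("result") != "success":
            continue
        factors = event.get("factors")
        if not isinstance(factors, list):
            factors = []  # missing or malformed factor data counts as a gap, not a pass
        if len({str(f).lower() for f in factors}) < 2:
            portal = event.get("portal", "<unknown portal>")
            gaps[portal].add(event.get("user", "<unknown user>"))
    return {p: sorted(u) for p, u in sorted(gaps.items())}, skipped


if __name__ == "__main__":
    findings, skipped = audit_single_factor_logins(SAMPLE_EVENTS)
    for portal, users in findings.items():
        print(f"{portal}: single-factor logins accepted for {', '.join(users)}")
    print(f"{skipped} line(s) could not be parsed")
```

Working from login evidence rather than the configured policy catches portals and exempted accounts that the policy screen says are covered.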

One missing MFA configuration. 100 million patients affected. There is no stronger argument for the fundamentals.