Real-Case Analysis #2: Cyberattack on UnitedHealth

March 6, 2024
4 min


One of the biggest and most disruptive cyberattacks on the American healthcare sector occurred in February 2024, when ransomware hit Change Healthcare, a unit of UnitedHealth Group.

Image source : Investopedia


  • On February 21, 2024, the ransomware group ALPHV/BlackCat hit Change Healthcare's systems, which were taken offline and could no longer process medical claims, pharmacy orders, and payments.
  • "Change Healthcare processes around 15 billion healthcare transactions annually, touching 1 in every 3 patient records in the U.S."

Overview of the Cyberattack

The ransomware attack against Change Healthcare, a UnitedHealth company, was carried out by the cybercriminal gang ALPHV, also referred to as BlackCat. This kind of attack encrypts the victim's data and demands a ransom for the decryption key. Frequently it is combined with data theft, so that the attackers can also threaten to publish the stolen material if the ransom is not paid (so-called double extortion).

The hackers' first point of access was a Change Healthcare remote-access server on which multifactor authentication (MFA) was not enforced. This fundamental cybersecurity precaution might have stopped unauthorized access even with valid credentials in the attackers' hands. How the credentials or initial foothold were obtained had not been confirmed at the time of writing; phishing or exploitation of an unpatched vulnerability are the usual routes. Once inside, the attackers moved through the network and exfiltrated confidential data before launching the ransomware.

Change Healthcare took its systems offline on February 21, 2024, after detecting a cybersecurity threat; this is when the attack became visible. By February 26 the American Hospital Association had issued a public warning about the widespread impact. BlackCat claimed responsibility for the hack on February 28. By the beginning of March, UnitedHealth had reportedly sent the attackers $22 million in Bitcoin. Significant outages persisted into April despite UnitedHealth's efforts during March and April to reduce the impact of the attack and restore services, and full restoration was expected to take several months.

The attack was attributed to the financially motivated cybercriminal group ALPHV/BlackCat. Its principal aim is financial gain, achieved by extorting ransom payments from its victims. The group is well known for its ransomware-as-a-service (RaaS) business model, in which affiliates get access to its ransomware tooling in return for a cut of the ransom money. The attack on Change Healthcare was attractive for such a group because healthcare data sells well on the dark web and because the disrupted services were so critical that the chance of the ransom being paid was high.

Impact Analysis

Financial Impact

The financial impact of the cyberattack has been huge. According to UnitedHealth, the attack cost the corporation over $870 million in the first quarter of 2024 alone: nearly $600 million went toward system restoration and response measures, and the remainder was attributable to revenue loss and business interruption. The full-year cost is estimated at between $1.4 billion and $1.6 billion. On top of this, UnitedHealth paid the perpetrators a $22 million ransom in an attempt to stop the publication of stolen data. The long-term financial impact may be much greater; ongoing remediation, legal costs, and possible regulatory fines could increase the overall cost considerably.

Operational Impact

The attack significantly disrupted the U.S. healthcare system's operations. Every year, Change Healthcare handles more than 15 billion medical transactions. As a result of the attack, hospital, insurance, pharmacy, and medical group financial activities across the country were severely disrupted. Many healthcare providers experienced cash flow problems as a result of the disruption in payment and claims processing, and some smaller clinics experienced existential financial crises. Additionally, the attack caused a delay in patient care as medical professionals searched for ways to bypass the compromised systems. While UnitedHealth has been attempting to restore services, the process has been labor-intensive and slow; it is anticipated that several months will pass before full restoration occurs.

Lessons Learned

Following the cyberattack on UnitedHealth, here are the lessons learned:

Strengthening Cybersecurity Defenses

One of the main lessons from the UnitedHealth attack is that strong cybersecurity protections are essential. Multifactor authentication (MFA), a fundamental yet essential security mechanism, was not enforced on the Citrix remote access portal through which the attackers got in. To prevent unauthorized access, make sure MFA is enforced on every remote-access service reachable from the Internet (VPNs, Citrix and RDP gateways, web mail, cloud consoles), and verify this with an inventory of externally exposed services rather than assuming it. To identify and contain attacks quickly, companies should also invest in encryption, automated vulnerability scanning, patch management, endpoint behavioral anti-malware, and Endpoint Detection and Response (EDR).

Modernizing Legacy Systems

The attack brought attention to the weaknesses of legacy technologies. Change Healthcare's systems were not segmented from one another, some of them were old, and the ransomware was able to reach both the primary and the backup environments. Modernizing IT infrastructure, and in particular segmenting networks so that a foothold in one system does not give access to all of them, greatly increases resistance against attacks; cloud-based systems with integrated security features can help. For companies running outdated technology, updating needs to be a top priority.

Effective Backup and Recovery Strategies

The attack underlined the importance of reliable backup and recovery plans. UnitedHealth's insufficient backup procedures made it difficult to rebuild the encrypted systems. Following the 3-2-1 backup approach, which calls for three copies of the data on two distinct media with one copy off-site, makes quick recovery far more likely, provided that backups are regularly tested for integrity, malware, and actual restorability. Copies that the attacker cannot overwrite (offline or immutable storage) matter most: a backup that shares the network and credentials of the production systems will be encrypted together with them. Cloud disaster recovery services can add a further layer of protection.
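The following script, an added illustration rather than code from Change Healthcare or UnitedHealth, shows what "testing backups" means in practice for the 3-2-1 rule: each copy is hashed and compared against a digest recorded at backup time (assumed to be stored separately from the copies), and only copies whose bytes still match count toward the three-copies, two-media, one-off-site requirement. The backup copies and the ransomware scenario are constructed in memory; the copy names, media and the "immutable" flag are assumptions for the example.

```python
"""Evaluate a backup set against the 3-2-1 rule and verify each copy's content.

Added example, not code from Change Healthcare or UnitedHealth. The copies
are constructed in memory; in real use each copy's bytes would be read back
from its medium (or restored in a test) and hashed, and the expected digest
would come from a record kept separately from the backup copies themselves.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class BackupCopy:
    name: str
    medium: str        # e.g. "disk", "tape", "object-storage" (assumed labels)
    offsite: bool
    immutable: bool    # write-once / object-lock: ransomware cannot rewrite it
    content: bytes     # constructed stand-in for the bytes read from the copy


@dataclass
class Assessment:
    intact_copies: int
    media: set
    offsite_intact: int
    compliant: bool
    findings: list = field(default_factory=list)


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def assess(expected_digest: str, copies: list) -> Assessment:
    """Count only copies whose bytes still hash to the recorded digest.
    A copy that was encrypted or tampered with is reported, not counted."""
    intact, findings = [], []
    for c in copies:
        if digest(c.content) == expected_digest:
            intact.append(c)
        else:
            findings.append(f"{c.name}: digest mismatch (corrupted, encrypted or tampered)")
    media = {c.medium for c in intact}
    offsite = sum(1 for c in intact if c.offsite)
    if len(intact) < 3:
        findings.append(f"only {len(intact)} intact copies (need 3)")
    if len(media) < 2:
        findings.append(f"intact copies span {len(media)} medium type(s) (need 2)")
    if offsite < 1:
        findings.append("no intact off-site copy")
    if not any(c.immutable for c in intact):
        findings.append("no intact copy is immutable; a network-wide compromise could rewrite all of them")
    compliant = len(intact) >= 3 and len(media) >= 2 and offsite >= 1
    return Assessment(len(intact), media, offsite, compliant, findings)


# Constructed sample data standing in for a claims database dump.
GOOD = b"claims-db-2024-02-20.dump: 1042 claim records (constructed sample)"
GOOD_DIGEST = digest(GOOD)   # would be recorded at backup time, kept off the backup hosts


def healthy_set() -> list:
    """Three copies, two media (disk and tape), one off-site and immutable."""
    return [
        BackupCopy("primary-san", "disk", offsite=False, immutable=False, content=GOOD),
        BackupCopy("backup-nas", "disk", offsite=False, immutable=False, content=GOOD),
        BackupCopy("offsite-tape", "tape", offsite=True, immutable=True, content=GOOD),
    ]


def encrypted_set() -> list:
    """Simulate ransomware that reached both the primary storage and the backup NAS:
    their bytes are replaced with ciphertext, so only the off-site tape still verifies."""
    copies = healthy_set()
    for c in copies[:2]:
        c.content = bytes(b ^ 0x5A for b in c.content) + b".locked"
    return copies


if __name__ == "__main__":
    for label, copies in (("before attack", healthy_set()), ("after attack", encrypted_set())):
        result = assess(GOOD_DIGEST, copies)
        print(f"{label}: compliant={result.compliant}, intact={result.intact_copies}")
        for f in result.findings:
            print("  -", f)
```

The point of hashing rather than merely listing copies is that a backup job reporting "success" says nothing about whether the stored bytes are still the ones you need; in the simulated attack the set looks like three copies on paper but only the off-site, immutable tape would actually restore.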

Investing in Cyber Resilience Skills

Artificial intelligence (AI) and machine learning have contributed to the complexity of cyberattacks, making it necessary for all employees—from board members to frontline staff—to complete ongoing education and training. It is essential to regularly receive cybersecurity awareness training that covers the newest social engineering techniques, such as phishing and MFA fatigue attacks. To help with threat identification and response, organizations should also invest in innovative AI and ML capabilities. These tools offer analytical support for managing large amounts of threat intelligence.

Regulatory Compliance and Oversight

The attack led to intense regulatory scrutiny, including investigations by the Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS), among others. To avoid paying large fines and penalties, organizations must make sure they are in compliance with laws like the California Consumer Privacy Act (CCPA) and HIPAA. Regulatory risks can be reduced by proactive interaction with authorities and open communication regarding cybersecurity precautions and incident responses.


Here are the recommendations and actions UnitedHealth Group have implemented:

  • Credit Monitoring and Identity Theft Protection: For a period of two years, anybody who may have been impacted by the breach can take advantage of free credit monitoring and identity theft protection services provided by UnitedHealth. This includes having access to a special call center with licensed clinicians on site to offer assistance.
  • Dedicated Website and Call Center: To help those who have concerns about their personal data, a dedicated website and call center have been set up. The number to reach the call center is 1-866-262-5342.
  • Continued Data Examination: In order to identify and notify affected clients and individuals, UnitedHealth is carrying out a thorough examination of the data. Because of the complexity of the data involved, this process is expected to take several months.
  • Dark Web Monitoring: In order to identify any publication of stolen material, the company actively monitors the internet and dark web in collaboration with external industry specialists. There have only been 22 screenshots discovered on the dark web so far that contain personally identifiable information (PII) and protected health information (PHI), but no additional publications have been located.
  • Return to Normal of Services: When it comes to resuming Change Healthcare's services, UnitedHealth has made significant progress. Prioritized services like processing pharmacy claims, processing medical claims, and processing payments are getting close to pre-incident levels. It is anticipated that other systems will be fully restored in the upcoming weeks.
  • Breach Reporting and Notifications: In an effort to cut down on confusion and redundant work, UnitedHealth has offered to take care of its clients' breach reporting and notification needs. In order to guarantee adherence to health privacy rules, this involves corresponding with regulators and law enforcement.
  • Information on a Regular Basis: UnitedHealth is dedicated to giving regular information on the status of the investigation and the restoration of services. Keeping the public and stakeholders informed through press releases and specialized websites is part of this.

(Added the section "Recommendations" and updated on 2024-04-22 after reading the article UnitedHealth Group Updates on Change Healthcare Cyberattack)