The Change Healthcare Cyberattack: What Happened, Who Was Impacted, and What It Means for Healthcare

Quick Summary of Change Healthcare Debacle

On Wednesday, February 21, 2024, Change Healthcare—a subsidiary of UnitedHealth Group (UHG)—suffered a major cyberattack that disrupted healthcare operations nationwide. UnitedHealth Group processes more than 15 billion claims annually, representing approximately $1.5 trillion in medical claims, and Change Healthcare is estimated to provide clearinghouse services to nearly 50% of all healthcare providers in the United States.

An attack of this scale was not just a single-company incident—it became a real-world stress test for the healthcare system itself. Understanding who was impacted, how the breach occurred, and what has happened since is critical for evaluating whether healthcare is meaningfully more secure today than it was before the attack.

How Did the Breach Occur?


Following the February 21 attack, the House Energy and Commerce Committee launched an investigation into the incident. Early findings revealed that the breach stemmed from a lack of multifactor authentication on certain critical systems. This security gap allowed attackers to gain access to sensitive infrastructure, ultimately exposing the personal health information of an estimated one-third of Americans. Despite UnitedHealth Group paying a reported $22 million ransom, the company has acknowledged that it cannot guarantee that the stolen data will not be leaked or misused in the future. Federal agencies and industry partners have since worked to contain the damage, support affected individuals, and reassess cybersecurity controls across the healthcare sector.

Patients Were Affected First—and Longest


While hospitals and providers faced operational disruptions, patients experienced immediate, personal consequences. Many were unable to fill prescriptions at pharmacies, while others faced delays in care. The more enduring harm lies in the exposure of personal health information. Medical identity theft has long been a target for cybercriminals, enabling fraudulent billing, false referrals, and financial crimes unrelated to healthcare. Studies indicate that many patients are unaware that their data has been compromised, and the average cost to resolve medical identity theft can exceed $13,500.

For Medicare beneficiaries and fixed-income patients, this financial burden is often unrealistic.


Chronological Updates of Breach


Q2 2024 Update on Change Healthcare


By mid-2024, it became clear that the situation was more complex than initially understood. The original February attack was attributed to the ALPHV (also known as BlackCat) ransomware group. However, a second ransomware group, RansomHub, later claimed it had access to the same stolen data and issued additional ransom demands. These developments intensified operational strain across the healthcare sector. Hospitals and providers reported prolonged claims processing delays, cash flow interruptions, and downstream impacts on patient care. Approximately 74% of hospitals reported negative effects on patient care, while 94% reported financial distress as a direct result of the disruption.


Optum’s Role and Market Implications

Optum, another UnitedHealth Group subsidiary, announced financial assistance programs for affected providers—an action some viewed as necessary stabilization and others as an effort to prevent customer attrition. Whether these measures are sufficient to preserve long-term trust and market share remains to be seen.


Organizational Impacts

CMS Intervention and Financial Relief Efforts


To address the widespread disruption, the Centers for Medicare & Medicaid Services (CMS) implemented the Change Healthcare/Optum Payment Disruption (CHOPD) program. This initiative provided accelerated and advanced payments to healthcare providers affected by the outage.



The CHOPD program concluded on July 12, 2024, having distributed more than $3.2 billion in relief payments to over 8,900 providers and suppliers. While the program helped stabilize cash flow in the short term, it did not resolve longer-term operational or security concerns.

Legal and Financial Fallout



Multiple lawsuits have since been filed against Change Healthcare, focusing on the financial, operational, and reputational damage suffered by hospitals and providers. These cases are expected to take years to resolve and may ultimately shape future expectations around cybersecurity accountability in healthcare.


UnitedHealth Group has also established financial assistance programs to help offset provider losses, though questions remain about whether these measures adequately compensate for prolonged disruptions and administrative burden.

Operational Disruptions Across Healthcare


The cyberattack disrupted far more than claims submission. Pharmacy services, eligibility verification, prior authorization workflows, and payment processing were all impacted. For many organizations, the outage exposed a lack of redundancy and contingency planning within core revenue-cycle infrastructure. CMS’s emergency payment programs helped mitigate immediate harm, but they did not address systemic dependence on centralized clearinghouse infrastructure.

Notifications, Data Exposure, and Security Measures


Change Healthcare began notifying customers and providers about compromised data in the months following the attack. Notifications to affected individuals were expected to be mailed by late July 2024. The Department of Health and Human Services (HHS) has remained involved in oversight and breach notification compliance. The long-term risk associated with the exposure of protected health information remains significant, particularly given the scale of the data involved.

The Cost of the Response


UnitedHealth Group has since revised its financial estimates for responding to the cyberattack. The total cost is now projected to fall between $2.3 billion and $2.45 billion, substantially higher than earlier projections. These figures include remediation efforts, business disruption, provider support, and long-term security investments.

Systemic Wake-Up Call for Healthcare


The Change Healthcare cyberattack was not simply a failure of one organization’s security controls; it exposed a structural vulnerability across the U.S. healthcare system. When a single clearinghouse processes such a significant share of the nation’s claims, eligibility checks, and payment workflows, an outage of this magnitude becomes a national healthcare event rather than a corporate incident.


The attack demonstrated how deeply healthcare operations depend on centralized infrastructure and how quickly disruptions cascade across providers, pharmacies, payers, and patients. While emergency actions by CMS and financial relief efforts helped stabilize short-term cash flow, they did not address the underlying risks related to concentration, redundancy, and cybersecurity governance.


For providers and payers alike, the long-term implications extend beyond financial loss. The exposure of protected health information, the operational paralysis hospitals face, and the prolonged uncertainty patients experience underscore the need for stronger security standards, layered contingency planning, and greater transparency and accountability across healthcare technology vendors.


Ultimately, this incident should be viewed as a warning rather than an anomaly. Cyber threats targeting healthcare are becoming more sophisticated, more coordinated, and more damaging. Preventing future disruptions will require not only improved technical safeguards, such as multifactor authentication and segmentation, but also systemic changes in how critical healthcare infrastructure is designed, regulated, and monitored.


Whether sufficient lessons have been learned remains an open question. What is clear is that healthcare cannot afford to treat this event as an isolated failure. The resilience of the entire system depends on what changes follow.
