In February 2024, **Change Healthcare**, a subsidiary of UnitedHealth Group, fell victim to a **ransomware attack** orchestrated by the **BlackCat (ALPHV) cybercrime group**. The breach compromised the **protected health information (PHI) of approximately 192.7 million individuals**, making it one of the largest healthcare data breaches in U.S. history.

The attack disrupted critical operations, including **pharmacy services, claims processing, and electronic prescribing systems**, causing widespread delays in patient care and financial transactions across the healthcare sector. The incident forced Change Healthcare to **shut down multiple systems** to contain the breach, leading to **operational outages** and **financial losses** for healthcare providers, pharmacies, and insurers reliant on its infrastructure. The company reportedly **paid a $22 million ransom** to restore systems, though data exfiltration had already occurred.

The breach exposed **sensitive patient data**, including medical records, insurance details, and personally identifiable information (PII), raising concerns over **long-term identity theft and fraud risks**. Regulatory investigations by the **U.S. Department of Health and Human Services (HHS)** and potential **class-action lawsuits** further compounded the fallout, underscoring systemic vulnerabilities in healthcare cybersecurity.

TPRM report: https://www.rankiteo.com/company/change-healthcare
{
  "id": "cha0555405090425",
  "linkid": "change-healthcare",
  "type": "Ransomware",
  "date": "2/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [
     {'customers_affected': '192.7 million individuals',
      'industry': 'Healthcare',
      'location': 'U.S.',
      'name': 'Change Healthcare',
      'type': 'Healthcare IT Company'},
     {'customers_affected': '23M+ individuals (H1 2025 breaches)',
      'industry': 'Healthcare',
      'location': 'U.S.',
      'name': 'U.S. Healthcare Providers (HHS Investigations)',
      'type': ['Hospitals', 'Clinics', 'Diagnostic Centers']},
     {'industry': 'Healthcare/Manufacturing',
      'location': 'Global',
      'name': 'Global Medical Device Manufacturers',
      'type': 'Medical Device OEMs'}],
 'attack_vector': [
     'Ransomware (e.g., Change Healthcare, Feb 2024)',
     'AI-driven automated attacks (phishing, vulnerability scanning)',
     'IoMT/Connected Device Exploitation',
     'Data Breaches (23M+ records in first 5 months of 2025)'],
 'customer_advisories': [
     'Change Healthcare patient notification (2024)',
     'General alerts from affected healthcare providers'],
 'data_breach': {
     'data_encryption': 'Lack of encryption cited as a vulnerability in breaches',
     'data_exfiltration': 'Confirmed in ransomware attacks (e.g., Change Healthcare)',
     'file_types_exposed': ['EHRs',
                            'Diagnostic images',
                            'Billing records',
                            'Device logs'],
     'number_of_records_exposed': '215.7M+ (aggregated from 2024–2025 incidents)',
     'personally_identifiable_information': 'Yes (names, SSNs, medical histories)',
     'sensitivity_of_data': 'High (health records, financial data, biometric data)',
     'type_of_data_compromised': [
         'Protected Health Information (PHI)',
         'Personally Identifiable Information (PII)',
         'Medical device operational data']},
 'date_publicly_disclosed': '2025-09-04',
 'description': 'The global medical device security market is experiencing rapid growth (CAGR 8.8%, 2025–2032) due to increasing cyberattacks on healthcare systems and IoT-enabled medical devices. Key incidents include the Change Healthcare ransomware attack (Feb 2024, 192.7M records compromised) and 307 HHS-investigated breaches in H1 2025. High implementation costs and AI-driven threats (e.g., automated phishing, ransomware) are major challenges, while AI-based security solutions (e.g., Health Catalyst’s BluePrint Protect™) and cloud-based protections are emerging trends. Regulatory compliance and IoMT expansion are driving demand for encryption, IAM, and endpoint security solutions.',
 'impact': {
     'brand_reputation_impact': [
         'Erosion of patient trust in digital health technologies',
         'Reputational damage to affected healthcare providers (e.g., Change Healthcare)'],
     'data_compromised': '215.7M+ records (Change Healthcare: 192.7M; H1 2025 breaches: 23M+)',
     'identity_theft_risk': 'High (PII/PHI exposure in 200M+ records)',
     'legal_liabilities': [
         'Potential HIPAA violations (U.S.) and GDPR (EU) fines',
         'Class-action lawsuits from affected patients'],
     'operational_impact': [
         'Disruption of patient care services (e.g., delayed diagnoses/treatments)',
         'Increased IT security overhead for healthcare providers',
         'Regulatory scrutiny and compliance burdens'],
     'systems_affected': [
         'IoT-enabled medical devices (wearables, implantables, diagnostic tools)',
         'Hospital networks and EHR systems',
         'Cloud-based healthcare platforms']},
 'initial_access_broker': {
     'backdoors_established': 'Likely in long-term campaigns (e.g., ransomware groups)',
     'data_sold_on_dark_web': 'Confirmed in multiple breaches (PHI/PII)',
     'entry_point': [
         'Exploited vulnerabilities in unpatched medical devices',
         'Phishing emails targeting healthcare employees',
         'Compromised third-party vendors (e.g., IT service providers)'],
     'high_value_targets': [
         'EHR systems',
         'Diagnostic imaging devices',
         'Insulin pumps/pacemakers (life-critical devices)']},
 'investigation_status': 'Ongoing (HHS investigations into 2025 breaches; market trends analysis)',
 'lessons_learned': [
     'IoMT devices require built-in security by design, not bolt-on solutions.',
     'AI-driven attacks necessitate AI-powered defense mechanisms.',
     'Legacy medical devices are high-risk targets; segmentation is critical.',
     'Regulatory compliance is a minimum baseline, not a substitute for proactive security.'],
 'motivation': [
     'Financial gain (ransomware, data theft for dark web sales)',
     'Espionage (theft of sensitive health data)',
     'Disruption of critical healthcare services'],
 'post_incident_analysis': {
     'corrective_actions': [
         'FDA’s 2023 cybersecurity requirements for new medical devices',
         'Adoption of ISS Secure Platform for Medical (ISS-SPM) by manufacturers',
         'Healthcare provider investments in AI-based security (e.g., BluePrint Protect™)'],
     'root_causes': [
         'Inadequate security-by-design in IoMT devices',
         'Delayed patch management for known vulnerabilities',
         'Over-reliance on perimeter security without segmentation',
         'Lack of AI-driven threat detection in legacy systems']},
 'ransomware': {
     'data_encryption': 'Used in Change Healthcare attack (Feb 2024)',
     'data_exfiltration': 'Double extortion tactic observed'},
 'recommendations': [
     'Adopt zero-trust architectures for medical device networks.',
     'Implement AI-based anomaly detection (e.g., Health Catalyst’s BluePrint Protect™).',
     'Prioritize encryption for data at rest and in transit in medical devices.',
     'Invest in employee training to counter AI-generated phishing attacks.',
     'Collaborate with cybersecurity firms for continuous threat intelligence sharing.'],
 'references': [
     {'date_accessed': '2025-09-04',
      'source': 'Coherent Market Insights (CMI)',
      'url': 'https://www.coherentmarketinsights.com/insight/request-sample/8415'},
     {'source': 'U.S. Department of Health and Human Services (HHS)',
      'url': 'https://www.hhs.gov'},
     {'date_accessed': '2024-11-01',
      'source': 'Health Catalyst Press Release (AI Cyber Protection Solution)'}],
 'regulatory_compliance': {
     'legal_actions': [
         'HHS investigations into 307 breaches (H1 2025)',
         'Potential class-action lawsuits'],
     'regulations_violated': [
         'HIPAA (U.S.)',
         'GDPR (EU)',
         'FDA medical device cybersecurity guidelines'],
     'regulatory_notifications': [
         'Mandatory breach reporting under HIPAA/GDPR',
         'FDA pre-market cybersecurity submissions for new devices']},
 'response': {
     'communication_strategy': [
         'Public disclosures (e.g., HHS breach reports)',
         'Patient notification campaigns (where applicable)'],
     'containment_measures': [
         'Deployment of AI-based threat detection (e.g., BluePrint Protect™)',
         'Network segmentation for IoMT devices',
         'Endpoint security upgrades'],
     'enhanced_monitoring': 'AI-driven real-time threat analysis',
     'network_segmentation': 'Prioritized for IoMT ecosystems',
     'remediation_measures': [
         'Patch management for vulnerable medical devices',
         'Enhanced IAM and encryption solutions',
         'Dark web monitoring for stolen data'],
     'third_party_assistance': [
         'Cybersecurity firms (e.g., INTEGRITY Security Services, Health Catalyst)',
         'Regulatory bodies (HHS, FDA, EU agencies)']},
 'stakeholder_advisories': [
     'FDA guidance on medical device cybersecurity (2023)',
     'HHS cybersecurity best practices for healthcare providers'],
 'threat_actor': [
     'Cybercriminal groups leveraging AI tools (e.g., Claude Code)',
     'Ransomware operators targeting healthcare (e.g., Change Healthcare attackers)',
     'Initial Access Brokers (IABs) selling medical device access on dark web'],
 'title': 'Rising Cyberattacks on IoT-Enabled Medical Devices Fueling Growth in Medical Device Security Market',
 'type': ['Cyberattack Trend Analysis', 'Market Growth Driver'],
 'vulnerability_exploited': [
     'Unsecured IoT/wearable medical devices (34.5% market share in 2025)',
     'Legacy system vulnerabilities in healthcare IT',
     'Lack of network segmentation in medical device ecosystems',
     'Weak identity and access management (IAM) protocols']}