Change Healthcare, a subsidiary of UnitedHealth, suffered a devastating cyberattack in 2024 carried out by affiliates of the ALPHV ransomware group. The attack resulted in the theft of sensitive data belonging to approximately **100 million Americans**, including personal, medical, and financial records. Beyond data exfiltration, the incident caused massive operational disruptions, crippling healthcare services nationwide. UnitedHealth reported cleanup costs exceeding **$2 billion** within a year, with severe financial strain on suppliers and providers. The breach exposed systemic cybersecurity negligence, leading to lawsuits and regulatory scrutiny. The attack’s ripple effects extended to delayed treatments, financial losses for healthcare entities, and long-term reputational damage to UnitedHealth. The incident underscored the vulnerability of critical healthcare infrastructure to ransomware. Attackers have shown no remorse despite life-threatening consequences for patients, as in Qilin’s later ransomware strike on London hospitals, which disrupted cancer surgeries and was linked to at least one confirmed death.
Source: https://www.theregister.com/2025/09/18/850k_americans_affected_by_medical/
TPRM report: https://www.rankiteo.com/company/change-healthcare
{
  "id": "cha0892008100325",
  "linkid": "change-healthcare",
  "type": "Ransomware",
  "date": "6/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 456385,
'industry': 'Healthcare',
'location': 'North Carolina, USA',
'name': 'Goshen Medical Center',
'type': 'Healthcare Provider'},
{'customers_affected': 153429,
'industry': 'Healthcare (Ophthalmology)',
'location': 'Florida, USA (22 locations across east, '
'west, and gulf coasts)',
'name': 'Retina Group of Florida',
'type': 'Healthcare Provider'},
{'customers_affected': 246711,
'industry': 'Healthcare',
'location': 'Brevard, Florida, USA',
'name': 'Medical Associates of Brevard (MAB)',
'type': 'Healthcare Provider'}],
'customer_advisories': ['Credit monitoring services offered',
'Breach letters mailed to victims'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': 855787,
'personally_identifiable_information': True,
'sensitivity_of_data': ['High (PII, PHI, financial data)'],
'type_of_data_compromised': ['Personal Information (names, '
'dates of birth)',
'Social Security Numbers (SSNs)',
'Driver’s License/State ID '
'Numbers',
'Medical Record Numbers',
'Medical Treatment Information',
'Health Insurance Information',
'Financial Account Information '
'(limited subset at MAB)']},
'date_detected': ['2024-03-04 (Goshen Medical Center)',
'2024-11-09 (Retina Group of Florida)'],
'date_publicly_disclosed': ['2024-09-16 (Retina Group of Florida)'],
'description': 'Cybercriminals executed three major digital burglaries at US '
'healthcare providers—Goshen Medical Center (North Carolina), '
'Retina Group of Florida, and Medical Associates of Brevard '
'(Florida)—compromising the personal and medical data of '
'nearly 855,787 Americans within a week. The breaches exposed '
'sensitive information including SSNs, driver’s license '
'numbers, medical records, and financial data. While '
'healthcare delivery was reportedly unaffected, the incidents '
'underscore the persistent targeting of the sector by threat '
'actors, with historical parallels to high-impact attacks like '
'the 2024 Change Healthcare breach (100M records, $2B+ costs) '
'and Qilin’s ransomware assault on London hospitals (resulting '
'in delayed surgeries and a confirmed death).',
'impact': {'brand_reputation_impact': ['High (massive breaches in healthcare '
'sector)',
'Credit monitoring offered to 855,787 '
'individuals'],
'customer_complaints': ['Potential lawsuits (e.g., Levi & '
'Korsinsky investigating Retina Group of '
'Florida)'],
'data_compromised': True,
'identity_theft_risk': ['High (SSNs, driver’s license numbers, '
'medical records exposed)'],
'legal_liabilities': ['Potential lawsuits',
'Regulatory notifications to state attorneys '
'general and HHS'],
'operational_impact': 'None reported (healthcare delivery '
'unaffected)',
'payment_information_risk': ['Limited subset of 246,711 '
'individuals (Medical Associates of '
'Brevard)']},
'initial_access_broker': {'data_sold_on_dark_web': ['Potential (historical '
'context suggests dark '
'web sales)'],
'high_value_targets': ['PII, PHI, financial data'],
'reconnaissance_period': ['~1 month (Goshen: Feb '
'15–Mar 4 detection)']},
'investigation_status': ['Ongoing (e.g., Retina Group of Florida under legal '
'scrutiny)'],
'lessons_learned': ['Healthcare sector remains a prime target for '
'cybercriminals due to high-value data.',
'Delayed detection (e.g., Goshen’s 1-month gap) '
'exacerbates exposure risks.',
'Proactive monitoring and rapid response are critical to '
'mitigating impact.',
'Credit monitoring is now standard but insufficient for '
'long-term trust restoration.'],
'motivation': ['Data Theft', 'Financial Gain (potential sale on dark web)'],
'post_incident_analysis': {'corrective_actions': ['Mandatory credit '
'monitoring for victims',
'Regulatory filings and '
'legal disclosures',
'Potential '
'litigation-driven security '
'overhauls (e.g., Retina '
'Group of Florida)'],
'root_causes': ['Inadequate intrusion detection '
'(delayed breach discovery)',
'Likely exploitation of unpatched '
'vulnerabilities or phishing',
'Insufficient segmentation of '
'sensitive data']},
'ransomware': {'data_exfiltration': True},
'recommendations': ['Enhance intrusion detection systems to reduce dwell '
'time.',
'Implement stricter access controls for high-value data '
'(e.g., SSNs, PHI).',
'Conduct regular third-party security audits to identify '
'vulnerabilities.',
'Develop incident response playbooks tailored to '
'healthcare-specific threats.',
'Invest in employee training to recognize phishing/social '
'engineering attacks.'],
'references': [{'source': 'The Register'},
{'source': 'Goshen Medical Center Breach Notice'},
{'date_accessed': '2024-09-16',
'source': 'Retina Group of Florida HHS Filing'},
{'source': 'Medical Associates of Brevard Breach Letter (PDF)'},
{'source': 'Levi & Korsinsky Law Firm Investigation'}],
'regulatory_compliance': {'legal_actions': ['Investigation by law firms '
'(e.g., Levi & Korsinsky for '
'Retina Group of Florida)'],
'regulations_violated': ['Potential HIPAA '
'violations (PHI '
'exposure)'],
'regulatory_notifications': ['State attorneys '
'general',
'Department of Health '
'and Human Services '
'(HHS)']},
'response': {'communication_strategy': ['Breach notification letters to '
'affected individuals',
'Public disclosures (e.g., Retina '
'Group’s report to state AGs and HHS)',
'PDF letter posted on MAB’s website'],
'incident_response_plan_activated': True,
'remediation_measures': ['Credit monitoring and identity '
'protection services offered to all '
'855,787 affected individuals']},
'stakeholder_advisories': ['Breach notifications to state AGs, HHS, and '
'affected individuals'],
'title': 'Massive Healthcare Data Breaches Affecting Nearly a Million '
'Americans in Three Separate Incidents',
'type': ['Data Breach', 'Unauthorized Access']}