
The Change Healthcare Ransomware Attack: How One Missing Control Crippled a Nation

In February 2024, the United States experienced the largest healthcare data breach in its history: a single ransomware attack that exposed nearly 200 million people’s medical and personal information and disrupted hospitals, pharmacies, and insurers across the country.

  • This wasn’t a sophisticated zero-day exploit.
  • It wasn’t a nation-state superweapon.
  • It wasn’t an AI-powered cyber-apocalypse.

It was a single stolen password and a remote access system with no MFA.

The Change Healthcare attack is the clearest demonstration yet of how fragile critical infrastructure becomes when identity security is treated as optional.

How the Attack Happened

The attackers, the ALPHV/BlackCat ransomware group, gained access through a Citrix remote access portal that was protected only by a username and password. No MFA. No conditional access. No behavioural analytics.

Once inside, they spent nine days moving laterally, escalating privileges, and exfiltrating data. By the time Change Healthcare detected the intrusion, the attackers had already stolen around 4 terabytes of sensitive information.

This included:

  • medical records
  • insurance data
  • patient demographics
  • internal operational data
  • financial information

Only after the data was safely exfiltrated did the attackers deploy ransomware across critical systems.

The National Fallout

Change Healthcare sits at the centre of the U.S. healthcare ecosystem. When they shut down their systems to contain the attack, the consequences were immediate and nationwide:

  • Pharmacies couldn’t process prescriptions
  • Hospitals couldn’t verify insurance
  • Doctors couldn’t submit claims
  • Payments to providers stopped
  • Patients were turned away or forced to pay out of pocket

This wasn’t just a cyber incident; it was a systemic failure that exposed how deeply interconnected and dependent modern healthcare has become.

The Ransom and the Double-Cross

UnitedHealth, Change Healthcare’s parent company, paid a $22 million ransom in an attempt to recover systems and prevent data release.

But the story didn’t end there.

ALPHV’s leadership stole the ransom from their own affiliate, who then retaliated by leaking more data and partnering with another extortion group, RansomHub, to demand a second payment.

The lesson was brutal but clear: 

Paying a ransom does not guarantee safety, recovery, or data deletion.

The Final Impact: Nearly 200 Million People Affected

The breach ultimately exposed the data of around 192 million individuals, making it the largest medical data breach ever recorded.

This wasn’t just a corporate failure; it was a national security event.

Why This Attack Matters

The Change Healthcare incident is a case study in modern cyber risk:

1. Identity is the new perimeter

One missing MFA control allowed attackers to compromise a national healthcare backbone.

2. Critical infrastructure is only as strong as its weakest authentication point

A single remote access portal became the entry point for a nationwide outage.

3. Ransomware groups are evolving into chaotic criminal ecosystems

Affiliates, operators, and data brokers are now turning on each other and on victims.

4. Paying ransom is no longer a viable strategy

The data was still leaked. The extortion continued. The attackers fought among themselves.

5. Healthcare remains one of the most vulnerable sectors

High-value data, legacy systems, and operational urgency make it a perfect target.

The Real Lesson: Cybersecurity Isn’t About Tools, It’s About Discipline

The Change Healthcare attack didn’t happen because of a lack of technology. 

It happened because of a lack of basic security hygiene.

  • MFA wasn’t enforced
  • Remote access wasn’t hardened
  • Lateral movement wasn’t detected
  • Data exfiltration wasn’t flagged
  • Privileged access wasn’t monitored

This wasn’t a failure of innovation. It was a failure of fundamentals.
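Two of the gaps above, password-only remote logons and unflagged multi-day exfiltration, are cheap to detect once the telemetry is collected. The following is an added example, not code from the original post or from any vendor: the event fields, user names, IP addresses, baselines and byte counts are all constructed for illustration, and the egress check sums over a window so that exfiltration spread over several days (as in the nine-day dwell described above) is caught even when no single day looks extreme.

```python
# Added example (not from the original post): two detections for the control
# gaps listed above. All field names and sample values are constructed.
from collections import defaultdict

# Constructed remote-access auth events and per-host daily egress summaries.
# "mfa" records whether the portal actually challenged for a second factor.
SAMPLE_EVENTS = [
    {"type": "auth", "user": "svc_support", "src_ip": "203.0.113.5",
     "result": "success", "mfa": False, "day": 1},
    {"type": "auth", "user": "jdoe", "src_ip": "198.51.100.7",
     "result": "success", "mfa": True, "day": 1},
    {"type": "auth", "user": "svc_support", "src_ip": "203.0.113.5",
     "result": "failure", "mfa": False, "day": 1},
    {"type": "egress", "host": "fileserver01", "bytes_out": 2 * 10**9, "day": 1},
    {"type": "egress", "host": "fileserver01", "bytes_out": 9 * 10**11, "day": 3},
    {"type": "egress", "host": "fileserver01", "bytes_out": 11 * 10**11, "day": 5},
    {"type": "egress", "host": "workstation22", "bytes_out": 5 * 10**8, "day": 4},
]

# Constructed normal daily egress per host (e.g. learned from the prior month).
BASELINES = {"fileserver01": 2 * 10**9, "workstation22": 10**8}

def logons_without_mfa(events):
    """Successful remote-access logons that were never challenged for MFA.
    Each hit is a password-only entry point like the portal in the post;
    failed attempts are ignored because they granted no access."""
    return [(e["user"], e["src_ip"], e["day"]) for e in events
            if e["type"] == "auth" and e["result"] == "success" and not e["mfa"]]

def egress_outliers(events, baselines, window_days, multiplier=10):
    """Hosts whose outbound bytes over the window exceed multiplier times
    their baseline for that many days. Summing over the whole window, not
    per day, surfaces slow exfiltration that a daily threshold would miss."""
    totals = defaultdict(int)
    for e in events:
        if e["type"] == "egress":
            totals[e["host"]] += e["bytes_out"]
    return {host: total for host, total in totals.items()
            if total > multiplier * baselines[host] * window_days}

def findings(events=SAMPLE_EVENTS, baselines=BASELINES, window_days=7):
    """Run both checks and return one list of human-readable findings."""
    out = [f"password-only logon: {u} from {ip} on day {d}"
           for u, ip, d in logons_without_mfa(events)]
    out += [f"egress outlier: {h} sent {b:,} bytes in {window_days} days"
            for h, b in egress_outliers(events, baselines, window_days).items()]
    return out
```

On the constructed data, `findings()` reports the one password-only logon and the file server whose week of egress is far above its baseline, while the workstation's ordinary traffic is not flagged.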

