News | Feb 21, 2024 | 2 min read

Change Healthcare Ransomware: Healthcare Payments in Crisis

A ransomware attack on Change Healthcare, the largest health payment processor in the United States, disrupted medical billing nationwide and exposed sensitive patient data.

By 3SN Editorial

TL;DR

  • Change Healthcare, processing one in three US medical claims, suffered a ransomware attack that shut down payment processing systems nationwide.
  • The ALPHV ransomware group claimed responsibility for the attack, which disrupted pharmacy operations, medical billing, and claims processing for weeks.
  • The incident exposed sensitive health data of millions of patients and highlighted the systemic risk of consolidated healthcare infrastructure.

The short version

When the largest health payment processor in the United States is hit with ransomware, the entire healthcare system feels the impact. Change Healthcare processes one in three US medical claims. When they went down, pharmacies could not fill prescriptions. Doctors could not get paid. Hospitals faced cash flow crises. The ALPHV ransomware group claimed responsibility, and despite a $22 million ransom payment, recovery took weeks. The incident is a stark reminder of how concentrated infrastructure creates systemic risk. One breach does not just affect one company. It affects everyone who depends on them.

Why this matters beyond a single product

This is a story about consolidation and systemic risk. Healthcare has become increasingly centralized, with a few large processors handling transactions for the entire industry. This creates efficiency but also fragility. When Change Healthcare was compromised, the effects were not contained. They spread through the entire ecosystem. The lesson applies to any industry with similar concentration. If your business depends on a single vendor for critical functions, you have inherited their risk profile. This is not just a technical issue. It is a business continuity and vendor management issue. Organizations must evaluate not just whether their vendors are secure, but whether they could continue operations if those vendors became unavailable.

Practical next steps for teams

Start with your critical vendor list. Which vendors, if compromised, would shut down your operations? Do you have alternatives? Have you tested failover procedures? For healthcare organizations specifically, this incident should prompt a review of business continuity plans with a focus on payment processing and claims submission. What happens if your primary clearinghouse is unavailable for days or weeks? The time to answer that question is before the next incident, not during it.

3SN perspective

Security must be practical. Healthcare organizations are under immense pressure to deliver care while managing complex regulatory and operational requirements. They cannot afford security that slows them down or creates barriers to patient care. We believe the answer is security that fits naturally into healthcare workflows, with clear visibility into vendor risks and straightforward plans for when things go wrong. The Change Healthcare incident shows that resilience comes not just from preventing attacks, but from being prepared to continue operations even when they occur.

What happened

On February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group and the largest health payment processor in the United States, disclosed a ransomware attack that forced the shutdown of critical systems. The ALPHV ransomware group claimed responsibility. The attack encrypted systems and exfiltrated data, causing a nationwide disruption to healthcare payment processing. Pharmacies could not process prescriptions through insurance. Healthcare providers could not submit claims or receive payments. The effects rippled through the entire US healthcare system, affecting an estimated one in three medical claims. Change Healthcare eventually paid approximately $22 million in ransom, but the recovery took weeks and the full scope of data exposure took months to determine.

Who’s affected

The impact was felt across the entire US healthcare ecosystem. Patients faced delays filling prescriptions and uncertainty about their data. Healthcare providers, from small practices to major hospitals, lost revenue and faced cash flow crises because they could not submit claims or receive payments. Pharmacies experienced system outages preventing insurance processing. The breach affected millions of individuals whose health information may have been exposed, including personal identifiers, medical records, and financial information.

What to do now

  1. Review business continuity plans to ensure operational resilience when critical vendors experience outages.
  2. Assess third-party risk management practices, particularly for vendors with systemic importance to your operations.
  3. Monitor for identity theft and credit fraud if you believe your health data may have been exposed.

Technical analysis

Mitigations & recommendations

Diversify critical vendor dependencies (high)

Evaluate whether your organization relies too heavily on single vendors for critical functions. Consider backup vendors and business continuity arrangements.

Strengthen third-party risk assessments (high)

Conduct thorough security assessments of vendors with systemic importance. Include ransomware response capabilities and business continuity planning in evaluations.

Develop healthcare-specific incident response (high)

Create incident response plans that account for the unique operational and regulatory requirements of healthcare, including patient care continuity and HIPAA considerations.

Monitor for identity and medical fraud (medium)

If your data was potentially exposed, monitor credit reports, medical records, and insurance statements for signs of fraudulent activity.