“Massive Data Breach: UnitedHealth-Owned Change Healthcare Hit by Ransomware Attack”

**The Ransomware Attack on Change Healthcare: A Timeline of Events**

**February 21, 2024: First Report of Outages as Security Incident Emerges**

On February 21, 2024, the healthcare sector in the United States experienced widespread outages as the billing systems at doctors’ offices and healthcare practices suddenly stopped working. Change Healthcare, a health tech company owned by UnitedHealth, confirmed that it was facing a network interruption due to a cybersecurity issue. It was later revealed that hackers had breached the company’s systems a week earlier, on or around February 12.

**February 29, 2024: UnitedHealth Confirms Ransomware Gang**

UnitedHealth initially attributed the intrusion to a government or nation-state, but on February 29 the company confirmed that the cyberattack was the work of a ransomware gang known as ALPHV/BlackCat. This Russian-speaking gang operates a ransomware-as-a-service model, in which affiliates break into victim networks and deploy malware developed by the gang’s leaders. The gang claimed responsibility for stealing millions of Americans’ sensitive health and patient information.

**March 3-5, 2024: UnitedHealth Pays $22 Million Ransom**

In early March, UnitedHealth paid a ransom of $22 million to the hackers, who then disappeared. The ALPHV gang’s leak site on the dark web was replaced with a seizure notice, but it was suspected that they had run off with the ransom, pulling an “exit scam.” The stolen data remained with the hackers despite the payment.

**March 13, 2024: Widespread Disruption and Lack of Information**

The cyberattack caused ongoing outages, leading to disruptions in the U.S. healthcare sector. Many individuals faced difficulties getting their prescriptions filled, and military health insurance provider TriCare reported that all military pharmacies worldwide were affected. The American Medical Association criticized UnitedHealth and Change Healthcare for providing little information about the outages, further exacerbating the disruption.

**March 28, 2024: U.S. Government Increases Bounty for Gang’s Capture**

In an effort to bring the ALPHV/BlackCat gang to justice, the U.S. government raised its bounty to $10 million for information leading to the capture of the gang’s key leadership. This increase in reward indicated the government’s recognition of the potential harm caused by the exposure of Americans’ health information.

**April 15, 2024: Contractor Forms New Ransom Gang**

A disgruntled affiliate of the ALPHV gang established a new ransom gang called RansomHub. With access to the stolen data, RansomHub demanded a second ransom from UnitedHealth, threatening to publish private and sensitive patient records as proof of their threat. This “double extortion” tactic is commonly employed by ransomware gangs to maximize their profits.

**April 22, 2024: UnitedHealth Confirms Data Breach**

UnitedHealth finally confirmed that a data breach had occurred, likely affecting a substantial proportion of people in America. The stolen data included highly sensitive medical records, health information, diagnoses, medications, test results, and personal information. Given that Change Healthcare handles data on about one-third of the U.S. population, it is estimated that over 100 million people were affected.

**May 1, 2024: CEO Testifies on Lack of Basic Cybersecurity**

UnitedHealth Group’s CEO, Andrew Witty, testified before lawmakers, acknowledging that the hackers exploited a single password set on a user account that lacked multi-factor authentication. This basic security feature could have prevented the breach. Witty emphasized that the breach would likely impact about one-third of the U.S. population, in line with the number of people whose healthcare claims Change Healthcare processes.

**June 20, 2024: Notification Process Begins**

Change Healthcare started notifying affected individuals on June 20, although the process was delayed due to the sheer size of the stolen dataset. The company admitted that it could not confirm the exact data stolen about each individual, as it varied from person to person. The U.S. Department of Health and Human Services stepped in to assist affected healthcare providers in notifying their patients, lessening the burden on smaller providers.

**July 29, 2024: Letters Sent to Affected Individuals**

In late July, Change Healthcare began sending letters to the known individuals whose healthcare data was stolen. The letters confirmed the types of data that were compromised, including medical data, health insurance information, and claims and payment information, which included financial and banking details.

The ransomware attack on Change Healthcare and subsequent data breach had significant consequences for the U.S. healthcare sector and millions of individuals. The incident highlighted the importance of robust cybersecurity measures and the need for proactive strategies to mitigate the risks posed by ransomware gangs. It also emphasized the potential harm caused by the exposure of sensitive health information and the challenges faced by affected individuals and healthcare providers.