Change Healthcare ransomware disrupts services
- UnitedHealth’s Change Healthcare attack was not a brief IT outage but a February 2024 ransomware hit that froze claims, payments, and pharmacy workflows nationwide.
- The most revealing detail is concentration: Change touched one in three U.S. patient records and processed about 15 billion healthcare transactions yearly.
- That turned one compromised portal into a systemwide shock — and later into the biggest healthcare data breach on record.

Healthcare billing sounds back-office and boring — until it stops. That is what happened when ransomware hit Change Healthcare, the claims and payments giant inside UnitedHealth’s Optum business, on February 21, 2024. The attack did not just lock up one company’s computers. It jammed the pipes that move prescriptions, claims, prior authorizations, and provider payments across the U.S. health system. The reason this story still matters is simple: it exposed how a single chokepoint can turn a cyberattack into a national care and cash-flow crisis. (sec.gov)

### What is Change Healthcare, exactly?

Change Healthcare is one of those companies most patients never notice but a huge share of the system quietly depends on. It acts like plumbing for healthcare administration — routing claims, eligibility checks, payment files, and pharmacy transactions between doctors, hospitals, pharmacies, insurers, and government programs. Tha(sec.gov)ear, and industry groups told Congress it touched one in three patient records in the U.S. (mgma.com)

### What happened on February 21, 2024?

UnitedHealth disclosed in an SEC filing that it found a cyber threat actor inside some Change Healthcare systems on February 21, 2024. The company immediately isolated affected systems from the rest of the network. That containment step probably limited spread, but it also took core servi(mgma.com)worse. (sec.gov)

### Why did outages spread so widely?

Because Change sat in the middle of too many critical transactions. If a hospital cannot submit claims, cash stops coming in. If a pharmacy cannot process certain transactions, prescriptions get delayed or rerouted. If insurers and providers cannot exchange data normally, staff fall back to manual workarounds that are slower, messier, and more error-prone. One broken hub became thousands of broken workflows. (cnbc.com)

### Why were providers so alarmed?

Revenue cycle is not abstract for clinics and hospitals — it is payroll, supplies, and keeping the lights on. Providers told lawmakers the outage caused unprecedented disruption, and hospital groups said the financial shock was broad. In one survey cited during the fallout, 94% of hospitals reported financial (cnbc.com)e stuck. (cnbc.com)

### What did UnitedHealth do to keep things moving?

UnitedHealth started advancing funds to affected providers while systems were being restored. By late March 2024, it said those advances had topped $3.3 billion. By the May 1 Senate Finance hearing, CEO Andrew Witty said support had risen to more than $6.5 billion, with a meaningful share goin(cnbc.com)was not normal outage management. (cnbc.com)

### Was this also a data breach?

Yes — and a massive one. HHS said the cyberattack had an unprecedented impact on patient care and privacy, and OCR opened prioritized investigations into Change Healthcare and UnitedHealth. HHS later noted that Change told regulators in January 2025 that about 190 million individuals were impacted. Later reporti(cnbc.com).S. (hhs.gov)

### What was the security failure people focused on?

The detail that stuck was multifactor authentication. At the Senate hearing, Witty confirmed the portal used by the attackers was not protected by MFA. That does not explain every step of the intrusion, but it became the symbol of the whole event: an enormous, sy(hhs.gov)of “small miss, huge blast radius.” (essentialhospitals.org)

### So what is the real lesson?

The bottom line is that this was not just a ransomware story. It was a concentration-risk story. Healthcare had allowed too much operational dependency to pile up in one intermediary, so one compromise became a nationwide business interruption event with patient-care consequences. That is why boards, regu(essentialhospitals.org)inseparable from basic system resilience. (hhs.gov)