By Ryan Windt | Head of Growth Marketing | Updated April 2026
In February 2024, attackers affiliated with the ALPHV/BlackCat ransomware group accessed a single Citrix remote access portal at Change Healthcare. The portal had no multi-factor authentication. Nine days later, they deployed ransomware.
What followed was the largest cyber event in U.S. healthcare history.
Change Healthcare processes roughly 15 billion transactions annually, handling claims, prescriptions, prior authorizations, and payment processing for providers across the country. When the company took its systems offline to contain the attack, the disruption cascaded immediately across the entire healthcare system. Pharmacies could not process prescriptions. Hospitals could not verify patient eligibility. Physician practices could not submit claims. The American Hospital Association estimated that some larger health systems were losing more than $100 million per day.
The final damage to UnitedHealth Group, Change’s parent company, reached $2.457 billion in total cyberattack costs through Q3 2024 alone. The breach exposed the personal and health records of an estimated 190 million Americans. A $22 million ransom was paid to ALPHV/BlackCat. And then a second ransomware group claimed to have the stolen data and demanded another payment.
This is not a cautionary tale about an unsophisticated company with no security resources. UnitedHealth Group is one of the largest companies in the world by revenue. It has dedicated security teams, enterprise security infrastructure, and written policies requiring MFA on all external-facing systems. One portal slipped through. That was enough.
The lessons for every other healthcare organization, and for every business that depends on a third-party healthcare platform, are significant. This post breaks down what happened, why the financial damage was so severe, and what cyber insurance does and does not cover in a scenario like this.
What Happened at Change Healthcare
The attack began on February 12, 2024, when ALPHV/BlackCat affiliates accessed Change Healthcare’s network through a Citrix remote access portal using compromised credentials. That portal was not protected by MFA, despite UnitedHealth’s stated policy requiring it on all external-facing systems.
The attackers spent nine days inside the environment before deploying ransomware on February 21. During that window, they moved laterally through systems and exfiltrated an estimated 6 terabytes of data. When Change Healthcare detected the ransomware and took its systems offline, the disruption was immediate and nationwide.
UnitedHealth CEO Andrew Witty confirmed in congressional testimony that the missing MFA was the vulnerability that allowed the attack to succeed. He also disclosed that the company’s backups were not properly segmented from the primary network, so the ransomware encrypted those as well. Recovery required a complete rebuild of Change Healthcare’s platform from scratch.
The ransom decision, Witty testified, was his alone to make. UnitedHealth paid $22 million to ALPHV/BlackCat in early March 2024. The money went sideways almost immediately: the ransomware affiliate who had conducted the attack alleged the gang kept the full payment without sharing their cut. A second group, RansomHub, subsequently claimed to have the stolen data and threatened to publish it unless an additional payment was made.
Victim notification began in June 2024 and continued through the end of the year. Sorting through terabytes of stolen files to identify exactly whose data was exposed took months. The breach was initially reported to HHS as affecting more than 500 individuals. That estimate was eventually revised to 100 million, and then to 190 million, making it by far the largest breach of protected health information ever reported under HIPAA.
Why the Downstream Damage Was So Severe
Change Healthcare’s position in the U.S. healthcare system is nearly singular. The company processes roughly one-third of all patient records in the country and handles transactions for more than 900,000 physicians, 33,000 pharmacies, and 5,500 hospitals.
When Change took its systems offline, it did not just disrupt its own operations. It effectively severed the payment and claims processing infrastructure for a significant portion of the healthcare industry simultaneously.
An AMA survey conducted in April 2024 captured the scope of the downstream impact: 80 percent of physician practices reported losing revenue from unpaid claims, and 60 percent faced challenges verifying patient eligibility. Smaller practices and rural hospitals were hit hardest. Some reported having to furlough staff or use personal funds to cover payroll while claims sat in limbo.
To stabilize the situation, UnitedHealth advanced more than $9 billion in emergency loans to healthcare providers facing cash flow crises. The repayment process extended for months.
This is what a systemic third-party dependency failure looks like in practice. The affected providers did not experience a breach of their own systems. They did not make any security mistakes. But they suffered real, material financial losses because a vendor they depended on was taken offline.
What This Means for Cyber Insurance
The Change Healthcare breach raises specific and important questions for every healthcare organization’s insurance program. The answers depend heavily on how your policy is written.
Business interruption: did your policy cover the downtime?
For the healthcare providers who lost revenue during the outage, the core coverage question was whether their cyber insurance policy covered business interruption losses caused by a third-party vendor’s incident.
Standard cyber policies typically cover business interruption when your own systems are unavailable due to a covered cyber event. If your systems were fine but a vendor’s were not, whether your policy responds depends on whether it includes contingent or dependent business interruption coverage.
This coverage extends business interruption protection to losses caused by a cyber incident at a third party you depend on. It exists in the market, but it is not included in all policies, is frequently sublimited, and sometimes requires that the specific vendor be named in the policy. Healthcare organizations that did not have this coverage, or had it only at a low sublimit, were not protected against exactly the kind of loss the Change Healthcare outage caused.
If your policy does not include contingent business interruption coverage, or if the sublimit is substantially lower than your daily revenue, that is a gap worth addressing at renewal.
Ransomware coverage: the double extortion problem
UnitedHealth paid one ransom and then faced a second extortion demand from a different group claiming to have the same data. This is called double extortion or secondary extortion, and it is increasingly common in high-value ransomware events.
Most cyber insurance policies cover ransom payments made with carrier consent and coordination. But the second extortion demand from RansomHub created a more complicated question: was the stolen data actually in RansomHub's possession, and if a payment were made to that second group, would it be covered under the original policy?
Policy language varies on how secondary extortion demands are handled. Some policies cover multiple extortion events arising from the same incident. Others may treat a demand from a separate group as a distinct event subject to a separate deductible or sublimit. This is worth reviewing with your broker before you are in a situation where it matters.
For a full breakdown of how ransomware coverage works and what policies actually pay, see our guide to ransomware and cyber insurance coverage.
Data breach notification: 190 million records
Change Healthcare’s notification obligation grew from 500 reported individuals to 190 million over the course of 2024. The cost of identifying, notifying, and providing credit monitoring for that many affected individuals was substantial.
For covered entities and business associates handling PHI, the breach notification costs associated with a large-scale event like this are a core cyber insurance recovery item. Forensic review costs, legal counsel to manage HIPAA notification obligations, notification vendor costs, call center support, and credit monitoring enrollment are all components of a well-structured first-party breach response coverage.
If your breach response sublimits are set below your realistic exposure, a mass notification event can quickly exhaust them.
Regulatory exposure: HHS investigations and state actions
The Nebraska Attorney General filed the first state enforcement action related to the Change Healthcare breach. Federal litigation consolidated into multi-district proceedings with more than 49 combined cases. HHS OCR investigations remained active well into 2025.
Regulatory defense costs and civil monetary penalty coverage are components many healthcare organizations do not think carefully about until they receive an inquiry letter. Under a well-structured cyber policy, both legal defense costs and covered penalties are included. The scope of what penalties are covered, and how much, varies by carrier and policy form.
For context on the overall regulatory exposure landscape, including how HIPAA fines interact with cyber insurance, see Cyber Insurance for Healthcare: What HIPAA Doesn’t Cover.
The Security Failures That Made It Possible
Change Healthcare’s breach was not the result of a sophisticated zero-day exploit. The attack succeeded because of failures in basic security hygiene that cyber underwriters now evaluate as minimum requirements for coverage.
No MFA on a critical external access point. The entire attack originated from a single Citrix portal that lacked multi-factor authentication. This is the most commonly cited underwriting requirement in the market. Carriers routinely decline applications, apply exclusions, or charge significantly higher premiums for organizations that cannot confirm MFA is enabled on all remote access and email systems.
Backups were not segmented. Because Change’s backups were not isolated from the primary network, the ransomware encrypted them along with everything else. Recovery required a complete rebuild from scratch. Segmented, offline, or immutable backups are a standard underwriting control requirement. Their absence materially extended the outage and the financial damage.
Compromised credentials were not detected. The attackers likely obtained the Citrix credentials through an initial access broker before the attack. Credential monitoring for leaked employee credentials appearing on dark web markets could have flagged the compromised account before it was used.
Lateral movement went undetected for nine days. Once inside, the attackers had nearly two weeks to move through systems and exfiltrate data before deploying ransomware. Effective endpoint detection and response tools, combined with network segmentation, are designed to limit exactly this kind of dwell time.
For a detailed breakdown of the controls that underwriters require and how to document them, see the Cyber Insurance Requirements Checklist for SMBs and MSPs.
What Healthcare Organizations Should Do Now
The Change Healthcare breach is not a story about a uniquely vulnerable company. It is a story about what happens when a critical infrastructure provider fails at foundational security hygiene, and how far the blast radius extends when it does.
For healthcare providers, vendors, and business associates reviewing their own exposure, a few action items follow directly from what happened.
Audit your contingent business interruption coverage. If your operations depend on a clearinghouse, EHR platform, billing processor, or any other shared service, you need to know whether your policy covers revenue losses when that vendor goes offline. Find the specific provision and compare the sublimit to your actual daily revenue exposure from a multi-week outage. If there is a significant gap, address it at renewal.
Verify your MFA coverage is complete. Not just on some systems: every external-facing portal, every remote access point, every email system. The Change Healthcare CEO told Congress that his company had a policy requiring MFA on all external systems. One portal was missed. Make sure you can document that yours are not.
Confirm your backups are actually isolated. Backups that are connected to the same network they are backing up can be encrypted in a ransomware event. Segmented, offline, or immutable backups that are tested regularly are the difference between a recovery measured in days and a rebuild measured in months.
Know your breach notification exposure. If your organization handles PHI for a large patient population, understand what patient notification at scale actually costs and verify that your policy limits are calibrated accordingly.
Review your vendor dependency risk. Change Healthcare’s position as a near-monopoly processor created systemic exposure that individual providers could not have fully anticipated. For critical vendor dependencies in your own operations, understand what your policy covers if that vendor experiences a cyber event, and push for contingent business interruption coverage that does not require vendors to be named in advance.
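As an added example (not code from this post, from UnitedHealth, or from any underwriter), the following Python reconciles the two controls that the security-failures section and the action items above both turn on, MFA on every external-facing remote access and email system, and backups that are isolated and restore-tested, against a constructed asset inventory; all asset names, backup names and the 90-day restore-test threshold are assumptions.

```python
# Added example (not the post's or UnitedHealth's code): reconcile an "MFA on all
# external-facing systems" policy and a backup-isolation policy against an
# asset inventory. All inventory data below is constructed.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    kind: str               # "remote_access", "email", "web_app", ...
    internet_facing: bool
    mfa_enforced: bool

@dataclass
class BackupTarget:
    name: str
    reachable_from_prod: bool    # production hosts can write/delete it over the network
    immutable: bool              # write-once or retention-locked storage
    last_restore_test_days: int  # days since a restore was last exercised

MFA_REQUIRED_KINDS = {"remote_access", "email"}  # what underwriters ask about first
def mfa_gaps(assets):
    """External-facing remote access or email systems without MFA enforced."""
    return sorted(a.name for a in assets
                  if a.internet_facing and a.kind in MFA_REQUIRED_KINDS
                  and not a.mfa_enforced)
def backup_gaps(targets, max_test_age_days=90):
    """Backups ransomware on the production network could also encrypt, plus
    backups whose restore has not been exercised within max_test_age_days."""
    findings = []
    for t in targets:
        if t.reachable_from_prod and not t.immutable:
            findings.append((t.name, "reachable from production and not immutable"))
        if t.last_restore_test_days > max_test_age_days:
            findings.append((t.name, f"restore untested for {t.last_restore_test_days} days"))
    return findings
def controls_attestable(assets, targets):
    """True only when both controls hold with zero exceptions; one miss fails it."""
    return not mfa_gaps(assets) and not backup_gaps(targets)

# Constructed inventory: policy says MFA everywhere, but one portal was missed.
SAMPLE_ASSETS = [
    Asset("vpn-gateway", "remote_access", True, True),
    Asset("legacy-remote-portal", "remote_access", True, False),  # the miss
    Asset("o365-mail", "email", True, True),
    Asset("intranet-wiki", "web_app", False, False),              # internal, out of scope
]
SAMPLE_BACKUPS = [
    BackupTarget("nas-nightly", True, False, 30),         # same network, encryptable
    BackupTarget("offsite-immutable", False, True, 200),  # isolated, never restore-tested
]
```

Running `mfa_gaps(SAMPLE_ASSETS)` surfaces the one unprotected portal that a policy-level "MFA everywhere" statement hides, and `controls_attestable` returns False until both finding lists are empty.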
The Broader Lesson
The Change Healthcare breach confirmed something the insurance market had already been pricing in for years: healthcare is the highest-risk sector in cybercrime, and the financial exposure from a single event can be existential for organizations that are not properly protected.
It also demonstrated that cyber risk in healthcare is not just about your own systems. The providers who suffered months of cash flow disruption did nothing wrong. They had no breach. They had no security failures. They were downstream victims of a shared infrastructure failure that no amount of internal security investment could have prevented.
That is exactly the kind of risk that cyber insurance is designed to address. The question is whether your policy is written to cover the losses you actually face, at limits that reflect your actual exposure, with the contingent coverage provisions that protect you when the breach happens somewhere else.
If you are not certain, that is worth knowing before the next Change Healthcare.