Decipher File · February 2024, ongoing
Change Healthcare ALPHV: When One Citrix Portal Took Down US Pharmacy Claims
The Change Healthcare ALPHV incident is the ransomware attack that froze US pharmacy and provider claims processing for weeks. On February 21, 2024, an ALPHV/BlackCat affiliate deployed ransomware inside the Change Healthcare network, nine days after entering through a Citrix remote access portal that lacked multifactor authentication. UnitedHealth Group paid a ransom of approximately $22 million, and the data of approximately 100 million individuals was exposed.
Incident summary
Change Healthcare is a UnitedHealth Group subsidiary that processes claims, eligibility checks, and prior authorizations for a substantial share of US pharmacies and providers. UnitedHealth disclosed in a February 22, 2024 SEC 8-K filing that a "suspected nation-state-associated" cybersecurity threat actor had gained access to Change Healthcare information technology systems. UnitedHealth later attributed the attack to ALPHV/BlackCat, a criminal ransomware-as-a-service operation rather than a state actor.
UnitedHealth Group CEO Andrew Witty testified before the House Energy and Commerce Subcommittee on May 1, 2024 that the threat actor first authenticated on February 12, 2024 through a Citrix remote access portal that did not have multifactor authentication enabled. Compromised credentials authenticated successfully because no second factor was required. The actor moved laterally for nine days before deploying ALPHV/BlackCat ransomware on February 21, 2024.
UnitedHealth confirmed in the same testimony that it paid approximately $22 million in Bitcoin to the attacker. The HHS Office for Civil Rights breach notification posted in October 2024 covered approximately 100 million individuals, making it the largest healthcare data breach in US history by number of individuals affected at the time of disclosure.
Attack technique
In MITRE ATT&CK terms, initial access maps to T1133 (External Remote Services) for the internet-facing Citrix portal that was not enforcing MFA, and T1078 (Valid Accounts) for the use of compromised credentials against it. Post-access activity matches the ALPHV/BlackCat playbook described in CISA AA23-353A: enumeration of Active Directory, lateral movement with stolen credentials, and staging of files for double extortion before encryption.
Per Witty's congressional testimony the actor exfiltrated approximately 6 TB of data, including protected health information, claims data, and personal identifiers. Witty estimated the exposed data could cover roughly one-third of Americans; the HHS OCR breach notification published in October 2024 put the figure at approximately 100 million individuals.
After UnitedHealth paid the $22 million ransom on or around March 1, 2024, ALPHV's operators did what Krebs on Security and ransomware researcher vx-underground both characterized as an exit scam: the group took the payment, shut down its infrastructure, and never paid its affiliate. The affiliate, which still held the stolen data, relisted Change Healthcare on the RansomHub leak site in April 2024 and demanded a second payment, demonstrating that paying a RaaS group does not guarantee data deletion.
Impact and consequences
Pharmacy and provider claims processing across the US was disrupted for approximately three weeks. Per American Hospital Association reporting, smaller pharmacies and rural providers reported the most acute disruption, with some forced to require cash payment for prescriptions during the outage. UnitedHealth issued more than $9 billion in advance funding to providers to bridge cash flow.
UnitedHealth disclosed in its Q3 2024 earnings that total incident-related costs reached approximately $2.87 billion, including direct response costs, advance funding to providers, and claims processing remediation. Its full-year 2024 figure, reported in January 2025, was approximately $3.1 billion.
Senate HELP Committee Chair Bernie Sanders asked HHS Secretary Becerra to accelerate cybersecurity rules for HIPAA-covered entities. HHS published proposed updates to the HIPAA Security Rule on December 27, 2024, the first substantive update since 2013; the proposal would mandate MFA, encryption at rest and in transit, and asset inventories for covered entities and business associates. The Change Healthcare incident is named in the rulemaking justification.
Indicators of Compromise
Observables associated with the incident. Only the first three are artifacts a defender can hunt for in their own environment; the remainder are incident-level markers useful for cross-referencing threat intelligence. Check these against your existing detection rules before acting on them.
- Successful authentication to an internet-facing Citrix remote access portal on which no MFA factor is satisfied
- ALPHV/BlackCat ransomware binaries (hashes published in CISA AA23-353A)
- Outbound data staging and bulk transfer to attacker infrastructure consistent with double extortion
- Bitcoin transaction of approximately 350 BTC to an ALPHV-controlled wallet on March 1, 2024
- Subsequent extortion attempt under the RansomHub brand referencing the same dataset
- Disruption of Change Healthcare APIs used for claims, eligibility, and prior authorization
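The following hunt script is an added example, not code from the original page or from any of the organizations it describes. It implements the T1133/T1078 detections implied by the ATT&CK mapping above and by the first indicator in the list: successful remote-access logins with no MFA factor, one credential succeeding from several source addresses in a short window, and gateways on which MFA is never satisfied at all (the condition Witty described for the compromised portal). The JSON-lines event format, gateway names, usernames, and IP addresses are constructed for the example; real Citrix Gateway/NetScaler syslog fields differ, so `parse_events()` must be adapted to your gateway's actual log schema.

```python
"""Hunt for abuse of an internet-facing remote access gateway:
T1133 (External Remote Services) + T1078 (Valid Accounts).

Added example. The event schema below is CONSTRUCTED for illustration and is
not Citrix Gateway / NetScaler syslog; adapt parse_events() to real fields.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (JSON lines). Gateways, users and IPs are invented.
SAMPLE_EVENTS = """\
{"ts": "2024-02-12T03:14:05Z", "gateway": "gw-corp", "user": "alice", "src_ip": "203.0.113.5", "outcome": "success", "mfa": "satisfied"}
{"ts": "2024-02-12T03:20:11Z", "gateway": "gw-legacy", "user": "svc-remote-admin", "src_ip": "198.51.100.23", "outcome": "success", "mfa": "none"}
{"ts": "2024-02-12T03:21:40Z", "gateway": "gw-legacy", "user": "svc-remote-admin", "src_ip": "198.51.100.23", "outcome": "failure", "mfa": "none"}
{"ts": "2024-02-12T04:02:09Z", "gateway": "gw-corp", "user": "bob", "src_ip": "203.0.113.77", "outcome": "success", "mfa": "satisfied"}
{"ts": "2024-02-12T04:15:30Z", "gateway": "gw-legacy", "user": "svc-remote-admin", "src_ip": "192.0.2.44", "outcome": "success", "mfa": "none"}
{"ts": "2024-02-12T09:00:00Z", "gateway": "gw-legacy", "user": "carol", "src_ip": "203.0.113.9", "outcome": "success", "mfa": "none"}
{"ts": "2024-02-12T22:00:00Z", "gateway": "gw-corp", "user": "alice", "src_ip": "203.0.113.5", "outcome": "success", "mfa": "satisfied"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines auth events, time-sorted. Malformed lines are skipped
    rather than aborting the hunt, since gateway logs are rarely pristine."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError):
            continue
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def logins_without_mfa(events: list[dict]) -> list[tuple[str, str, str]]:
    """Successful logins where no MFA factor was satisfied (T1078 over T1133).
    Failures are ignored: a failed login without MFA is just a failed login."""
    return [
        (e["gateway"], e["user"], e["src_ip"])
        for e in events
        if e["outcome"] == "success" and e.get("mfa") != "satisfied"
    ]


def credential_reuse(events: list[dict], window: timedelta = timedelta(hours=1),
                     min_ips: int = 2) -> dict[str, set[str]]:
    """One credential succeeding from >= min_ips distinct source IPs inside
    `window`: the classic signature of a stolen password in concurrent use."""
    by_user: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["outcome"] == "success":
            by_user[e["user"]].append((e["ts"], e["src_ip"]))
    hits: dict[str, set[str]] = {}
    for user, seq in by_user.items():
        # seq is time-sorted because parse_events() sorted the input
        for i, (t0, _) in enumerate(seq):
            ips = {ip for t, ip in seq[i:] if t - t0 <= window}
            if len(ips) >= min_ips:
                hits.setdefault(user, set()).update(ips)
    return hits


def gateway_mfa_coverage(events: list[dict]) -> dict[str, tuple[int, int]]:
    """Per gateway: (successful logins, of which MFA-satisfied)."""
    cov: dict[str, list[int]] = defaultdict(lambda: [0, 0])
    for e in events:
        if e["outcome"] != "success":
            continue
        cov[e["gateway"]][0] += 1
        if e.get("mfa") == "satisfied":
            cov[e["gateway"]][1] += 1
    return {gw: (n, m) for gw, (n, m) in cov.items()}


def gateways_not_enforcing_mfa(events: list[dict]) -> list[str]:
    """Gateways with successful logins but zero MFA-satisfied logins: the
    gateway itself is not enforcing MFA, which is the Change Healthcare condition."""
    return sorted(gw for gw, (n, m) in gateway_mfa_coverage(events).items()
                  if n > 0 and m == 0)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for hit in logins_without_mfa(evs):
        print("no-MFA login:", hit)
    for user, ips in credential_reuse(evs).items():
        print("credential used from multiple IPs within 1h:", user, sorted(ips))
    print("gateway MFA coverage:", gateway_mfa_coverage(evs))
    print("gateways never satisfying MFA:", gateways_not_enforcing_mfa(evs))
```

On the constructed input, `gw-legacy` is flagged as never enforcing MFA while `gw-corp` shows full coverage, which is the per-gateway view an acquiring organization wants: an MFA rollout that is complete on core systems can still leave an inherited gateway with zero coverage. The credential-reuse check is intentionally separate from the MFA check, since a stolen password used from two addresses within an hour is worth an alert even on a gateway that does require a second factor.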
Lessons for defenders
MFA on every internet-exposed remote access path is the floor, not the ceiling. The Change Healthcare incident is the highest-impact instance so far of the Colonial Pipeline pattern: a single remote access portal without MFA and one set of compromised credentials cost a Fortune 5 subsidiary $22 million in ransom, more than $3 billion in incident costs, and weeks of US healthcare disruption.
Acquired infrastructure inherits acquired risk. Change Healthcare was acquired by UnitedHealth's Optum in October 2022 and folded into Optum Insight. Witty testified that the compromised portal was a legacy Change Healthcare system whose upgrade to UnitedHealth's standards, including MFA, was still in progress. Acquisition cybersecurity due diligence and time-bound integration runbooks, with internet-facing remote access hardened first, address this gap.
Paying ransom does not guarantee data deletion in a RaaS economy. The ALPHV exit scam against its own affiliate left the Change Healthcare data in the affiliate's hands and led to a second extortion attempt under the RansomHub brand. Payment decision frameworks should treat exfiltrated data as permanently compromised whether or not a ransom is paid; the exit-scam precedent shows that the party receiving the payment may not even control the data.
Healthcare-specific tabletop exercises must include claims-processing failure modes. The downstream impact fell on cash flow for thousands of providers, not on UnitedHealth corporate operations. Healthcare BC/DR planning that focuses on EHR uptime can miss the claims-clearinghouse single point of failure that the Change Healthcare incident exposed.
HIPAA-covered entity controls are being codified. The proposed December 2024 HIPAA Security Rule update would mandate MFA, encryption, asset inventories, and incident response testing. Healthcare organizations should align controls to the proposed rule rather than waiting for finalization: MFA on remote access, encryption, and a current asset inventory are baseline controls regardless of the rule's final form.
Frequently asked questions
How did the Change Healthcare ransomware attackers get in?
Per UnitedHealth Group CEO Andrew Witty's May 1, 2024 testimony before the House Energy and Commerce Subcommittee, the ALPHV/BlackCat affiliate entered through a Citrix remote access portal that did not have multifactor authentication enabled. Stolen credentials authenticated successfully because MFA was absent. The actor moved laterally for nine days before deploying ransomware on February 21, 2024.
Did UnitedHealth pay the ransom and get data back?
UnitedHealth paid approximately $22 million in Bitcoin to ALPHV/BlackCat in early March 2024. The data was not deleted. ALPHV's leadership took the ransom in what Krebs on Security characterized as an exit scam against its own affiliate. The affiliate later attempted a second extortion under the RansomHub brand, demonstrating that ransom payment does not guarantee data deletion.
How many people had data exposed in the Change Healthcare breach?
The HHS Office for Civil Rights breach notification posted in October 2024 covered approximately 100 million individuals. UnitedHealth disclosed that approximately 6 TB of data was exfiltrated, including protected health information, claims, and personal identifiers, and CEO Andrew Witty estimated the data could cover roughly one-third of Americans. The breach is the largest healthcare data breach in US history by number of individuals affected at the time of disclosure.
Sources
- UnitedHealth Group Cybersecurity Incident Update Page · Official UnitedHealth incident response and recovery updates
- UnitedHealth Group SEC 8-K Filing (February 22, 2024) · Initial SEC disclosure of the Change Healthcare incident
- House Energy and Commerce Subcommittee Hearing: Andrew Witty Testimony (May 1, 2024) · UnitedHealth CEO Andrew Witty's congressional testimony confirming Citrix-no-MFA root cause and $22M ransom
- CISA AA23-353A Joint Advisory: ALPHV BlackCat Ransomware · Federal advisory on ALPHV/BlackCat TTPs and IOCs
- HHS Office for Civil Rights Breach Portal: Change Healthcare · HIPAA breach notification covering approximately 100 million individuals
- Krebs on Security: BlackCat Ransomware Group Implodes After Apparent $22M Ransom Payment · March 5, 2024 reporting of the ransom payment and ALPHV exit scam
DecipherU is not affiliated with, endorsed by, or sponsored by any company listed in this directory. Information compiled from publicly available sources for educational purposes.