Decipher File · February 21, 2024 ransomware to April 2024 re-extortion through 2025 notification
Change Healthcare Re-Extortion (Apr 2024): Ransom Did Not End the Incident
Following the February 21, 2024 ALPHV/BlackCat ransomware attack on UnitedHealth Group subsidiary Change Healthcare, UHG paid approximately $22 million to the ALPHV ransomware operator in late February 2024. The ALPHV affiliate who carried out the intrusion did not receive a share of the ransom from the operator due to an ALPHV exit scam, retained possession of the exfiltrated patient data, and reposted it for sale in April 2024 via the RansomHub ransomware group. UnitedHealth Group CEO Andrew Witty testified to the House Energy and Commerce Committee on May 1, 2024 and the Senate Finance Committee on the same day, confirming the dual-extortion timeline. Approximately 190 million individuals were ultimately affected per UHG's January 2025 update, making it the largest healthcare data breach in US history.
Incident summary
Change Healthcare, a UnitedHealth Group subsidiary that processes approximately one third of US healthcare claims, was hit by ALPHV/BlackCat ransomware on February 21, 2024. The initial attack timeline and technical details are documented in the separate change-healthcare-ransomware-2024 Decipher File. The April 2024 re-extortion is operationally distinct and warrants its own analysis. In late February 2024, UnitedHealth Group paid approximately $22 million to the ALPHV ransomware operator in exchange for a promise to delete the exfiltrated patient data. The payment was confirmed publicly by UHG CEO Andrew Witty in congressional testimony on May 1, 2024.
The ALPHV operator kept the full ransom rather than paying the affiliate who carried out the intrusion. The exit scam became public within days, in early March 2024, when the affiliate complained on a cybercrime forum that the operator had taken the payment and cut them out. At the same time the ALPHV leak site began displaying a law-enforcement seizure banner that no agency claimed, and subsequent industry analysis treated the banner as a cover story for the exit scam. The affiliate still held the exfiltrated Change Healthcare data and, having received nothing through ALPHV's normal revenue split, had every incentive to monetize it through a different channel.
In April 2024, the affiliate posted the Change Healthcare data for sale through the RansomHub ransomware-as-a-service operator, the same group later attributed to the August 2024 Halliburton intrusion. RansomHub's leak site featured Change Healthcare data samples and demanded a second ransom payment. The listing was later removed from the site, which is consistent with a second payment but does not confirm one; UnitedHealth Group has not publicly confirmed whether a second ransom was paid. The structural fact, confirmed in Witty's congressional testimony, is that the first $22 million payment did not produce the negotiated outcome of data deletion. The patient data remained in criminal hands and was actively monetized through the RansomHub channel.
Attack technique
The re-extortion is operationally distinct from the initial ransomware intrusion. Initial access, per Witty's May 1, 2024 congressional testimony, was a set of compromised credentials used against a Citrix remote-access portal that did not enforce multifactor authentication (T1078 Valid Accounts, T1133 External Remote Services). Post-compromise, the ALPHV affiliate performed standard ransomware-affiliate activity: reconnaissance, lateral movement, credential harvesting, data exfiltration to attacker-controlled cloud storage (T1567.002), and ransomware deployment (T1486). That is the standard double-extortion ransomware-as-a-service pattern.
What is distinct in the Change Healthcare case is the post-payment timeline. The ransom payment in late February 2024 was made to the ALPHV operator, which is the ransomware-as-a-service brand. The operator runs the infrastructure, the leak site, the negotiations, and the cryptocurrency payment intake. The affiliate is the actor who actually breaks into the victim and performs the encryption and exfiltration work. The standard revenue split gives the affiliate the larger share, typically 70 to 90 percent, with the remainder going to the operator. The ALPHV operator in this case kept the full ransom rather than paying the affiliate their share, an exit-scam pattern that has appeared sporadically across the ransomware-as-a-service criminal market.
The affiliate retained its own copy of the exfiltrated Change Healthcare data. Possession of the data is independent of any agreement between victim and operator. The operator's promise to delete the data, even if made in good faith, only affects the operator's copy; the affiliate's separate copy is untouched by an operator-side deletion. This is a structural property of the ransomware-as-a-service architecture that victims and incident response negotiators do not always fully internalize. The Change Healthcare case made that property publicly visible.
The affiliate's re-monetization through RansomHub illustrated the broader operator-affiliate market dynamic. Affiliates are mobile across operators. The same actor can carry out intrusions on behalf of LockBit, ALPHV, RansomHub, Akira, BlackBasta, and other operators depending on which offers the best terms at the time. When one operator exits or is disrupted, the affiliates redistribute to other operators. The affiliate behind the Change Healthcare intrusion moved to RansomHub in early 2024 along with other ALPHV-affiliated actors. RansomHub's emergence as a top-tier ransomware-as-a-service operator in 2024 was driven in part by this post-ALPHV affiliate migration.
Impact and consequences
Patient-data scope expanded substantially through 2024 and into 2025. UHG's 2024 reporting to HHS OCR put the affected count at approximately 100 million individuals; the January 2025 update raised it to approximately 190 million, making the Change Healthcare incident the largest healthcare data breach in US history. The expansion reflected ongoing forensic work to identify which specific patient records were in the exfiltrated data, not a separate additional intrusion.
The dual-extortion timeline produced a separate set of consequences beyond the patient-data scope. The fact that UHG paid $22 million and still had the data leaked through RansomHub became a reference case in the industry-wide ransom-payment policy debate. Public-policy debate through 2024 over whether ransom payment should be restricted by federal regulation cited the Change Healthcare case directly. The argument that paying ransoms does not reliably produce the negotiated outcome was operationally demonstrated, beyond theoretical concerns. The argument that not paying produces worse outcomes for victims is also valid, but the Change Healthcare case complicated the cost-benefit case for payment.
Provider-side financial impact extended through 2024 and into 2025. Change Healthcare's pharmacy and claims processing systems were unavailable to providers for weeks, with partial restoration through March and April 2024 and ongoing service degradation through mid-2024. UHG had advanced more than $6.5 billion to affected providers by the time of Witty's May 1 testimony, a figure UHG's later updates put at roughly $9 billion, with repayment terms structured over an extended period. Provider-side cash flow impact during the downtime was severe for smaller pharmacies and physician practices that depend on Change Healthcare claims processing for revenue cycle operations.
Regulatory consequence was extensive. HHS Office for Civil Rights opened a HIPAA enforcement investigation. State attorneys general opened parallel investigations. Class action litigation was filed in the weeks following the breach disclosure and consolidated into multidistrict litigation. UHG's UnitedHealthcare insurance operations faced separate state insurance regulator scrutiny. Congressional oversight extended beyond the May 2024 testimony into ongoing committee work through 2024 and 2025. The Change Healthcare incident became the reference case in the FY2025 Office of the National Cyber Director priorities on healthcare-sector cybersecurity baseline-raising.
Indicators of Compromise
No network or host indicators for this incident have been published. The items below are the facts of record a defender can act on; cross-reference them against your own environment (in particular any externally reachable Citrix, VPN, or webmail portal that does not require MFA) before treating them as detection content.
- ALPHV/BlackCat affiliate initial access via a Citrix portal without multifactor authentication, per UHG CEO Andrew Witty's May 1, 2024 congressional testimony
- ALPHV operator exit scam, made public in early March 2024 by the affiliate's cybercrime-forum post that the operator had kept the full payment
- RansomHub leak-site posting in April 2024 reposting Change Healthcare data previously believed deleted per the ALPHV ransom payment
- UnitedHealth Group $22 million ransom payment confirmed in Witty's May 1, 2024 testimony before House and Senate committees
- Patient data including names, addresses, dates of birth, Social Security numbers, medical and treatment information, and payment data confirmed in the HHS OCR breach notification
- Approximately 190 million ultimately affected individuals per UHG's January 2025 OCR update, making this the largest US healthcare data breach to date
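As an added example, not code from the Decipher File or from UHG, the hunt that the Citrix finding above implies: scan an identity-provider sign-in export for successful single-factor logins to remote-access applications. The records below are constructed and follow the field names of the Microsoft Graph signIn resource (authenticationRequirement, appDisplayName, status.errorCode); the application names in REMOTE_ACCESS_APPS are assumptions for illustration, not Change Healthcare's.

```python
"""Hunt for successful single-factor sign-ins to remote-access portals.

Added example, not code from the Decipher File or from UHG. The sign-in
records are constructed; their field names follow the Microsoft Graph
signIn resource (authenticationRequirement, appDisplayName, status.errorCode).
The app names in REMOTE_ACCESS_APPS are assumptions for illustration.
"""
import json
from collections import defaultdict

# Constructed sample export (five sign-in events).
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2024-02-17T02:11:09Z", "userPrincipalName": "svc-remote@example.com",
     "appDisplayName": "Citrix Gateway", "ipAddress": "203.0.113.10",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-02-17T08:30:41Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Citrix Gateway", "ipAddress": "192.0.2.25",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-02-17T09:02:13Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "VPN Portal", "ipAddress": "198.51.100.7",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-02-17T09:15:00Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "192.0.2.30",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-02-18T03:47:52Z", "userPrincipalName": "svc-remote@example.com",
     "appDisplayName": "Citrix Gateway", "ipAddress": "198.51.100.7",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
])

# Assumption: the externally reachable identity surfaces in scope for the hunt.
REMOTE_ACCESS_APPS = {"citrix gateway", "vpn portal", "outlook web app"}


def load_signins(raw):
    """Parse a JSON array of sign-in records."""
    return json.loads(raw)


def single_factor_successes(records, remote_apps=REMOTE_ACCESS_APPS):
    """Return sign-ins that succeeded (errorCode 0), satisfied only a single
    factor, and targeted a remote-access app. Failed attempts are excluded:
    the point is to find sessions actually established without MFA."""
    hits = []
    for rec in records:
        if rec.get("status", {}).get("errorCode", 1) != 0:
            continue
        if rec.get("authenticationRequirement") != "singleFactorAuthentication":
            continue
        if rec.get("appDisplayName", "").lower() not in remote_apps:
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Group hits by (app, user) with a count and the set of source IPs, the
    shape an analyst needs to decide whether an account is a service identity
    that was never enrolled or a user whose session bypassed policy."""
    summary = defaultdict(lambda: {"count": 0, "ips": set()})
    for rec in hits:
        key = (rec["appDisplayName"], rec["userPrincipalName"])
        summary[key]["count"] += 1
        summary[key]["ips"].add(rec["ipAddress"])
    return dict(summary)


if __name__ == "__main__":
    found = single_factor_successes(load_signins(SAMPLE_SIGNINS))
    for (app, user), info in sorted(summarize(found).items()):
        print(f"{app}: {user} single-factor x{info['count']} from {sorted(info['ips'])}")
```

The Graph signIn authenticationRequirement field is what distinguishes a session that satisfied MFA from one that did not; the same hunt works against any identity provider that records which factors were satisfied, with only the field names changed. Service accounts that never enrolled in MFA, like svc-remote in the constructed data, are the usual finding.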
Lessons for defenders
Ransom payment does not guarantee data deletion, and the structural reason is the ransomware-as-a-service affiliate architecture. The operator can promise to delete the operator's copy of the data, but the affiliate's separate copy is not affected by an operator-side deletion. Build this fact into the ransom payment decision framework: payment can produce decryption keys reliably (when the operator delivers on the technical promise), and payment can produce operator-side deletion verification (when the operator delivers on the operational promise), but payment cannot reliably produce affiliate-side data deletion. Plan customer notification, regulatory disclosure, and downstream identity-monitoring as if the data will remain in criminal hands regardless of payment decision.
Affiliate-operator separation matters in negotiation strategy. Ransom negotiations with ransomware-as-a-service operators are with the operator brand, not with the affiliate who carried out the intrusion. The affiliate may have separate operational incentives, separate possession of the exfiltrated data, and separate willingness to honor or violate the operator's negotiated commitments. Incident response negotiators should understand the affiliate-operator dynamics of the specific RaaS brand involved, and how past operator shutdowns and disruptions have played out: ALPHV's exit scam, Conti's 2022 shutdown, and the February 2024 law-enforcement disruption of LockBit each scattered affiliates, and any victim data they held, to other brands. Mandiant, Recorded Future, and CrowdStrike publish detailed brand-by-brand operator and affiliate analysis.
Patient-data scope expansion through forensic review is the normal pattern, not the exception. Change Healthcare's affected individual count expanded from approximately 100 million reported in 2024 to approximately 190 million in January 2025. The expansion was forensic, not the result of additional intrusion events. Plan customer notification timing and regulatory disclosure cadence with the expectation that the affected individual count will grow as forensic review progresses. Multiple notification waves, with clear customer-facing communication about why the count is expanding, cause less trust friction than a single delayed notification.
Multifactor authentication on every public-facing identity surface is a structural control with measurable impact. The initial access vector at Change Healthcare was a Citrix portal without multifactor authentication. The same structural weakness was present in other major 2024 incidents, including the breaches of Snowflake customer tenants (AT&T's call-record exposure among them) that relied on stolen credentials for accounts without MFA. Audit every public-facing identity surface in your environment for MFA enforcement: VPN portals, Citrix and other remote desktop gateways, OWA and other email web access, SaaS administrator consoles, and equivalent surfaces. Enforcing MFA at the identity-provider level, rather than surface by surface, is the structural control, and the audit has to look at what the policy actually enforces, not just whether a policy exists.
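An added example of the identity-provider-level audit the paragraph recommends, not code from the Decipher File or from any vendor: evaluate a conditional access policy export against an inventory of public-facing apps and report every app that no enforced, all-user, MFA-requiring policy covers. The policy records are constructed and mirror the shape of the Microsoft Graph conditionalAccessPolicy resource; PUBLIC_SURFACES and the app and group identifiers are assumptions. It goes beyond the paragraph by handling two ways a policy can exist yet not enforce MFA: report-only state, and an OR grant where a compliant device satisfies the policy instead of MFA.

```python
"""Audit which public-facing apps are covered by an enforced, all-user MFA policy.

Added example, not code from the Decipher File or from any vendor. The policies
are constructed; their shape mirrors the Microsoft Graph conditionalAccessPolicy
resource (state, conditions.applications, conditions.users, grantControls).
The app IDs, group IDs and the PUBLIC_SURFACES inventory are assumptions.
"""
import json

# Assumption: inventory of externally reachable identity surfaces, keyed by app ID.
PUBLIC_SURFACES = {
    "app-citrix": "Citrix Gateway",
    "app-vpn": "VPN Portal",
    "app-owa": "Outlook Web App",
    "app-admin": "SaaS Admin Console",
}

# Constructed policy export. Only the first policy actually enforces MFA for everyone.
SAMPLE_POLICIES = json.dumps([
    {"displayName": "MFA for VPN", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["app-vpn"], "excludeApplications": []},
                    "users": {"includeUsers": ["All"], "includeGroups": [], "excludeGroups": ["grp-break-glass"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA for Citrix (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["app-citrix"], "excludeApplications": []},
                    "users": {"includeUsers": ["All"], "includeGroups": [], "excludeGroups": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA or compliant device, all apps", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": ["app-owa"]},
                    "users": {"includeUsers": ["All"], "includeGroups": [], "excludeGroups": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Admin console MFA, admins only", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["app-admin"], "excludeApplications": []},
                    "users": {"includeUsers": [], "includeGroups": ["grp-admins"], "excludeGroups": []}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa"]}},
])


def load_policies(raw):
    """Parse a JSON array of policy records."""
    return json.loads(raw)


def requires_mfa(grant):
    """True only if every grant path demands MFA. With operator OR, any one listed
    control satisfies the policy, so MFA is required only when it is the sole control."""
    if grant.get("authenticationStrength"):  # an authentication strength is always MFA-class
        return True
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        return False
    return grant.get("operator") == "AND" or len(controls) == 1


def covers_app(policy, app_id):
    """Does the policy's application scope include app_id (respecting exclusions)?"""
    apps = policy["conditions"]["applications"]
    if app_id in apps.get("excludeApplications", []):
        return False
    included = apps.get("includeApplications", [])
    return "All" in included or app_id in included


def covers_all_users(policy):
    """A policy scoped to a group leaves every other account, including service
    accounts, unprotected. Group exclusions are reported separately by audit()."""
    return "All" in policy["conditions"]["users"].get("includeUsers", [])


def audit(policies, surfaces=PUBLIC_SURFACES):
    """Return (gaps, carve_outs): gaps maps app_id -> reasons no enforced all-user
    MFA policy covers it; carve_outs maps app_id -> groups excluded from the
    policy that does cover it (break-glass accounts need a separate review)."""
    gaps, carve_outs = {}, {}
    for app_id in surfaces:
        reasons = []
        for p in policies:
            if not covers_app(p, app_id):
                continue
            if p.get("state") != "enabled":
                reasons.append(f"{p['displayName']}: not enforced (state={p['state']})")
            elif not requires_mfa(p.get("grantControls", {})):
                reasons.append(f"{p['displayName']}: MFA optional, OR with other controls")
            elif not covers_all_users(p):
                reasons.append(f"{p['displayName']}: scoped to a subset of users")
            else:
                excluded = p["conditions"]["users"].get("excludeGroups", [])
                if excluded:
                    carve_outs[app_id] = excluded
                break
        else:  # no policy satisfied every check
            gaps[app_id] = reasons or ["no policy targets this app"]
    return gaps, carve_outs


if __name__ == "__main__":
    gaps, carve_outs = audit(load_policies(SAMPLE_POLICIES))
    for app_id, reasons in gaps.items():
        print(f"GAP {PUBLIC_SURFACES[app_id]}: " + "; ".join(reasons))
    for app_id, groups in carve_outs.items():
        print(f"REVIEW {PUBLIC_SURFACES[app_id]}: excluded groups {groups}")
```

On the constructed data only the VPN portal passes, and even it carries a break-glass group exclusion worth a review. The Citrix gateway, the case that matters here, is "covered" by two policies and protected by neither: one is report-only and the other accepts a compliant device in place of MFA.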
Frequently asked questions
What was the Change Healthcare re-extortion in April 2024?
After UnitedHealth Group paid approximately $22 million to the ALPHV ransomware operator in late February 2024 in exchange for a promise to delete exfiltrated patient data, the ALPHV affiliate who actually carried out the intrusion did not receive a share of the ransom from the operator due to an ALPHV exit scam. The affiliate retained possession of the exfiltrated data and reposted it for sale in April 2024 through the RansomHub ransomware-as-a-service group. The first $22 million payment did not produce the negotiated outcome of data deletion, as confirmed by UHG CEO Andrew Witty in his May 1, 2024 congressional testimony.
Why did paying the ransom not work for Change Healthcare?
The ransomware-as-a-service architecture has a structural separation between the operator (the brand running the infrastructure, leak site, and negotiations) and the affiliate (the actor who actually broke into the victim and exfiltrated data). The ALPHV operator kept the full $22 million ransom rather than paying the affiliate their share, an exit-scam pattern. The affiliate retained its own copy of the exfiltrated data and was operationally incentivized to monetize it through a different channel since the affiliate had not been paid. The operator's promise to delete the data only affected the operator's copy, not the affiliate's separate copy.
How many people were affected by the Change Healthcare breach?
Per UnitedHealth Group's January 2025 HHS Office for Civil Rights update, approximately 190 million individuals were affected, making the Change Healthcare incident the largest healthcare data breach in US history. The affected individual count expanded substantially through 2024 and into 2025 as forensic review identified which specific patient records were in the exfiltrated data. UHG's 2024 reporting to OCR had put the figure at approximately 100 million before the January 2025 revision to 190 million.
Did UnitedHealth Group pay a second ransom?
UnitedHealth Group has not publicly confirmed whether a second ransom was paid to RansomHub following the April 2024 re-extortion attempt. UHG CEO Andrew Witty's May 1, 2024 congressional testimony confirmed the first $22 million payment to the ALPHV operator in February 2024 but did not address the RansomHub second-ransom question directly. The structural fact, regardless of any second payment, is that the patient data remained in criminal hands and was actively monetized through the RansomHub channel.
What is the ransomware-as-a-service operator-affiliate separation?
Ransomware-as-a-service operations have a structural separation between the operator (the brand running the infrastructure, leak site, victim negotiations, and cryptocurrency payment intake) and the affiliate (the actor who actually breaks into victims and performs encryption and exfiltration). The standard revenue split gives the affiliate the larger share, typically 70 to 90 percent, with the remainder going to the operator. The separation matters for ransom payment outcomes because the operator can only deliver on operator-side promises, not affiliate-side promises. The Change Healthcare case made this property publicly visible.
Who is RansomHub and how did they get Change Healthcare data?
RansomHub is a ransomware-as-a-service operator that emerged as a top-tier brand in 2024, driven in part by post-ALPHV affiliate migration after the ALPHV operator's late-February 2024 exit scam. The Change Healthcare data appeared on RansomHub's leak site in April 2024 because the affiliate who originally exfiltrated the data from Change Healthcare, having not been paid by ALPHV, moved to RansomHub and brought the data with them. The same RansomHub group was later attributed to the August 2024 Halliburton intrusion and multiple other 2024 ransomware incidents.
What can other organizations learn from the Change Healthcare re-extortion?
Ransom payment does not guarantee data deletion because the operator's promise only affects the operator's copy, not the affiliate's separate copy. Plan customer notification and downstream identity-monitoring as if the data will remain in criminal hands regardless of payment decision. Affiliate-operator dynamics matter in negotiation strategy. Patient-data scope expansion through forensic review is the normal pattern, and notification timing should account for multiple waves. Multifactor authentication on every public-facing identity surface is a structural control with measurable impact, as the absence of MFA on the Change Healthcare Citrix portal was the initial access vector.
Sources
- UnitedHealth Group CEO Andrew Witty Testimony to House Energy and Commerce Committee · May 1, 2024 testimony confirming the dual-extortion timeline and $22 million ransom payment
- UnitedHealth Group CEO Andrew Witty Testimony to Senate Finance Committee · May 1, 2024 Senate testimony covering the same dual-extortion timeline
- UnitedHealth Group Change Healthcare Cyber Response Updates · UHG's chronological public statements on the Change Healthcare cybersecurity event
- HHS Office for Civil Rights Breach Notification for Change Healthcare · HHS OCR breach disclosure with affected individual count expanding through 2024 and 2025
- Wall Street Journal: UnitedHealth Paid Ransomware Group $22 Million · WSJ reporting on the ransom payment and the subsequent RansomHub re-extortion
- Bloomberg: RansomHub Posts Change Healthcare Data Despite Ransom Payment · Bloomberg reporting on RansomHub's April 2024 leak-site posting of the Change Healthcare data
- Department of Health and Human Services Statement on Change Healthcare · HHS public statement on the federal response coordination and provider relief options