Risk register · entry
Q3 · EngineeredChange Healthcare ransomware
One server without MFA froze billing for half of US healthcare.
Tightly coupled systems where one small fault cascades and takes down the whole machine.
Why this room
The trigger was a single low-complexity technical gap, no MFA on one remote-access account, so the payoff structure started simple and mechanical, textbook Q3 Engineered; the tail only turned fat and fraud-shaped once a double-crossed affiliate and a second gang added deliberate deception and repeat extortion on top of the original systems failure.
The record
- Initial intrusion date: February 12, 2024, via a Citrix portal without MFAcertain
- Breach detected / network shut down: February 21, 2024certain
- Ransom paid: approximately $22 million, March 3, 2024certain
- RansomHub second extortion attempt: April 15, 2024likely
- Individuals notified: ~100 million (Oct 2024) growing to ~190 million (Jan 2025) and ~192.7 million (Jul 2025)certain
- Total 2024 UnitedHealth cost from the attack: approximately $2.87 billionlikely
- Attackers attributed to ALPHV/BlackCat, later RansomHubcertain
- Comparison: prior largest healthcare breach, Anthem 2015, 78.8 million recordscertain
Sources
The book
This entry is one of 111 in the register. The full story, and what it cost the people who lived it, is in Risky Business by Claudia Zeisberger, David Munro and Joanna Reijgersberg-Siew.
Join the waiting list