← The Five Quadrants of Risk

Risk register · entry

Q3 · Engineered

Change Healthcare ransomware

One server without MFA froze billing for half of US healthcare.

Tightly coupled systems where one small fault cascades and takes down the whole machine.

Room
Q3 Engineered
Year
2024
Impact
190M records
Sector
Healthcare IT
Region
N. America
Category
Technological

Why this room

The trigger was a single low-complexity technical gap, no MFA on one remote-access account, so the payoff structure started simple and mechanical, textbook Q3 Engineered; the tail only turned fat and fraud-shaped once a double-crossed affiliate and a second gang added deliberate deception and repeat extortion on top of the original systems failure.

The record

  • Initial intrusion date: February 12, 2024, via a Citrix portal without MFAcertain
  • Breach detected / network shut down: February 21, 2024certain
  • Ransom paid: approximately $22 million, March 3, 2024certain
  • RansomHub second extortion attempt: April 15, 2024likely
  • Individuals notified: ~100 million (Oct 2024) growing to ~190 million (Jan 2025) and ~192.7 million (Jul 2025)certain
  • Total 2024 UnitedHealth cost from the attack: approximately $2.87 billionlikely
  • Attackers attributed to ALPHV/BlackCat, later RansomHubcertain
  • Comparison: prior largest healthcare breach, Anthem 2015, 78.8 million recordscertain

Sources

  1. Source
  2. Source
  3. Source
  4. Source

The book

This entry is one of 111 in the register. The full story, and what it cost the people who lived it, is in Risky Business by Claudia Zeisberger, David Munro and Joanna Reijgersberg-Siew.

Join the waiting list