
Change Healthcare

A ransomware crew hit the clearinghouse that processes a third of US medical claims. Pharmacies, hospitals, and patients spent months in the resulting blackout.

Cyber Chronicle, 2 min read

In February 2024, a ransomware crew calling itself ALPHV / BlackCat encrypted the systems of Change Healthcare, a UnitedHealth subsidiary that sits at the center of US medical billing. Roughly one in three medical claims filed in the country passes through Change. When Change went down, a non-trivial fraction of American healthcare went into manual mode.

The pharmacy-counter consequences

For weeks, independent pharmacies could not process insurance claims and either advanced patients medicine on credit or turned them away. Small practices ran out of cash because they had no way to bill payers. Hospitals delayed elective procedures. The American Medical Association and the American Hospital Association sent open letters to the federal government asking for emergency financial backstops.

The intrusion itself was not technically novel. ALPHV / BlackCat had used a set of credentials for a remote-access service that lacked multi-factor authentication. The atypical part was the blast radius. A boring back-office function, when sufficiently consolidated, becomes a national choke point.

A payment, a double-cross, and a second extortion

UnitedHealth reportedly paid roughly twenty-two million dollars in Bitcoin. ALPHV's leadership appears to have then exit-scammed the affiliate who actually executed the breach, walking off with the ransom and leaving the affiliate with the still-unpublished data. The affiliate re-listed the data for sale under a separate brand, RansomHub, triggering a second extortion round.

What the chronicle remembers

Change Healthcare is what concentration risk looks like in the medical supply chain. It also exposed the limits of "we paid the ransom" as a closure event: in the modern affiliate model, paying one entity does not necessarily buy you silence from the next.