2025 - Notable Breaches and Hacks Part 2
Ransom, Records, and Recovery: The UnitedHealth/Change Healthcare Cyberattack
The 2024–25 UnitedHealth / Change Healthcare ransomware attack became the largest U.S. healthcare data breach in history. Threat actors succeeded in disrupting claims processing and exposing nearly half the country’s medical records. Understanding who was hit, how the attack worked, and its downstream effects is essential for patients, providers, and policymakers. It is critical for cybersecurity professionals to analyze the tactics, techniques, and procedures used in this breach to strengthen defenses, anticipate evolving threats, and protect the integrity of healthcare systems. This incident highlights the need for proactive monitoring, rapid incident response, and resilient infrastructure to safeguard sensitive data against increasingly sophisticated adversaries.
Overview and Timeline
In February 2024 a ransomware group known as ALPHV, commonly known as BlackCat, infiltrated Change Healthcare, a UnitedHealth Group claims‑processing subsidiary. The infiltration triggered a cascade of outages that left health care providers unable to submit or receive claims and halted many administrative systems. The incident evolved into a massive data exfiltration and extortion campaign that continued to unfold through 2024 and into 2025, with reporting and analysis documenting both the operational disruption and a growing tally of exposed records.
ALPHV/BlackCat operates a Ransomware‑as‑a‑Service (RaaS) network: it is known for recruiting affiliates to gain initial access and carry out intrusions, while its core team of operators builds and provides the ransomware, the infrastructure, and the leak site. The group is known for combining encryption with large‑scale data exfiltration and extortion to maximize leverage over its victims.
Scale and Data Exposed
This attack quickly became the largest healthcare data breach in U.S. history, with Change Healthcare’s estimate of 192.7 million impacted individuals. Data stolen by ALPHV included both sensitive personal and medical information. The stolen data could easily be weaponized to fuel identity theft, medical fraud, and targeted phishing campaigns.
The Demand
It was reported that UnitedHealth faced payment demands from multiple criminal organizations, including both BlackCat/ALPHV and RansomHub, which complicated payment and negotiations. According to Andrew Witty, CEO of UnitedHealth Group, the company paid $22 million USD in order to secure decryption keys and enable the restoration of health care services and operations. UnitedHealth has gone on to state that, in addition to paying the ransom demand, it suffered $872 million in damages and recovery expenses.
Why This Matters for Cybersecurity Professionals
With nearly 192.7 million impacted individuals, this breach stands out as the largest healthcare data compromise in U.S. history, underscoring the immense scale of its impact. Cybersecurity professionals must carefully study the attack vectors, negotiation dynamics, and the involvement of multiple groups in order to strengthen defenses and prepare for future threats. At the same time, the breach raises significant policy implications, particularly around the controversial issue of paying ransoms. While ransom payments can restore operations quickly and minimize disruption, they also risk incentivizing attackers and offer no guarantee that the stolen data will be deleted. Professionals advising healthcare institutions must carefully balance incident response planning, resilience strategies, and regulatory compliance to ensure that organizations are both prepared for and protected against similar compromises in the future.
Lessons Learned and Next Steps
Organizations must prioritize implementing zero‑trust architectures, risk management, stronger incident response planning, and robust data‑loss prevention. Regulators should tighten oversight of critical infrastructure and the organizations that operate it. For individuals, monitoring financial and medical records and using identity‑protection services remain prudent steps after such breaches.