Cost of Attack Has Reached $3.1 Billion for Parent Company UnitedHealth Group

The tally of Change Healthcare breach victims has nearly doubled, significantly increasing the magnitude of what was already one of the largest data breaches of 2024.
Change Healthcare owner and health insurance giant UnitedHealth Group said that the February 2024 attack, perpetrated by a ransomware group, exposed protected health information pertaining to 190 million Americans.
The revised tally is an increase of 90 million individuals from the 100 million that Minnesota-based UHG reported last July to federal regulators.
Even before the revised breach count, the attack against Change Healthcare, which is one of the country’s biggest healthcare payment processing companies, already ranked as the worst healthcare data breach of 2024. The attack exposed patients’ protected health information and caused mass healthcare disruption, affecting scores of healthcare providers, health insurance plans and other organizations. “Providers could not verify patients’ insurance, could not get paid, and both patient care and the financial stability of hospitals and clinics were diminished,” Mike Hamilton, field CISO at security firm Lumifi, recently told Information Security Media Group (see: How Healthcare Cyberattacks Broke Records in 2024).
Last October, UnitedHealth Group told investors that the cost tied to the attack reached $2.5 billion and would likely hit $2.9 billion for the fiscal year.
In fact, the 2024 cost tied to the breach reached $3.1 billion, the company announced Jan. 16 when it released its full-year financial results.
The breach succeeded in part because the organization failed to use robust security controls, including multifactor authentication, to lock down remote access. Security experts said that had MFA been in place, it may well have blocked the attack outright. Numerous other breaches last year were also traced to attackers stealing or reusing stolen credentials to gain remote access to systems unprotected by MFA (see: Don’t Get Schooled: Lessons From PowerSchool’s Big Breach).
The attack against Change Healthcare appeared to be perpetrated by a Western affiliate of the Russian ransomware group ALPHV, aka BlackCat, who appears to be part of a loosely knit cybercrime collective tracked as “Scattered Spider,” which grew out of an online cybercrime community known as The Com. Scattered Spider has a reputation for being made up of native English speakers proficient at social engineering attacks, including tricking help desks (see: Will Arrests Squash Scattered Spider’s Cybercrime Assault?).
After UnitedHealth reportedly paid a cryptocurrency ransom worth $22 million to ALPHV in exchange for a promise to delete the stolen Change Healthcare data, ALPHV appears to have run an exit scam, faking its disruption by law enforcement, so the group’s leadership could keep the entirety of the ransom, rather than share it with the affiliate. Agreements vary by group and individual affiliate, but ransomware-as-a-service groups send 70% to 90% of every ransom paid back to the affiliate who perpetrated the attack.
In response, the affiliate said he was taking his copy of the stolen Change Healthcare patient data to another ransomware group – a newcomer called RansomHub – and once again began shaking down the company. The healthcare insurance giant has repeatedly declined to state whether or not it paid a second ransom.
UnitedHealth faces scores of proposed class action lawsuits filed over the attack and breach, plus at least one lawsuit – so far – filed by a state attorney general.