

A recent cyberattack against Change Healthcare, a subsidiary of UnitedHealth Group, underscores just how vital it is for organizations to be effective stewards of their clients’ sensitive data. While security experts must constantly keep ahead of cybercriminals’ evolving techniques, following some proven best practices can go a long way toward safeguarding critical systems. In the case of the UnitedHealth incident, the hackers used a stolen password to access a server that lacked multifactor authentication (MFA), a common second-step protection that requires users to enter a code sent to their phone or email when logging into systems containing sensitive data.

“This hack could have been stopped with cybersecurity 101,” Oregon Senator Ron Wyden stated during a congressional hearing investigating the incident. UnitedHealth CEO Andrew Witty told the investigators that the company was still trying to understand why MFA wasn’t enabled on the server in question.

Change Healthcare, the largest U.S. clearinghouse for medical payments, which processes billions of transactions each year and touches about one third of all U.S. patient records, was acquired by UnitedHealth in 2022. Witty stated that Change was “a relatively older company with older technologies, which we had been working to upgrade since the acquisition. But for some reason, which we continue to investigate, this particular server did not have MFA on it.” He further stated that all Change logins have now been updated to require MFA.

The incident was perpetrated by the Russia-based ransomware gang ALPHV, also known as BlackCat. The hackers infiltrated the Change Healthcare network on February 12 and had been accessing the Change systems for more than a week when the ransomware was detonated on February 21.

The attack has cost UnitedHealth dearly. Not only have they paid tens of millions of dollars in ransom, but they’ve also spent hundreds of millions in system restoration and assistance to affected providers, who have had difficulty in filling prescriptions and getting paid by insurers. Patients have also experienced problems getting prescriptions filled or procedures approved, and there has been widespread financial disruption to hospitals. The American Hospital Association called the attack “the most serious incident of its kind leveled against a U.S. health care organization.”

The UnitedHealth incident is not unique, however. The healthcare industry is a common target for ransomware attacks; the data is extremely valuable on the dark web, and the services are critical, so healthcare organizations are likely to pay the ransoms demanded. Also, the hackers who go after these organizations are part of a network that operates on a business model similar to that of their victims. A core group of developers creates “ransomware as a service” (RaaS), then supplies their tools to other groups of criminals in return for a percentage of the ransom received. This has led to increasingly sophisticated extortion methods—not only encrypting a victim’s sensitive data (essentially holding it hostage), but also stealing that data and threatening to publish it if the ransom is not paid. Therefore, it is incumbent on the healthcare industry—and any other industry that stores sensitive information—to put every effort into security and protection.
