Lessons from the UHC Change Healthcare Breach



Combating Ransomware in the Healthcare Industry

The healthcare sector is increasingly finding itself in the crosshairs of cybercriminals, with ransomware attacks against it having almost doubled in the last year. The latest to fall victim is UnitedHealthcare’s (UHC) Change Healthcare. As one of the largest healthcare “clearinghouses,” UHC handles almost 15 billion health-related transactions annually. The attack disrupted billing, leaving doctors and hospitals unable to submit claims and blocking many patients from receiving necessary care. 

In this article, we explore the fallout from the UHC breach and look into how such attacks can be thwarted to prevent your organization from becoming a healthcare statistic. 

What is the UHC Change Healthcare Breach?

The UHC Change Healthcare breach is one of the most recent ransomware incidents to disrupt healthcare services across the United States, delaying critical medical processes by halting operations. As with many ransomware attacks, the damage extends beyond attackers blocking access to files: in this case, the criminals claim to hold millions of records that were stolen in the same intrusion that encrypted them. 

This is no surprise, as BlackCat/AlphV claimed responsibility through its Ransomware-as-a-Service (RaaS) program. The group has been linked to numerous attacks, including those on LoanDepot and Prudential. While this attack targeted UHC Change Healthcare, it is part of a larger problem of ransomware targeting businesses of every size. 

Similar to other large attacks, the UHC Change Healthcare cyberattack was not wrapped up in a day but unfolded over several key dates and milestones:

  • February 21, 2024: The cyberattack on Change Healthcare is first detected, marking the beginning of a complex crisis.
  • February 27: UnitedHealth Group reports that 90% of Change Healthcare’s pharmacy clients have implemented workarounds for claims processing, a testament to the rapid response and adaptability of the organizations affected by the disruption.
  • March 1: UnitedHealth Group announces an updated timeline for restoring essential services, reflecting ongoing efforts to mitigate the breach’s impact.
  • March 5-6: Legal actions are initiated against UnitedHealth Group and Change Healthcare while valuable recommendations and resources for managing the attack’s impacts are disseminated.
  • March 8: The American Hospital Association reacts to UnitedHealth Group’s plans for recovery, a critical moment in the broader industry response.
  • March 9: CMS steps in with payment relief for Medicare providers, highlighting the government’s role in stabilizing the situation.
  • March 10: HHS and the Department of Labor issue a letter urging commercial payers to support financially strained providers, emphasizing the collective effort required to address the crisis.

A Ransom Paid – Kind Of

The UHC attack is a prime demonstration of why paying a ransom is inherently risky. In this case, the $22 million ransom payment did not guarantee recovery: the attackers who carried out the intrusion as part of BlackCat’s Ransomware-as-a-Service operation were double-crossed by the BlackCat group itself, which took the money and left UHC without its data and the attackers without their share of the ransom. Those attackers still hold the data and still want the money they demanded, leaving UHC in a financial pickle. 

However this plays out, it’s a no-win scenario for UHC. If it pays again, it will be out another $22 million with no guarantee of resolution, and the attackers may keep a copy of the data and come back weeks or years later to demand more. This is why CISA strongly recommends that companies affected by ransomware deal with the fallout rather than pay the ransom. When companies stop paying, the attacks become less profitable, which helps deter future attacks. 

The Long-term Problems of a Healthcare Cyberattack

Even after UHC gets its data back from the attackers, it will face long-term compliance issues. Based on initial estimates of the patient data compromised, there will undoubtedly be substantial HIPAA fallout, which may include massive fines and a mandatory corrective action program designed to prevent a repeat. 

With millions of records estimated to be affected, data belonging to EU and California residents was probably included in the breach, so UHC will also have to contend with GDPR and CCPA penalties, especially if the investigation finds that the root cause involved negligence on UHC’s part. That finding will determine just how large the financial penalties may be. 

How to Stop Ransomware In Its Tracks

Disasters like this do not have to be the norm in healthcare or any other business vertical. Ransomware can be stopped with a combination of Antivirus (AV) and Content Disarm and Reconstruction (CDR) technologies. AV has a long track record of quickly and efficiently eliminating known malware, making it a solid first line of defense. 

Many advanced ransomware groups, such as BlackCat, modify their ransomware so that each attack differs from known signatures (effectively a zero-day), which makes AV on its own insufficient. CDR overcomes this problem by not relying on detection at all. As CDR ingests a file, it breaks it into its components and rebuilds it from only known-safe ones, discarding anything else in the process. Even zero-day or unique threats are therefore purged well before an AV signature for them exists. 
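As an added illustration that is not part of the original post or Votiro’s product, the Python sketch below puts a signature check beside a CDR-style rebuild over a constructed, illustrative document format (a list of typed parts; nothing here parses a real Office or PDF file). The part names, the toy image layout, and the “known bad” hash list are all assumptions made for the example. The point it shows is the one in the paragraph above: the scanner misses the modified macro because its hash is new, while the rebuild never copies the macro at all because macros are not on the allowlist.

```python
"""Toy Content Disarm and Reconstruction (CDR) next to a signature scanner.

Illustrative document format (constructed for this example): a Document is a
list of typed Parts such as "text", "image", "macro" or "ole_object".
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Part:
    kind: str        # component type, e.g. "text", "image", "macro"
    payload: bytes   # raw bytes of the component


@dataclass
class Document:
    parts: list


# --- 1. Signature-based scanning (stand-in for AV) --------------------------
# Constructed "known bad" list: the hash of one macro variant seen before.
KNOWN_BAD_HASHES = {hashlib.sha256(b"AutoOpen: variant-1").hexdigest()}


def av_scan(doc):
    """Return True if any part's hash is on the known-bad list."""
    return any(hashlib.sha256(p.payload).hexdigest() in KNOWN_BAD_HASHES
               for p in doc.parts)


# --- 2. CDR: rebuild from allowlisted component types only ------------------
SAFE_KINDS = {"text", "image"}


def _rebuild_text(payload):
    """Copy text as printable characters only; control bytes and anything
    that is not valid UTF-8 do not make it into the rebuilt part."""
    text = payload.decode("utf-8", errors="replace")
    return "".join(ch for ch in text
                   if ch.isprintable() or ch in "\t\n\r").encode("utf-8")


def _rebuild_image(payload):
    """Toy image: b'IMG1' + width + height + width*height pixel bytes.
    Re-encoding copies exactly the declared pixels, so data appended after
    the image body (a common hiding place) does not survive. Malformed or
    truncated images are not rebuilt at all."""
    if len(payload) < 6 or payload[:4] != b"IMG1":
        return None
    w, h = payload[4], payload[5]
    pixels = payload[6:6 + w * h]
    if len(pixels) != w * h:
        return None
    return b"IMG1" + bytes([w, h]) + pixels


def cdr_rebuild(doc):
    """Return (clean_document, dropped_kinds). Components are never inspected
    for malice; anything outside SAFE_KINDS is simply not copied."""
    clean, dropped = [], []
    for p in doc.parts:
        if p.kind == "text":
            clean.append(Part("text", _rebuild_text(p.payload)))
        elif p.kind == "image":
            img = _rebuild_image(p.payload)
            if img is None:
                dropped.append("image(malformed)")
            else:
                clean.append(Part("image", img))
        else:
            dropped.append(p.kind)
    return Document(clean), dropped


# --- Constructed sample document --------------------------------------------
def sample_document(macro_variant):
    """A 2x2 toy image with a trailing blob, text with control bytes,
    a macro (variant supplied by the caller) and an embedded object."""
    image = b"IMG1" + bytes([2, 2]) + b"\x10\x20\x30\x40" + b"TRAILING-BLOB"
    return Document([
        Part("text", "Patient letter\x00\x07 draft".encode("utf-8")),
        Part("image", image),
        Part("macro", macro_variant),
        Part("ole_object", b"embedded-object-bytes"),
    ])


if __name__ == "__main__":
    seen = sample_document(b"AutoOpen: variant-1")
    modified = sample_document(b"AutoOpen: variant-2")
    print("AV catches known variant:   ", av_scan(seen))
    print("AV catches modified variant:", av_scan(modified))
    clean, dropped = cdr_rebuild(modified)
    print("CDR kept:", [p.kind for p in clean.parts], "dropped:", dropped)
```

Run it directly to see the contrast: the scanner reports True for the first document and False for the second, while the rebuild of the second keeps only the text and the re-encoded image (the trailing blob gone) and reports the macro and embedded object as dropped.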

To create a holistic defense against ransomware, an additional layer is necessary in case malicious code makes it through AV and CDR. As the UHC case shows, ransomware goes beyond encryption and becomes a data theft scenario. Data Detection and Response (DDR) technologies combat this by continuously monitoring data patterns within the network and identifying unusual behavior that might indicate a breach or ransomware activity. Advanced DDR detects these anomalies in data in motion as they happen, enabling a swift response and preventing the exposure and exfiltration of sensitive healthcare data, including PHI, PCI, and PII. 
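An added example, not the post’s or Votiro’s code, of the DDR idea in miniature: constructed transfer-log events are classified for PHI, PII and PCI patterns and compared against a per-user baseline of transfer sizes and destinations, and an alert requires both a sensitive-data hit and a deviation from the baseline. The usernames, hostnames, sample content and the pattern set are all invented for the example; a real DDR product would use far richer classifiers and behavioral models than a few regular expressions and a median.

```python
"""Toy Data Detection and Response (DDR) over constructed transfer events.

Every outbound transfer gets two questions: does the content sample carry
sensitive healthcare data (PHI / PII / PCI patterns), and does the transfer
deviate from the sender's baseline (unseen destination or unusual volume)?
An alert requires both, so routine claims traffic does not page anyone.
All events, users and hosts below are constructed for this example.
"""
import re
import statistics
from collections import defaultdict

# Content classification patterns (a starting point only; production
# classifiers add dictionaries, validators and surrounding context).
MRN_RE = re.compile(r"\bMRN[:# ]\s*\d{6,10}\b")        # medical record number -> PHI
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")           # US SSN -> PII
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")   # e-mail address -> PII
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")         # card-number candidate -> PCI


def luhn_ok(digits):
    """Luhn checksum; filters out 13-16 digit runs that are not card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(sample):
    """Return the set of sensitive-data categories found in a content sample."""
    cats = set()
    if MRN_RE.search(sample):
        cats.add("PHI")
    if SSN_RE.search(sample) or EMAIL_RE.search(sample):
        cats.add("PII")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(sample)):
        cats.add("PCI")
    return cats


def build_baseline(history):
    """Per-user median transfer size and the set of destinations already seen."""
    sizes, dests = defaultdict(list), defaultdict(set)
    for ev in history:
        sizes[ev["user"]].append(ev["bytes"])
        dests[ev["user"]].add(ev["dest"])
    return {u: {"median_bytes": statistics.median(sizes[u]), "dests": dests[u]}
            for u in sizes}


def detect(events, baseline, volume_factor=5):
    """Alert on transfers that carry sensitive data AND deviate from baseline."""
    alerts = []
    for ev in events:
        cats = classify(ev["sample"])
        if not cats:
            continue  # nothing sensitive in the sample: no alert regardless of volume
        base = baseline.get(ev["user"])
        reasons = []
        if base is None:
            reasons.append("no baseline for user")
        else:
            if ev["dest"] not in base["dests"]:
                reasons.append(f"new destination {ev['dest']}")
            if ev["bytes"] > volume_factor * base["median_bytes"]:
                reasons.append(f"{ev['bytes']} bytes exceeds {volume_factor}x median "
                               f"({base['median_bytes']})")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"],
                           "categories": sorted(cats), "reasons": reasons})
    return alerts


# Constructed baseline window: routine claims traffic and ordinary e-mail.
HISTORY = [
    {"ts": "d1", "user": "claims-svc", "dest": "clearinghouse.example", "bytes": 40000,
     "sample": "MRN: 00123456 claim batch"},
    {"ts": "d2", "user": "claims-svc", "dest": "clearinghouse.example", "bytes": 38000,
     "sample": "MRN: 00123457 claim batch"},
    {"ts": "d3", "user": "claims-svc", "dest": "clearinghouse.example", "bytes": 42000,
     "sample": "MRN: 00123458 claim batch"},
    {"ts": "d1", "user": "jdoe", "dest": "mail.example", "bytes": 2000,
     "sample": "agenda for call with bob@example.com"},
    {"ts": "d2", "user": "jdoe", "dest": "mail.example", "bytes": 1800,
     "sample": "notes from standup"},
    {"ts": "d3", "user": "jdoe", "dest": "mail.example", "bytes": 2200,
     "sample": "reply to alice@example.com"},
]

# Constructed events under monitoring: one routine, one benign, one suspicious
# bulk transfer of mixed record types, one sender with no history at all.
EVENTS = [
    {"ts": "d4", "user": "claims-svc", "dest": "clearinghouse.example", "bytes": 45000,
     "sample": "MRN: 00123459 claim batch"},
    {"ts": "d4", "user": "jdoe", "dest": "mail.example", "bytes": 1500,
     "sample": "meeting notes for Tuesday"},
    {"ts": "d4", "user": "jdoe", "dest": "files.unknown-host.example", "bytes": 900000,
     "sample": "SSN 123-45-6789 MRN: 00123456 card 4111 1111 1111 1111 jane@example.com"},
    {"ts": "d4", "user": "svc-backup", "dest": "backup.example", "bytes": 5000000,
     "sample": "MRN: 00999999 nightly export"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS, build_baseline(HISTORY)):
        print(alert)
```

Two alerts come out: the bulk transfer by jdoe (new destination and volume far above the user’s median, carrying PHI, PII and PCI) and the unknown service account, flagged because it has no baseline at all. The routine claims batch carries PHI but matches its baseline, so it is correctly left alone; that pairing of content classification with behavioral context is what keeps a DDR feed from drowning in true-but-useless hits.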

Votiro Helps Healthcare Providers Avoid a Ransomware Disaster

Votiro’s platform merges Zero Trust Content Security with DDR, providing a holistic approach to digital threat protection. It proactively guards against file-based threats and ensures real-time compliance with privacy standards, offering critical insights from data analysis. This makes Votiro a trusted choice for global organizations seeking to safeguard their teams, customers, and reputation from various digital risks.

Votiro’s approach is an all-encompassing strategy that’s adept at neutralizing malware, monitoring sensitive data, and defending against real-time security and privacy risks. Votiro is designed to proactively identify and neutralize vulnerabilities, fortifying an organization’s security posture against potential exploits – like the all-too-common breaches discussed above.


To learn more about Votiro’s Data Detection and Response capabilities, sign up for a one-on-one demo of the platform or try it free for 30 days and see how Votiro can proactively defend your data’s security and privacy – and keep you safe from ransomware.
