Cyber Incident Victim: Change Healthcare
Date: Feb 2024
Location: United States of America
Summary
Change Healthcare experienced a cyberattack attributed to likely nation-state actors, prompting immediate system disconnection to contain the incident. This caused widespread disruptions across U.S. healthcare services, particularly affecting pharmacies' ability to process insurance claims and prescriptions. The attack impacted critical infrastructure including pharmacy networks, medical claims processing, dental services, and revenue cycle management systems. While the organization's systems remained offline for an extended period, parent company UnitedHealth Group confirmed its Optum and UnitedHealthcare divisions were unaffected. The incident significantly impaired healthcare transactions and patient billing operations nationwide.
Description
The cyber incident impacting Change Healthcare began on February 21, 2024, with initial reports of enterprise-wide connectivity issues detected early in the morning on the U.S. East Coast. The company’s status page first acknowledged application unavailability at 2:15 AM EST, noting Optum was triaging the problem. By 6:10 AM EST, the issue escalated to a confirmed "network interruption related to a cyber security issue," prompting immediate containment actions. Change Healthcare disconnected its systems to prevent further spread of the threat, characterizing this as a protective measure for partners and patients. The disruption persisted throughout the day, with the company repeatedly extending its estimated duration in status updates published every few hours. By February 22, the incident was explicitly attributed to an "outside threat," though technical specifics about the attack vector, intrusion methods, or data compromise remained undisclosed. UnitedHealth Group, Change Healthcare’s parent company following a 2022 merger, later suggested the attack likely originated from nation-state actors but declined to identify specific groups or countries involved.

The cyberattack caused widespread operational disruptions across Change Healthcare’s critical healthcare infrastructure. Pharmacy systems were severely impacted, with Michigan-based Scheurer Health reporting an inability to process insurance-backed prescriptions due to the outage at what it described as "the largest prescription processor in North America." Multiple Change Healthcare services became inaccessible, including pharmacy claim processing (Rx Connect Solution, UPBS Claims Processing), medical claims automation tools, dental credentialing systems, patient billing platforms, and clinical document exchange networks. The company’s public login portals remained offline for an extended period. Over 30 distinct service categories were confirmed affected in status updates, spanning revenue cycle management, eligibility verification, and interoperability APIs. Despite the scale of the disruption, UnitedHealth Group maintained that Optum, UnitedHealthcare, and other subsidiary systems operated normally. Restoration efforts prioritized caution, with Change Healthcare emphasizing a multi-pronged recovery approach that avoided "shortcuts or additional risk." As of February 25, repeated status advisories indicated ongoing remediation work without confirming full service restoration. The incident highlighted Change Healthcare’s central role in U.S. healthcare transactions, given its annual processing of 15 billion healthcare transactions and involvement in one-third of U.S. patient records.
