In February 2024, a ransomware group called ALPHV/BlackCat breached Change Healthcare, a subsidiary of UnitedHealth Group that processes roughly one in three US patient records. The attackers used stolen credentials — there was no multi-factor authentication on the targeted remote access portal — and deployed ransomware that took down Change Healthcare’s systems for weeks.
The downstream effects were unlike anything the US healthcare system had experienced. Hospitals could not verify insurance. Pharmacies could not fill prescriptions. Providers could not submit claims. Billions of dollars in medical reimbursements stopped flowing. Small practices, already operating on thin margins, faced existential cash flow crises. Some hospitals reportedly drew down emergency lines of credit just to make payroll.
UnitedHealth eventually paid a reported $22 million ransom to one ransomware group, and then — according to subsequent reporting — was extorted by a second group claiming to have the same data.
The final breach notification indicated that protected health information for approximately 100 million Americans was compromised, making it the largest healthcare data breach in US history by a substantial margin.
The Change Healthcare incident is not a story about a single company’s security failure. It is a story about what happens when critical healthcare infrastructure is concentrated in a single vendor without adequate resilience planning.