
Change Healthcare Ransomware Attack: In-Depth Analysis


Brendon Rod

Chief Evangelist

Change Healthcare Cyberattack: BlackCat Ransomware Group’s Involvement


The sophisticated ransomware attack on Change Healthcare, a critical player in the U.S. healthcare system, orchestrated by the notorious BlackCat group, highlights the evolving landscape of cybersecurity threats.

This comprehensive analysis combines various insights to provide a detailed understanding of the incident, the group behind it, and the aftermath.

BlackCat Ransomware Group: Profile and Operations

  • Group Profile: Known as ALPHV in the cybercrime world, BlackCat has targeted a wide range of industries, including entertainment, hospitality, healthcare, and public services. Their ransomware-as-a-service (RaaS) model demonstrates a decentralized yet effective attack structure.
  • Modus Operandi: Employing double extortion tactics, BlackCat encrypts data and threatens to release it publicly unless a ransom is paid, putting immense pressure on victims.

BlackCat Ransomware Group: Profile and Previous Victims

  • Tactics: BlackCat typically utilizes methods like phishing, exploiting vulnerabilities, or using stolen credentials for initial access. They are known for their double extortion tactics.

Notable Previous Victims:

  • Industrial Companies: BlackCat has targeted various industries, significantly impacting operations and data security.
  • Public Services: Entities in public service sectors have also been victims, facing disruptions in public operations and data breaches.
  • Other Healthcare Organizations: Prior to Change Healthcare, BlackCat had attacked other healthcare entities, leading to significant data breaches and operational challenges.

Notable High-Profile Attacks

  • Corporate Breaches: BlackCat’s track record includes significant breaches of corporations like MGM Resorts and Caesars Entertainment, leading to major data breaches and disruptions.

The Change Healthcare Attack: A Modern Cyber Threat

  • Incident Overview: Initiated on February 21, the attack resulted in extensive disruptions within the U.S. healthcare system, severely affecting pharmacies and healthcare providers.
  • Impact on Services: The attack substantially hindered the ability of healthcare providers to process prescriptions and verify insurance, impacting patient care nationwide.

Impact on Healthcare Services:

  • Service Disruption: The attack caused widespread disruptions in processing prescriptions and other healthcare services across the United States. Pharmacies, hospitals, and healthcare providers reported significant challenges due to the systems being offline.

  • Military and Retail Pharmacy Effects: U.S. military health insurance provider Tricare reported global impacts, and retail pharmacies like CVS and Walgreens also experienced disruptions.

Response and Recovery Efforts by UnitedHealth Group

In response to the attack, UnitedHealth Group, the parent company of Change Healthcare, implemented a series of measures to mitigate the damage and restore services.

UnitedHealth Group’s Initiatives

  • Alternative Claim Processing Systems: UnitedHealth Group introduced alternative systems for claims processing to counter the operational disruptions caused by the attack.
  • Financial Assistance Programs: Financial support was extended to providers affected by the attack, aiming to alleviate the immediate financial burden and facilitate the continuity of healthcare services.

Additional Insights from Krebs on Security

Krebs on Security provides further color to the narrative:

  • Extortion and Fallout: Reports suggest Change Healthcare may have paid a substantial ransom to BlackCat. However, internal conflicts within BlackCat, particularly regarding the distribution of the ransom, led to further complications.
  • Implications of Internal Conflict: An affiliate’s complaint about being shortchanged on the ransom sparked a series of events, contributing to the group’s apparent shutdown.
  • Law Enforcement Actions: The FBI and international law enforcement played a crucial role, leading to the seizure of BlackCat’s website and disruption of their operations.


The BlackCat ransomware attack on Change Healthcare underscores the sophisticated and continuously evolving nature of cyber threats. This incident highlights the necessity for robust cybersecurity resilience measures, rapid response strategies, and a deep understanding of the cyber threat landscape. As BlackCat’s activities have shown, organizations must remain vigilant and proactive in their cybersecurity efforts to counter such advanced threats.



