change healthcare data breach

Hackers Claim 6 TB of Personal Data Stolen in Change Healthcare Breach

Updated: March 7, 2024, 10:35am

Consumers and pharmacies nationwide have been impacted with substantial disruptions to their care and the services they provide following a February 2024 cyberattack and ransomware demand on Change Healthcare, a technology based subsidiary of United HealthCare.

Change serves as an intermediary between health insurance companies, providers and patients, and claims on its website to be “a trusted partner for organizations committed to improving the healthcare system through technology.”  However, this attack has resulted in a nationwide outage of a network designed to communicate data between healthcare providers, including pharmacies, and insurance companies.

According to social media posts, payments to providers made through Change have been delayed, and patients have reportedly not been able to fill prescriptions or obtain other benefits.  According to at least one report, “Some pharmacies are requiring customers to pay full price for their prescriptions when they cannot tell if they are covered by insurance. In some cases, that means people are paying more than $1,000 out of pocket.”

The BlackCat / ALPHV ransomware gang has claimed responsibility for the cyber-attack. The hackers allege to have stolen 6 TB of personal medical data from the company’s network, affecting affecting the personal identifiable information (PII) of millions of consumers and patients, including active U.S. military personnel  as well as thousands of healthcare providers, insurance providers, and pharmacies.

The stolen data reportedly includes:

  • medical records
  • insurance records
  • dental records
  • payment and patient billing
  • insurance claims information

One of the partners of the hackers behind the cyberattack has reported that on March 1, 2024 a group known as AlphV or BlackCat received a $22 million transaction that looks very much like a large ransom payment. However, in an ominous sign of what’s to come, one of the cyber criminals reported “after receiving the payment ALPHV team decide to suspend our account… Sadly for Change Healthcare, their data [is] still with us.” The data they obtained may soon end up on the dark web.

See below for details about a class action investigation on behalf of victims.

The Change Healthcare attack was first detected on February 21, 2024. United HealthCare has listed more than 100 Change Healthcare services that were impacted by the attack, including benefits verification, claims submission, and prior authorization.

According to a filing by UnitedHealth with the Securities and Exchange Commission and its website, United HealthCare claims it has taken “immediate action to disconnect Change Healthcare’s systems to prevent further impact in the interest of protecting our partners and patients.”

According to a report by cyber intelligence firm RedSense, the attackers exploited two vulnerabilities in ConnectWise ScreenConnect, a remote access software used by Change Healthcare. The vulnerabilities (CVE-2024-1708 and CVE-2024-1709) allow remote code execution and privilege escalation on the affected systems.

Change Healthcare Hack Impacts Pharmacies and Consumers

Change Healthcare recently disclosed that:

“Since identifying the cyber incident, we have worked closely with customers and clients to ensure people have access to the medications and the care they need. We also continue to work closely with law enforcement and a number of third parties, including Mandiant and Palo Alto Networks, on this attack…. As we remediate, the most impacted partners are those who have disconnected from our systems and/or have not chosen to execute workarounds.”

The following is some of the impacts of the hack on different stakeholders:

  • Pharmacies: Many pharmacies have reported difficulties in processing claims, verifying insurance coverage, communicating prescriptions and receiving payments from Change Healthcare. Some pharmacies have resorted to workarounds such as writing down prescriptions or using offline systems, while others have suspended their services until the issue is resolved. According to UnitedHealth, more than 90% of the nation’s pharmacies have set up modified electronic claims processing workarounds, but this may still result in slower or inaccurate transactions.
  • Consumers: Many consumers have experienced delays or denials in getting their prescriptions filled due to the hack. Some consumers have had to pay out-of-pocket for their medications or switch to alternative drugs that may not be as effective or suitable for their conditions. Others have had to postpone or cancel their appointments or procedures that require prior authorization from Change Healthcare.
    • The hack may also pose a security risk for consumers’ personal and health information that may have been compromised by the attackers.
  • Healthcare providers: Many healthcare providers have also faced challenges in billing patients, filing claims, checking eligibility and receiving payments from Change Healthcare. The hack may affect their cash flow and operations, as well as their ability to provide quality care to their patients. The American Hospital Association said that some hospitals have had issues with discharging patients or making payroll due to the hack.

The cyberattack on Change Healthcare is the latest in a series of incidents that have targeted the healthcare sector in recent years. In 2023, more than 600 healthcare organizations reported data breaches involving more than 500 records each, affecting over 40 million individuals.

The most common causes of these breaches were ransomware attacks, phishing campaigns, and unauthorized access incidents.

Consumer Action in Light of Change Healthcare Data Breach

As a consumer, you may be wondering what you can do to protect yourself from the potential consequences of this breach. Here are some steps you can take:

  • Check your credit reports for any suspicious activity or fraudulent accounts. You can get a free copy of your credit report from each of the three major credit bureaus (Equifax, Experian, and TransUnion) once a year at
  • Monitor your bank statements and credit card bills for any unauthorized charges or transactions. If you notice any, report them to your financial institution immediately.
  • Be alert for any phishing emails or phone calls that claim to be from Change Healthcare or other entities related to the breach. Do not click on any links or attachments or provide any personal or financial information unless you are sure they are legitimate.
  • If you have received any medical services or prescriptions from Change Healthcare’s customers or partners in the past year, contact them to confirm if your information was affected by the breach. If so, ask them what steps they are taking to protect your data and what options they are offering you for identity theft protection or credit monitoring services.
  • Consider placing a fraud alert or a security freeze on your credit files. A fraud alert will notify potential creditors that you may be a victim of identity theft and require them to verify your identity before opening any new accounts in your name. A security freeze will prevent anyone from accessing your credit files without your permission. You can place a fraud alert or a security freeze by contacting each of the three major credit bureaus.

The cyberattack on Change Healthcare is a serious incident that may have long-term implications for the healthcare industry and consumers alike, particularly based on reports this data may soon end up on the dark web if conspirators in the attack aren’t paid. It is important to stay informed and vigilant about the situation and take appropriate measures to safeguard your personal and financial information.

Class Action Lawsuit Investigation

If you are concerned about this data breach and your legal options as part of a class action lawsuit investigation, please fill out the form below. There is no cost or obligation.

Did you receive a data breach notification letter?