CyberSecure

FOR LOCAL UNIONS

Inside the Breach That Crippled a Healthcare Giant and Left Union Funds Holding the Bag

Tim New
Secure Unions Founder/CEO

When Change Healthcare, a back-end processor responsible for more than 15 billion healthcare transactions annually, went offline in February 2024, the disruption was immediate and widespread. Pharmacies couldn’t confirm eligibility. Claims stopped mid-stream. Payments were suspended indefinitely. But this wasn’t a technical glitch, or a system upgrade gone wrong. It was a deliberate ransomware attack.

The threat actors behind the attack, organized cybercriminal syndicate ALPHV/BlackCat, used stolen credentials to access a Citrix remote access portal that lacked even the most basic cybersecurity control: multifactor authentication (MFA). That single vulnerability was the digital equivalent of leaving a back door propped open with a brick. Once inside, the attackers quietly navigated Change Healthcare’s internal systems for nine full days, harvesting data and laying the groundwork to paralyze operations.

By the time the ransomware payload detonated on February 21, more than six terabytes of data, including protected health information (PHI) and personally identifiable information (PII), had already been exfiltrated.

At the heart of the breach was a breakdown in change management. Change Healthcare was acquired by UnitedHealth Group (UHG) in 2022 and was still undergoing integration into UHG’s infrastructure at the time of the attack. According to sworn congressional testimony by UHG CEO Andrew Witty, the Citrix system exploited in the attack had not yet been updated to UHG’s security standards, including MFA requirements. That delay proved catastrophic.

In the days following the breach, it became clear the attack was a calculated act of cyber extortion. UHG reportedly paid a $22 million ransom in Bitcoin to the attackers in an attempt to restore operations and limit further exposure of stolen data. That wasn't the end of the story.

In April 2024, a second criminal group, possibly linked to ALPHV or one of its affiliates, claimed to have retained additional stolen data and issued a fresh extortion demand. While UnitedHealth has not confirmed a second payment, the mere existence of another threat underlines how difficult it is to regain control once a breach has occurred, and how easily threat actors can replicate, share, or resell compromised data.

The Fallout for Union Funds

Union offices that relied directly on Change Healthcare systems, or used third-party administrators and processors that did, found themselves in the dark. Claims submissions halted. Reimbursement checks didn’t go out. Pharmacy benefit systems froze. Fund liquidity was impacted as cash-flow planning collapsed.

Perhaps more troubling than the disruption itself was the communication vacuum that followed. Many fund administrators said they were never contacted by Change Healthcare or UnitedHealth directly. Instead, they discovered the outage the same way participants did, when systems failed. For some, the only “official” word came days later, filtered through downstream vendors.

The timing couldn’t have been worse. In recent years, fund administrators have faced increasing pressure to comply with Department of Labor (DOL) cybersecurity best practices, particularly around third-party risk management and data protection. This breach exposed not just a vendor’s failure, but a governance blind spot that now sits squarely in the crosshairs of fiduciary responsibility.


UnitedHealth Was a Victim, Too

To be clear: UnitedHealth Group was a victim of a highly coordinated criminal attack. After discovering the intrusion, UHG immediately retained multiple industry-leading cybersecurity and incident response firms, initiated a full-scale system rebuild, and worked with regulators, law enforcement, and government agencies. MFA was promptly enforced across remaining unsecured systems, and containment efforts prevented the breach from spreading beyond Change Healthcare’s network segment.

But good intentions don’t erase consequences. The integration delay that left Citrix without MFA was known. The gap between acquisition and full security alignment proved longer and more dangerous than anticipated. And while UHG’s internal response was swift, external communication lagged, leaving thousands of affected organizations struggling to understand what had happened and how to respond.

In the end, UnitedHealth may have paid the ransom. But union funds paid the price — in time, in trust, and in exposure they never agreed to.


Takeaways for Fund Fiduciaries

This was a governance failure as much as a cybersecurity lapse. Citrix without MFA, lack of DLP, zero detection for data exfiltration — all rooted in change management failure during an acquisition. But the responsibility doesn’t stop at the vendor’s doorway; once a vendor is compromised, you answer the phones.

Union funds must transform from passive service consumers into empowered guardians: 

  • Don’t just rely on vendor claims, ask for audits of their controls.
  • Embed MFA, DLP, EDR requirements into every agreement.
  • Run tabletop exercises that include vendor downtime scenarios.
  • Don’t wait when disruption lands. Track your losses, document your exposure, and engage legal counsel promptly.

What    |    How    |    When

Entry Point: Citrix

Citrix makes remote access software that lets offsite users reach internal systems as if they were onsite. It is widely used in healthcare and finance to centralize access to core systems. In this case, the Citrix portal didn’t require multifactor authentication (MFA). Once the cybercriminals held valid credentials (the page’s author suggests phishing or credential stuffing; UHG has not said how they were obtained), they simply logged in, and nothing flagged the login as unusual. Without MFA, a username and password were all it took.

Multifactor Authentication (MFA) Explained

MFA adds a second verification step beyond a username and password, such as a code from an authenticator app, a push prompt, a hardware key, or a biometric check. Even if a password is stolen, the attacker still has to defeat the second factor, which stops the large majority of credential-based intrusions; phishing-resistant options such as FIDO2 security keys also hold up against real-time phishing and “MFA fatigue” prompts, which weaker factors like SMS codes do not. It is one of the simplest and most effective cybersecurity controls available. In this case, Change Healthcare hadn’t yet enabled MFA on its Citrix systems.
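The following added example (written for this article, not code from Change Healthcare, UnitedHealth or Citrix) shows in runnable form why the missing second factor mattered. It implements a standard RFC 6238 time-based one-time password (TOTP) check and a toy login routine for a remote-access portal, then runs the same stolen password against two hypothetical portal configurations: one that only checks the password, and one that also enforces the TOTP code. The usernames, password and portal names are made up; the TOTP secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1, the default for most authenticator apps."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current time step plus/minus `window` steps of clock drift,
    comparing in constant time so the check itself leaks nothing."""
    if code is None:
        return False
    return any(hmac.compare_digest(totp(secret, unix_time + d * step, step, digits), str(code))
               for d in range(-window, window + 1))


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes


def make_user(password: str, totp_secret: bytes) -> User:
    """Store only a salted PBKDF2 hash of the password, never the password itself."""
    salt = os.urandom(16)
    return User(salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000), totp_secret)


@dataclass
class Portal:
    """Stand-in for a remote-access gateway (hypothetical). The only difference
    between the two instances below is whether the second factor is enforced."""
    mfa_required: bool
    users: dict


def login(portal: Portal, username: str, password: str, totp_code, now: int) -> str:
    user = portal.users.get(username)
    if user is None:
        return "denied:bad-password"           # same answer for unknown users: no account enumeration
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 200_000)
    if not hmac.compare_digest(candidate, user.pw_hash):
        return "denied:bad-password"
    if not portal.mfa_required:
        return "granted"                       # a stolen password alone is enough here
    if totp_code is None:
        return "denied:mfa-required"
    if not verify_totp(user.totp_secret, totp_code, now):
        return "denied:bad-totp"
    return "granted"


# Constructed demo data: the TOTP secret is the RFC 6238 test key, the
# account name and password are invented for this example.
DEMO_SECRET = b"12345678901234567890"
STOLEN_PASSWORD = "Winter2024!"
_users = {"svc_admin": make_user(STOLEN_PASSWORD, DEMO_SECRET)}
NO_MFA_PORTAL = Portal(mfa_required=False, users=_users)   # the Change Healthcare situation
MFA_PORTAL = Portal(mfa_required=True, users=_users)       # the corrected configuration

if __name__ == "__main__":
    now = 1_700_000_000
    print("no MFA, stolen password only:", login(NO_MFA_PORTAL, "svc_admin", STOLEN_PASSWORD, None, now))
    print("MFA, stolen password only:   ", login(MFA_PORTAL, "svc_admin", STOLEN_PASSWORD, None, now))
    print("MFA, password + live code:   ",
          login(MFA_PORTAL, "svc_admin", STOLEN_PASSWORD, totp(DEMO_SECRET, now), now))
```

The attacker in the first run never touches the authenticator and is in; in the second run the same credentials stop at `denied:mfa-required`. The drift window of one step is the usual trade-off between tolerating phone clock skew and shrinking the number of codes an attacker could guess.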

DLP: The Missing Layer That Let 6 TB of Data Walk Out the Door

Data Loss Prevention (DLP) tools monitor for suspicious data movements, such as someone copying large volumes of sensitive records to an external server. Had DLP been properly configured, or even basic monitoring of outbound traffic volume per host been in place, moving nearly six terabytes of PHI and PII out of the network over nine days could have triggered alerts, or the transfers could have been blocked outright. Encrypted or slow, steady transfers can slip past content inspection, which is why volume and destination monitoring matters as a second layer.
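As an added example (not code from the original article or from any vendor named in it), here is the kind of egress-volume detection logic that would sit beside content-inspecting DLP. It reads flow-log lines in a hypothetical `src= dst= dport= bytes_out=` format, ignores internal-to-internal traffic, and applies two rules: a burst rule (one host sending far more than its hourly baseline to one external address) and a sustained rule (cumulative bytes to one external destination crossing a threshold, which catches a low-and-slow transfer that never trips the burst rule). The log lines, hosts, baselines and thresholds are all constructed for the example; the external addresses use the reserved documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

MB = 1_000_000
GB = 1_000 * MB

# Internal ranges listed explicitly so the result does not depend on the
# Python version's ipaddress is_private/is_global tables.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical flow-log line format (constructed for this example):
#   <ISO-8601 UTC timestamp> src=<ip> dst=<ip> dport=<port> bytes_out=<n>
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<kv>.+)$")


def parse_line(line: str):
    """Return {'ts','src','dst','bytes_out'} for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {"ts": int(ts.timestamp()), "src": fields["src"],
                "dst": fields["dst"], "bytes_out": int(fields["bytes_out"])}
    except (KeyError, ValueError):
        return None


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_exfil(lines, baseline_bytes_per_hour, burst_multiplier=10,
                 burst_floor=200 * MB, sustained_threshold=1 * GB):
    """Bucket external egress per (src, dst, hour); flag bursts and sustained totals."""
    events = [e for e in map(parse_line, lines) if e and is_external(e["dst"])]
    hourly = defaultdict(int)
    for e in events:
        hour = e["ts"] - e["ts"] % 3600
        hourly[(e["src"], e["dst"], hour)] += e["bytes_out"]
    alerts, totals = [], defaultdict(int)
    for (src, dst, hour), n in sorted(hourly.items()):
        totals[(src, dst)] += n
        # burst: more than N times this host's normal hourly egress, with an absolute floor
        limit = max(burst_multiplier * baseline_bytes_per_hour.get(src, 0), burst_floor)
        if n > limit:
            alerts.append({"rule": "burst", "src": src, "dst": dst, "hour": hour, "bytes": n})
    for (src, dst), n in totals.items():
        # sustained: the total to one external destination over the whole window
        if n > sustained_threshold:
            alerts.append({"rule": "sustained", "src": src, "dst": dst, "bytes": n})
    return alerts


def summarize(alerts):
    """(rule, source host) pairs, deduplicated and sorted, for quick review."""
    return sorted({(a["rule"], a["src"]) for a in alerts})


# Constructed sample log (not real traffic). 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges standing in for external destinations.
SAMPLE_LOG = [
    "2024-02-13T09:05:00Z src=10.20.5.9 dst=198.51.100.7 dport=443 bytes_out=2000000",
    "2024-02-13T10:05:00Z src=10.20.5.9 dst=198.51.100.7 dport=443 bytes_out=2000000",
    "2024-02-13T11:05:00Z src=10.20.5.9 dst=198.51.100.7 dport=443 bytes_out=2000000",
    # large internal backup: stays inside the network, so it is ignored
    "2024-02-13T01:00:00Z src=10.20.5.3 dst=10.20.8.40 dport=445 bytes_out=5000000000",
    # one-hour burst from a single workstation
    "2024-02-13T03:40:00Z src=10.20.5.22 dst=203.0.113.45 dport=443 bytes_out=800000000",
    "this line is garbage and must be skipped",
]
# low-and-slow: 150 MB every hour for nine hours, never enough to trip the burst rule
SAMPLE_LOG += [f"2024-02-13T{h:02d}:10:00Z src=10.20.5.17 dst=203.0.113.45 dport=443 bytes_out={150 * MB}"
               for h in range(9)]

# Hypothetical per-host baselines, e.g. a 30-day median of hourly external egress
BASELINE = {"10.20.5.9": 5 * MB, "10.20.5.17": 5 * MB, "10.20.5.22": 5 * MB}

if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_LOG, BASELINE):
        print(alert)
```

Run against the sample, the burst rule fires on 10.20.5.22 and the sustained rule on 10.20.5.17, while the internal backup and the normal host produce nothing. In production the baseline would come from historical flow data and the alerts would feed a SIEM; the point of the second rule is that a nine-day exfiltration is visible in cumulative volume even when each hour looks unremarkable.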


Timeline of the Attack

  • February 12, 2024: Attackers access Change’s Citrix portal using stolen credentials (no MFA enabled on Citrix).
  • February 12–20, 2024: Intruders exfiltrate approximately six terabytes of sensitive health and identity data.
  • February 21, 2024: Ransomware is deployed across Change systems, disrupting claims, pharmacy transactions, and payments nationwide.
  • Late February – early March 2024: UnitedHealth Group reportedly pays the attackers a $22 million ransom in Bitcoin.
  • April 2024: A second extortion attempt emerges from a group claiming to hold additional stolen data.
  • July 2024 and beyond: UnitedHealth Group begins breach notifications; class action lawsuits are consolidated; federal investigations continue.

Should your fund be going after money?

If your fund experienced tangible harm (delayed claims, financial strain, member service issues), you should consider joining the multi-district litigation (MDL) class action lawsuit against Change Healthcare. Document your fund’s losses and additional expenses, and talk with your legal counsel about joining the Provider Track.

Take Action Now! 3 Steps for Fund Offices

1. Join the MDL (class action lawsuit)

If your fund had delayed reimbursements or claims processing, consult legal counsel about provider class inclusion.

2. Track restitution

For your team: monitor settlement updates — especially class certification and notice dates, as they can affect eligibility.

3. Press for fund-level compensation

Advocate for fund-specific compensation for administrative costs, participant complaints, and fiduciary risks, not just provider losses.


ALPHV/BlackCat, the Ransomware Kingpin: who they were, how they operated, and how the threat endures today.

Born from the ashes of infamous cybercrime syndicates
First observed in November 2021, ALPHV—also known as BlackCat or Noberus—emerged as a sophisticated Ransomware-as-a-Service (RaaS) platform written in Rust. Its operators allegedly include former members of DarkSide and REvil, and they offer affiliates up to 90% of the ransom payment, making it one of the most lucrative RaaS operations around.

A public extortion billboard
Where others hid in darknet forums, ALPHV went public. Affiliates would post victim data samples on an open web portal — or even mimic victim websites — to pressure targets into paying. This "double" or even "triple extortion" tactic (encrypt, expose data, threaten service disruption) typifies BlackCat’s aggression.

High-value targets
ALPHV has targeted hundreds of organizations globally, including MGM Resorts, Caesars, Reddit, and numerous healthcare institutions. In February 2024, it launched the devastating Change Healthcare attack, one of the largest U.S. healthcare breaches on record.


What Is RaaS? And who exactly are these “affiliates”?

Ransomware-as-a-Service (RaaS) is the cybercrime version of Third Party Administration. Instead of a single hacker doing everything — from writing the malware to negotiating the ransom — RaaS splits the process between different players, each with a specialty. It’s a business model that has industrialized extortion on a global scale.

Here's how it works:

The RaaS Platform Operators
These are the core developers. They write the ransomware code, maintain the infrastructure, and manage the encryption/decryption keys. Groups like ALPHV/BlackCat run these platforms. They don’t always carry out attacks themselves — they license their software to others.

The Affiliates
Affiliates are the “boots on the ground.” They gain access to victims — often through phishing, stolen credentials, or exploiting vulnerabilities — and then deploy the ransomware payload. In return, they split the ransom with the platform operator, usually keeping 60% to 90% of the payment.

Affiliates come from all over the world. Many are part of independent hacking crews or are ex-members of defunct groups like REvil or Conti. They don’t have to write code, just know how to break in and upload the payload.

What the RaaS Platform Provides:

  • The ransomware software
  • A control panel to track infections
  • Encryption/decryption key management
  • Payment portals on the dark web
  • Leak sites for public extortion pressure
  • Customer support for ransom victims

ALPHV even developed a searchable public leak site indexed on Google and offered an API to let affiliates automate pressure tactics, such as timed data leaks if payment deadlines weren’t met.

Let’s build something better - together.

The Department of Labor emphasizes the importance of cybersecurity for those responsible for plan-related IT systems and data.

Don't leave your cybersecurity to chance. Ensure best practices with a comprehensive solution tailored for unions.

Onsite Logic