Hack at UnitedHealth leaves 193 million people's data exposed

Change Healthcare, which provides tools for simplified transactions between health care providers and most major insurance companies, was attacked on February 21, 2024. The hack was carried out by the BlackCat group (also known as ALPHV) using ransomware. UnitedHealth immediately isolated Change Healthcare’s system after discovering the breach, but this caused widespread disruption, with providers losing access to policy verification, e-prescribing, and reimbursement systems.
According to CNBC, the attack hit small and medium-sized clinics hardest, since their income largely depends on insurance payments. Some of them, according to Health First Advisory, were losing more than $100 million a day. Experts warned of the risk of bankruptcies and mass closures if the recovery of systems took a long time.
The hackers gained access to sensitive data, including policyholder identification numbers, diagnoses, prescription and treatment information, Social Security numbers, and medical service codes. In addition to the risk of information theft, experts noted the danger of the data being tampered with, which could have catastrophic consequences for patient care.
UnitedHealth spent months after the attack negotiating with BlackCat and working to restore services. The company reportedly paid the hackers to speed up the restoration of its systems, but this has not been officially confirmed.
Experts emphasize that the incident became a “wake-up call” for the entire American healthcare system, demonstrating the vulnerability of its digital infrastructure.
In July 2025, media reports described at least three major cyberattacks on Russian healthcare operators and industry IT systems. The pharmacy chain Neo-Pharm (brands Neo-Pharm and Stolichki) and the private clinic Family Doctor (Alfa-Center Health chain) reported third-party interference. Then the Silent Crow Telegram channel, presumably belonging to the hacker group of the same name, reported receiving “full access” to the EMIAS network, which serves patients of state medical institutions in Moscow and the region.
The Vademecum material looks at how industry experts see the current level of cybersecurity in industry companies and what they propose to strengthen protection from external influences.