In February 2024, Change Healthcare paid a $22 million ransom after an intrusion that took the country's largest claims and pharmacy clearinghouse offline and exposed the data of 100 million+ patients, roughly a third of all Americans (UnitedHealth later revised the count to about 190 million). Pharmacies couldn't verify prescriptions. Hospitals couldn't process insurance claims. Patients went without medications.
That event set a new floor for what a single healthcare breach can cost. Not a ceiling: a floor.
Why Healthcare is the #1 Ransomware Target
1. PHI is worth 10x credit card data or more. A stolen patient record sells for roughly $50–250 on criminal markets versus $1–5 for a credit card number, because it contains everything needed for medical identity fraud and, unlike a card, cannot be cancelled and reissued.
2. Downtime = life safety = faster ransom. Hospitals face immediate patient harm when systems go dark, which is exactly why attackers expect them to pay quickly. Healthcare has had the highest average breach cost of any industry for 14 years running in IBM's Cost of a Data Breach report ($9.77M per breach in the 2024 edition).
3. Fragmented vendor ecosystem. A single mid-sized hospital uses 50–300 third-party tools. One breach at a billing clearinghouse can cascade into a national hospital network, as Change Healthcare proved.
The 8 Cases
1. Change Healthcare / UnitedHealth Group (Feb 2024 — ALPHV/BlackCat)
- Attack vector: Compromised credentials used on a Citrix remote access portal that had no MFA (UnitedHealth CEO testimony to Congress, May 2024)
- Dwell time: ~9 days (initial access Feb 12, ransomware deployed Feb 21, per the same testimony)
- Ransom paid: $22M (WSJ, March 2024); ALPHV then cheated its own affiliate out of the payment, and a second group, RansomHub, later tried to extort UnitedHealth with the same stolen data
- Direct cost: $872M in cyberattack-related costs in Q1 2024 alone (UnitedHealth earnings release, April 2024)
- Records: 100M+ reported in 2024; revised to ~190M in January 2025
- Patient impact: Pharmacy claims and eligibility checks down for weeks nationwide; providers went unpaid while hospitals couldn't verify insurance eligibility
- Root cause: No MFA on remote access; attacker moved laterally and exfiltrated data for nine days without detection; lack of segmentation turned one clearinghouse outage into a national one
2. Ascension Health (May 2024 — Black Basta)
- Attack vector: An employee downloaded a malicious file believed to be legitimate (Ascension statement); this matches the phishing-led initial access described in the CISA/FBI/HHS #StopRansomware advisory on Black Basta (May 2024)
- Dwell time: Not disclosed by Ascension; the outage began May 8, 2024 (estimates of two to three weeks of pre-encryption access are unconfirmed)
- Cost: Estimated $200M+ (not separately disclosed by Ascension)
- Records: 5.6M individuals reported to HHS OCR (Dec 2024)
- Patient impact: 140 hospitals affected, ambulance diversions, paper charting, delayed procedures for weeks
- Root cause: Phishing defenses insufficient; no behavioral EDR caught the post-compromise tooling; poor network isolation let a single workstation compromise spread enterprise-wide
3. Anthem (Feb 2015 — Chinese state-affiliated)
- Attack vector: Spear-phishing email that harvested an employee's credentials (DOJ indictment of the operators, 2019)
- Dwell time: ~11 months (access from Feb 2014 until discovery in Jan 2015, per OCR's findings)
- Cost: $115M class-action settlement (2017) + $16M HHS OCR HIPAA settlement (2018, the largest at the time) + $39.5M multistate attorney general settlement (2020), plus Anthem's own response and remediation costs
- Records: 78.8M
- Patient impact: Largest healthcare breach at the time; years of litigation and credit monitoring
- Root cause (per OCR's findings): No enterprise-wide risk analysis; insufficient review of system activity; failure to identify and respond to the intrusion for months; inadequate access controls; sensitive data stored unencrypted
4. Universal Health Services (Sept 2020 — Ryuk)
- Attack vector: Phishing with malicious macro → Emotet → TrickBot → Ryuk deployed days later
- Dwell time: ~3 weeks
- Cost: $67M pre-tax impact for 2020 (UHS earnings disclosure, Feb 2021), mostly lost revenue and recovery
- Records: No PHI exfiltration reported; this was encryption-for-extortion, not data theft
- Patient impact: 400+ facilities offline, paper charts for weeks, diverted ambulances
- Root cause: Macros allowed to run from email attachments; no EDR to stop the Emotet/TrickBot stages; a flat network let Ryuk reach every facility
5. CommonSpirit Health (Oct 2022 — group not publicly attributed)
- Attack vector: Not publicly confirmed; CommonSpirit's notification says only that an unauthorized third party gained access to portions of its network. Vendor or integration access is suspected but has never been confirmed
- Dwell time: ~17 days (access between Sept 16 and Oct 3, 2022, per CommonSpirit's notification)
- Cost: ~$150M (CommonSpirit financial disclosure, Feb 2023); class action litigation followed
- Records: 623K reported to HHS (initial figure)
- Patient impact: Multi-week EHR outage across the system; appointment and treatment scheduling disrupted, including for oncology patients
- Root cause (as assessed here): Access across a 140-hospital system not segmented by affiliate; no mature third-party and affiliate access governance
6. Scripps Health (May 2021 — Ransomware, group not publicly attributed)
- Attack vector: Phishing → credential reuse → lateral movement → ransomware (reported; not confirmed by Scripps)
- Dwell time: ~3 weeks (reported)
- Cost: $112.7M ($91.6M lost revenue + $21.1M incident response and recovery; Scripps financial disclosure, Aug 2021. Scripps is a nonprofit and files no SEC reports), plus a $3.57M class-action settlement in 2023
- Records: 147,267
- Patient impact: 4-week outage across 5 hospitals; delayed appointments; a month of paper charting
- Root cause: No MFA on EHR-facing systems; no anomaly detection on account usage
7. HCA Healthcare (July 2023 — Data theft, no encryption)
- Attack vector: Data taken from an external storage location used exclusively to automate the formatting of patient email messages (HCA disclosure, July 2023); the set was then posted for sale on a criminal forum
- Dwell time: Not disclosed
- Cost: Litigation ongoing; HCA stated it did not expect a material impact on operations
- Records: ~11M patients (names, addresses, email, phone, DOB, gender, service dates, locations and next appointment dates; HCA stated no SSNs, clinical data or payment data were involved)
- Patient impact: Highly targeted phishing and fraud risk from personalized appointment data
- Root cause: Patient data copied to a peripheral system outside core security controls; no data minimization (an email-formatting job was given far more data than it needed)
8. Lurie Children's Hospital Chicago (Jan 2024 — Rhysida claimed responsibility)
- Attack vector: Not disclosed by Lurie; Rhysida's documented initial access is phishing and exposed remote services such as VPNs (CISA #StopRansomware advisory, Nov 2023)
- Dwell time: Not disclosed
- Cost: Estimated $25–50M+ (unconfirmed; Lurie is a $1B+ organization and the outage hit revenue directly)
- Records: 791,784 individuals notified (Lurie breach notification, 2024)
- Patient impact: Phones, email, MyChart and EHR access went down on Jan 31, 2024 and were restored progressively over the following weeks; pediatric oncology disrupted; ambulances diverted; surgical delays; national TV coverage. Rhysida put the stolen data up for auction
- Root cause (as assessed here): Inadequate phishing defense and network segmentation; no public evidence of early detection
Case Study Summary
| Case | Year | Group | Attack Vector | Dwell Time | Cost | Records |
|---|---|---|---|---|---|---|
| Change Healthcare | 2024 | ALPHV/BlackCat | Stolen creds, no MFA on Citrix | ~9 days | $872M (Q1 2024) | 100M+ (later ~190M) |
| Ascension Health | 2024 | Black Basta | Malicious download (phishing) | Not disclosed | Est $200M+ | 5.6M |
| Anthem | 2015 | Chinese state-affiliated | Spear phishing | ~11 months | $170M+ in settlements | 78.8M |
| UHS | 2020 | Ryuk | Phishing + Emotet/TrickBot | ~3 weeks | $67M | None reported |
| CommonSpirit | 2022 | Not attributed | Not disclosed | ~17 days | ~$150M | 623K |
| Scripps Health | 2021 | Not attributed | Phishing (reported) | ~3 weeks | $112.7M | 147K |
| HCA Healthcare | 2023 | Not attributed | Exposed external storage | Not disclosed | Litigation | 11M |
| Lurie Children's | 2024 | Rhysida (claimed) | Not disclosed | Not disclosed | Est $25–50M+ | ~792K |
12 Controls That Stop These Attacks
All mapped to NIST CSF 2.0 subcategories, HIPAA Security Rule standards, and HHS 405(d) Health Industry Cybersecurity Practices (HICP 2023) practice areas. The last column says "would have blunted" rather than "prevents": no single control stops a determined intrusion, but each one removes a step the attacker relied on in that case.
| # | Control | NIST CSF 2.0 | HIPAA Security Rule | HHS 405(d) HICP | Would have blunted |
|---|---|---|---|---|---|
| 1 | MFA on all remote access (VPN, VDI, RDP, email SSO) | PR.AA-03 | §164.312(d), §164.312(a)(2)(i) | Access Management | Change Healthcare, Anthem, Scripps |
| 2 | Email security: link sandboxing + anti-phishing | DE.CM-01 | §164.308(a)(5)(ii)(B) | Email Protection Systems | Ascension, UHS, Lurie Children's |
| 3 | EDR with behavioral analysis on all endpoints | DE.CM-09 | §164.312(b) | Endpoint Protection Systems | UHS, Ascension, every ransomware case |
| 4 | Network segmentation + least privilege | PR.IR-01, PR.AA-05 | §164.312(a)(1) | Network Management | Change Healthcare, CommonSpirit, UHS |
| 5 | Vulnerability patching (critical fixes on internet-facing systems within 24–48h) | PR.PS-02 | §164.308(a)(1)(ii)(B) | Vulnerability Management | Any case where exposed remote services were the way in |
| 6 | Data-at-rest and in-transit encryption | PR.DS-01, PR.DS-02 | §164.312(a)(2)(iv), §164.312(e)(2)(ii) | Data Protection and Loss Prevention | Anthem, HCA |
| 7 | Third-party vendor risk management + least-privilege vendor access | GV.SC-07, PR.AA-05 | §164.308(b)(1), §164.314(a) | Cybersecurity Oversight and Governance | CommonSpirit, HCA, every Change Healthcare customer |
| 8 | 24/7 security monitoring + incident response | DE.CM-01, DE.AE-02 | §164.308(a)(1)(ii)(D), §164.312(b) | Incident Response | Anthem (11 months), Change Healthcare (9 days) |
| 9 | Tested backups (offline or immutable), restore-tested quarterly | PR.DS-11 | §164.308(a)(7)(ii)(A) | Data Protection and Loss Prevention | All ransomware cases: removes the encryption leverage, though not the data-theft leverage |
| 10 | Quarterly phishing simulations + security awareness training | PR.AT-01 | §164.308(a)(5) | Cybersecurity Oversight and Governance | UHS, Ascension, Lurie Children's, Anthem |
| 11 | Application allowlisting + macro blocking | PR.PS-05 | §164.308(a)(5)(ii)(B) | Endpoint Protection Systems | UHS, Anthem |
| 12 | Incident response plan with ransomware-specific playbooks | RS.MA-01 | §164.308(a)(6) | Incident Response | All: faster response means faster recovery |
Action Items
7-Day
- Audit all remote access for MFA (VPN, VDI/Citrix, RDP gateways, email and cloud SSO, vendor portals); enable it immediately on any gap, and look specifically for service accounts and legacy protocols that bypass it
- Run a phishing simulation; measure click rate, credential submission rate and time-to-report, not just clicks
- Test backup recovery: restore a randomly chosen backup from the last 7 days to an isolated host and verify that the data is intact and the restore time is acceptable
- Block Office macros from internet-sourced files via Group Policy (Microsoft's default since 2022; confirm nobody has overridden it) and disable unused legacy scripting hosts
- Identify all third-party vendors with network or PHI access, including the exact accounts and network paths they use
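The MFA audit in the first item above, as an added example that is not from this page or from any vendor's tooling: it reads remote-access authentication events in an assumed JSON-lines schema (the field names ts, user, service, src_ip, result and mfa, and the sample events, are constructed for illustration) and reports the three things a 7-day audit should surface: logins that succeeded without MFA, MFA coverage per service, and a no-MFA success right after a burst of failures from the same address, which is the shape of the credential-driven access in the Change Healthcare case.

```python
"""Audit remote-access auth events for MFA gaps (added example, constructed data)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines events; no real accounts, hosts or addresses.
# The last event has no "mfa" field at all: a missing field is treated as
# "MFA not proven", never as a pass.
SAMPLE_EVENTS = """\
{"ts": "2024-02-10T02:14:05Z", "user": "svc-backup", "service": "citrix-gw", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-10T02:14:09Z", "user": "svc-backup", "service": "citrix-gw", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-10T02:14:15Z", "user": "svc-backup", "service": "citrix-gw", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-10T02:15:01Z", "user": "svc-backup", "service": "citrix-gw", "src_ip": "203.0.113.7", "result": "success", "mfa": false}
{"ts": "2024-02-10T08:00:00Z", "user": "jdoe", "service": "vpn", "src_ip": "198.51.100.20", "result": "success", "mfa": true}
{"ts": "2024-02-10T09:30:00Z", "user": "jdoe", "service": "owa", "src_ip": "198.51.100.20", "result": "success", "mfa": false}
{"ts": "2024-02-11T07:45:00Z", "user": "asmith", "service": "vpn", "src_ip": "198.51.100.44", "result": "success", "mfa": true}
{"ts": "2024-02-11T07:50:00Z", "user": "asmith", "service": "vpn", "src_ip": "198.51.100.44", "result": "success"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts' and a boolean 'mfa', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["mfa"] = ev.get("mfa") is True  # absent or non-boolean counts as no MFA
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def mfa_gaps(events):
    """Successful logins without MFA, grouped by user -> list of (service, src_ip, ts)."""
    gaps = defaultdict(list)
    for ev in events:
        if ev["result"] == "success" and not ev["mfa"]:
            gaps[ev["user"]].append((ev["service"], ev["src_ip"], ev["ts"]))
    return dict(gaps)


def coverage_by_service(events):
    """Fraction of successful logins per service that completed MFA (0.0 to 1.0)."""
    with_mfa = defaultdict(int)
    total = defaultdict(int)
    for ev in events:
        if ev["result"] != "success":
            continue
        total[ev["service"]] += 1
        if ev["mfa"]:
            with_mfa[ev["service"]] += 1
    return {svc: with_mfa[svc] / total[svc] for svc in total}


def failures_then_success(events, max_failures=3, window_minutes=10):
    """Non-MFA successes preceded by >= max_failures failures from the same IP in the window."""
    hits = []
    for i, ev in enumerate(events):
        if ev["result"] != "success" or ev["mfa"]:
            continue
        cutoff = ev["ts"] - timedelta(minutes=window_minutes)
        prior_failures = sum(
            1 for prev in events[:i]
            if prev["src_ip"] == ev["src_ip"]
            and prev["result"] == "failure"
            and prev["ts"] >= cutoff
        )
        if prior_failures >= max_failures:
            hits.append((ev["user"], ev["src_ip"], prior_failures))
    return hits


def audit(text):
    """Run all three checks over a JSON-lines log and return a report dict."""
    events = parse_events(text)
    return {
        "mfa_gaps": mfa_gaps(events),
        "coverage": coverage_by_service(events),
        "brute_force_logins": failures_then_success(events),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EVENTS)
    for svc, frac in sorted(report["coverage"].items()):
        print(f"{svc:10s} MFA coverage {frac:5.0%}")
    for user, hits in report["mfa_gaps"].items():
        detail = "; ".join(f"{s} from {ip} at {ts:%Y-%m-%d %H:%M}" for s, ip, ts in hits)
        print(f"NO-MFA   {user}: {detail}")
    for user, ip, n in report["brute_force_logins"]:
        print(f"ALERT    {user} from {ip}: success with no MFA after {n} failures")
```

Run it against an export from the VPN, Citrix gateway or identity provider after mapping the product's field names onto the assumed schema. The service account in the sample is the finding that matters most: a non-interactive account on an internet-facing gateway with no MFA, logging in seconds after a string of failures, is the exact pattern the Change Healthcare root cause describes, and the coverage numbers show which services still let it happen.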
30-Day
- Segment clinical from administrative systems
- Deploy/expand EDR behavioral coverage to all endpoints
- Send security questionnaire to top 20 vendors by data access
- Encrypt all PHI databases (EHR, billing, insurance)
- Update IR plan with ransomware-specific playbooks and pre-authorized decision authority
90-Day
- Establish 24/7 security monitoring (internal SOC or MDR)
- Run ransomware tabletop exercise with IT, C-suite, Legal, Communications
- Implement application whitelisting
- Proactive threat hunt for ALPHV/BlackCat, Black Basta and Rhysida TTPs, using the CISA #StopRansomware advisories (AA23-353A, AA24-131A, AA23-319A) as the hunt checklist rather than static IOC lists alone
- Quarterly phishing simulation program with department accountability metrics
Get the help that fits your organization
| Tier | What’s Included | Best For |
|---|---|---|
| Starter | Security assessment, MFA rollout, phishing simulation, 90-day plan | Independent practices, 1-5 location clinics |
| Growth | Everything in Starter + EDR deployment, network segmentation review, vendor risk program | 5–20 location health systems, MSOs |
| Enterprise | Everything in Growth + 24/7 SOC, threat hunting, incident response retainer, ransomware simulation | 20+ location health systems, hospital networks |
Book a free 30-minute assessment →
Related Resources
- Healthcare Vertical Page →
- HIPAA Compliance →
- Vendor Risk Toolkit →
- Incident Response Plan →
- Phishing IQ Quiz →
Sources: HHS OCR breach portal, SEC filings, CISA/FBI/HHS #StopRansomware advisories, WSJ reporting, Anthem litigation and OCR settlement records, Scripps Health financial disclosures (2021), UnitedHealth earnings releases and CEO congressional testimony (April–May 2024), CommonSpirit Health and HCA Healthcare breach notifications, Lurie Children's public statements and breach notification (2024), IBM Cost of a Data Breach Report 2024. All figures current as of publication.