Skip to main content

Timeline of the Change Healthcare Attack

Analysis  |  By Marie DeFreitas  
   March 20, 2024

The Change Healthcare ransomware attack has affected health systems nation-wide for almost a month now.

The attack on Change Healthcare spread far and wide to hospitals, pharmacies, and health systems across the country. Here’s a timeline of what has happened so far that you should know: 


Here's a full breakdown:

Feb. 21: Optum reports “enterprise-wide connectivity” issues and later says Change Healthcare was experiencing a network disruption caused by a cybersecurity threat. Change’s system was disconnected. 

Feb. 22:  Health systems and pharmacies reported disruptions from the attack and the AHA urges facilities to disconnect from Optum’s network. 

Feb. 26: Ransomware group BlackCat claims responsibility for the attack, reported by The Register. HHS later warns hospitals to be wary of the cyber group as it specifically looks to target hospitals. 

UnitedHealth reports that 90% of the 70,000+ pharmacies in the U.S. that used Change’s network had to modify claims processing, the other 10% implemented offline workarounds. 

Feb. 29: Change Healthcare confirms Blackcat is behind the attack. Change works with cybersecurity firms and law enforcement to address the attack. 

March 1: Optum introduces a temporary funding assistance program for providers, and Change also implements a workaround system for pharamcies. 

March 3: Blackcat receives a Bitcoin payment of $20M, reported by Reuters.

March 4: AHA calls Change’s funding program inadequate. Some providers start losing more than $100M a day.

March 5: HHS accelerates payments to affected hospitals and CMS urges payers to relax or remove prior authorizations. 

March 6: UnitedHealth faces five federal lawsuits over the attack.

March 7: Change’s electronic prescription system is fully operable for claims and payments. 

UnitedHealth suspends MA and D-SNP prior authorizations for outpatient services until March 31.

March 9: CMS advances payments to physicians and other outpatient care providers experiencing claims disruptions.

March 11: AMA calls for and helps create a list of all payers that are offering advance provider payments.

March 12: Payers are reluctant to relax prior authorizations. AHIP President and CEO says removing prior authorizations could cause harm and fraud. 

March 13: An investigation is launched into UnitedHealth and Change by the federal government. 

March 14: AMA calls AHIP’S prior authorization response “dumbfounding” after weeks of silence from the organization. 

March 15: An AMA survey of almost 1,000 hospitals found that 94% of hospitals felt financial impact from the attack. 

March 18: Insurers meet with federal officials to discuss how to support providers still financially struggling after the cyberattack.

Marie DeFreitas is an associate content specialist at HealthLeaders.

Get the latest on healthcare leadership in your inbox.