On February 21, 2024, the BlackCat/ALPHV ransomware group launched an attack against Change Healthcare, a subsidiary of UnitedHealth Group. The breach quickly became the largest healthcare data breach in history, affecting approximately 193 million people across North America.
Change Healthcare is not a household name, but its infrastructure connects over 1.6 million health professionals, 70,000 pharmacies, and 8,000 healthcare facilities. When it went down, the ripple effects were immediate and severe.
What Happened
Attackers exploited a Citrix remote access portal that lacked multi-factor authentication (MFA). Once inside, they moved laterally through Change Healthcare's network, exfiltrating sensitive data before deploying ransomware. UnitedHealth Group confirmed it paid a $22 million ransom to the attackers.
The stolen data included patient names, addresses, dates of birth, Social Security numbers, medical records, insurance information, and billing data. For a system that processes billions of healthcare transactions annually, the scope of exposure was staggering.
How Pharmacies Were Affected
Pharmacies across North America experienced disruptions for weeks. Claims processing ground to a halt. Many pharmacies could not verify insurance coverage, forcing patients to pay out of pocket or delay filling prescriptions. Independent pharmacies were hit especially hard, with some reporting cash flow problems that threatened their ability to stay open.
In Canada, pharmacies that relied on Change Healthcare's clearinghouse services for cross-border claims or U.S.-connected insurance plans also felt the impact. The incident highlighted how deeply interconnected the North American healthcare technology supply chain has become.
The MFA Failure
Perhaps the most alarming detail is that the initial breach vector, a remote access portal without multi-factor authentication, represents a basic security failure. MFA has been a standard recommendation for years. Its absence on a system handling data for nearly 200 million people raises serious questions about security governance at one of the largest healthcare technology companies in the world.
UnitedHealth Group CEO Andrew Witty testified before the U.S. Senate that the company had not implemented MFA across all its systems at the time of the attack.
Lessons for Canadian Pharmacies
Canadian pharmacies operate under the Personal Health Information Protection Act (PHIPA) in Ontario and equivalent provincial privacy legislation elsewhere. While this breach originated in the United States, it carries direct lessons for Canadian pharmacy operations.
Enable MFA everywhere. Every system that touches patient data, from pharmacy management software to email accounts, should require multi-factor authentication. This single measure could have prevented the Change Healthcare breach.
Audit your vendor relationships. Pharmacies rely on third-party software and clearinghouse services. Ask your vendors about their security practices, incident response plans, and whether they carry cyber insurance.
Have an offline contingency plan. When Change Healthcare went down, pharmacies that had manual backup processes fared better than those that were entirely dependent on digital claims processing. Paper-based fallback procedures should be documented and practiced.
Encrypt data at rest and in transit. Patient data stored on local systems should be encrypted. Data transmitted to insurers, wholesalers, or other partners should travel over encrypted channels.
Train your staff. Phishing remains the most common entry point for cyberattacks. Regular security awareness training helps staff recognize suspicious emails, links, and attachments before they become breach vectors.
The Bigger Picture
The Change Healthcare attack is a turning point for healthcare cybersecurity. Regulatory bodies in both the U.S. and Canada are expected to tighten requirements around MFA, encryption, and incident reporting. Pharmacies that get ahead of these changes now will be better positioned when new rules take effect.
Cybersecurity is no longer just an IT department concern. It is a patient safety issue, a business continuity issue, and a regulatory compliance issue. Every pharmacy, regardless of size, needs to treat it as a priority.