0.0
One morning, pharmacies across the United States simply
3.459
stopped working.
5.02
Not in one city.
6.36
Not one chain.
7.839
Everywhere at once.
8.98
The prescription you needed could not be billed.
11.56
The system that had quietly approved your medication
14.039
your whole life returned an error and went
16.539
dark.
17.339
The cause was a single computer most Americans
20.739
had never heard of,
22.42
belonging to a company most Americans had never
25.48
heard of,
26.079
a company that sits underneath one out of
29.0
every three patient records in the country.
31.74
It had been broken into through one server
34.52
that was missing one security setting.
37.119
And before this story ends, the criminals who
39.74
did it will betray each other,
41.28
fake their own arrest, and walk away with
43.5
$22 million,
44.979
while the data they were paid to destroy
47.219
goes up for sale anyway.
49.119
This is Fragment Zero, Case File 48.
52.24
The Pharmacy Freeze
56.079
To understand how a whole country's pharmacies can
58.759
freeze in a single morning,
60.32
you have to understand a company called Change
63.259
Healthcare.
64.26
You have almost certainly never thought about it.
67.06
But if you are American, it has almost
69.519
certainly handled your medical data.
71.7
Change Healthcare, owned by the giant UnitedHealth Group,
75.42
is a clearinghouse,
76.54
the invisible switchboard that sits between your doctor,
79.76
your pharmacy, and your insurance company.
81.859
When a provider files a claim, when a
84.2
pharmacist checks your coverage,
86.079
and when a payment moves through the system,
87.64
it very often passes through Change.
90.56
The scale is difficult to absorb.
92.879
Change Healthcare processes roughly 15 billion healthcare transactions
97.64
a year.
98.579
It touches an estimated one in three patient
101.2
records in the United States.
102.92
It is the backbone for more than 100
105.06
critical functions across American medicine,
107.599
used by over 67,000 pharmacies.
111.159
It is, in other words, exactly the kind
114.04
of single point of failure
115.439
that is not supposed to exist, and, in
118.14
February of 2024, it failed.
122.93
The break-in began on February 12th.
126.31
The intruders did not need a sophisticated exploit.
129.629
They used stolen credentials, a working username and
133.0
password,
133.699
to log into a Change Healthcare remote access
136.939
portal built on a system called Citrix.
140.269
The portal let employees reach their desktops from
143.139
outside the building.
144.419
It was pretty simple.
145.419
It was protected by exactly one thing, that
147.86
password.
148.939
There was no multi-factor authentication, no second
152.78
code, no phone prompt, no hardware key.
155.939
The single most basic defense in modern security,
159.3
the one your email provider nags you to
161.759
turn on,
162.419
was simply not enabled on a server that
164.68
opened into the company sitting under a third
166.919
of American healthcare.
169.2
Once inside, the attackers did what professionals do.
172.78
They did not smash anything.
174.039
For nine days, they moved quietly through the
177.34
network, mapping it,
178.74
escalating their access, and copying data out,
181.919
building their leverage before anyone knew they were
184.74
there.
185.879
Months later, the chief executive of UnitedHealth Group
189.039
would sit before the United States Senate
191.06
and admit, under oath, that he was, his word,
194.46
quote,
195.379
"incredibly frustrated" to learn the server had no
198.08
multi-factor authentication.
200.02
The chairman of the committee, Senator Ron Wyden,
203.039
called it a failure.
204.02
A failure of, quote,
205.099
"cybersecurity 101." A third of a nation's medical
209.379
records, one missing checkbox.
213.68
On the morning of February 21st, the waiting
217.28
ended.
217.919
The group behind the intrusion, a ransomware operation
222.099
known as ALPHV, or BlackCat,
225.86
triggered their payload.
227.639
Across Change Healthcare's systems, files began encrypting.
232.12
The switchboard of American medicine.
235.6
UnitedHealth's response was immediate and drastic.
238.759
They severed the connections to Change's data centers
241.74
entirely,
242.56
cutting the infected network off from everything around
245.84
it.
246.36
By that afternoon, responders from Mandiant, Palo Alto
250.139
Networks, Google, Microsoft, Cisco, and Amazon
253.24
were converging on Change's command center in Nashville.
256.759
The company called the FBI within hours.
259.819
But the damage was already national.
262.48
With Change offline, the pipes of healthcare ran
266.12
dry.
267.24
In thousands of pharmacies, the screens that confirmed
270.879
your insurance returned nothing.
273.56
Pharmacists fell back to filling claims by hand,
276.36
calling insurers one by one,
278.399
or telling patients the price in cash.
281.06
Sometimes hundreds of dollars for a medication that
284.3
should have cost a copay.
285.74
Some people walked out without their prescription.
288.42
Behind the counter, the bleeding was just as
290.939
bad.
291.22
Doctors and hospitals could not submit claims,
294.42
which meant they could not get paid.
296.5
According to a survey of around 1,000
298.939
hospitals,
299.74
94% reported a financial hit.
302.339
A third saw more than half their revenue
304.8
disrupted.
305.759
Three-quarters reported a direct impact on patient
308.819
care.
309.66
One analysis estimated that, in the first three
312.42
weeks alone,
313.22
more than $6 billion in claims simply stopped
316.22
flowing.
317.3
To keep providers from going under,
319.5
UnitedHealth eventually pushed out more than $6.5
323.0
billion in advances and no-interest loans.
326.879
The clearinghouse nobody thought about had become the
330.06
thing the entire system was holding its breath
332.379
over.
334.7
So UnitedHealth made a decision that is now
337.519
one of the most scrutinized in the history
339.8
of corporate cybersecurity.
341.68
They paid.
343.259
On the first of March, a single transfer
345.519
of 350 bitcoin,
347.339
worth about $22 million,
350.099
moved to a wallet linked to BlackCat.
352.22
It was not hidden.
353.459
The payment was visible to anyone watching the
356.04
public blockchain.
357.06
Security journalists and analysts saw it land
359.66
and watched the gang begin splitting it into
362.019
smaller amounts.
363.399
The chief executive later testified that the decision
366.66
to pay was his,
368.04
personally,
368.8
quote,
369.36
"one of the hardest decisions I've ever had
371.98
to make."
372.54
The logic was simple and terrible.
374.879
Pay the ransom.
375.86
And maybe the criminals delete the stolen patient
378.6
data instead of leaking it.
380.639
That is what $22 million was supposed to
383.759
buy.
384.66
Deletion.
385.5
Silence.
386.639
It bought neither.
388.16
And the reason why is the strangest part
390.699
of this entire case.
393.72
Two days after the payment,
396.019
a message appeared on a Russian-language criminal
398.68
forum.
399.68
It came from a BlackCat affiliate using the
402.839
handle "notchy."
403.959
In the ransomware business,
405.86
the affiliates are the ones who actually break
408.18
in.
408.66
The core gang provides the tools,
410.879
and the two sides split the ransom.
413.6
Notchy had done the work on Change Healthcare.
416.24
And notchy was furious.
418.439
Because BlackCat had taken the entire $22 million
422.1
and vanished,
423.519
cutting their own partner out completely.
425.959
Worse,
426.68
for everyone involved,
428.259
notchy revealed that the affiliate still had the
431.199
stolen Change Healthcare data.
432.939
Around 4 terabytes of it.
434.86
The data the ransom was supposed to have
437.319
deleted had never left the affiliate's hands.
440.319
Within days,
441.759
BlackCat completed the betrayal.
443.86
The gang pulled what investigators call an exit
446.86
scam.
447.56
They disappeared with the money
449.3
and posted a fake law enforcement seizure notice
451.959
on their own leak site,
453.379
a counterfeit banner pretending the FBI had taken
456.3
them down.
457.12
They were not taken down.
459.139
They were running
460.22
and faking their own arrest to cover the
462.579
trail.
463.16
The disguise was darkly,
464.839
historically familiar.
465.72
Only months earlier,
467.3
in December,
468.24
the FBI had genuinely seized BlackCat's infrastructure,
471.879
and the gang had clawed it back.
474.16
Now they were wearing the takedown as a
476.399
costume.
477.62
So, let's account for the money.
479.62
UnitedHealth paid $22 million to make the data
482.199
disappear.
483.36
BlackCat kept all of it,
484.899
betrayed the partner who held the data,
486.839
and faked its own death.
488.339
The partner kept the 4 terabytes.
492.459
And in April,
493.839
the inevitable.
495.139
A second extortion group calling itself RansomHub
498.68
listed Change Healthcare's data for sale.
501.959
The patient records were never destroyed.
504.86
The $22 million protected nothing.
508.199
It simply moved from a hospital company
510.839
to one set of criminals
512.419
who stole it from another set of criminals
514.659
while the actual victim's data went back on
517.419
the market.
518.32
The reckoning came slowly,
520.299
and it kept getting bigger.
521.58
When Change Healthcare first reported the breach,
525.12
the number of affected individuals was a placeholder,
528.759
500.
529.659
By October,
530.74
it was around 100 million.
532.659
By January of 2025,
534.98
about 190 million.
537.519
The final figure filed with federal regulators
540.299
reached roughly 192.7 million people,
544.74
close to two-thirds of the entire population
547.379
of the United States.
548.84
It is the largest healthcare data breach in
551.46
America.
551.58
The financial cost to UnitedHealth ran to roughly
555.799
$3 billion.
557.24
Its chief executive testified
559.1
that the company fends off an attempted intrusion
562.08
on average every 70 seconds,
564.46
and that one of them,
565.639
getting through one server without a second password,
568.519
had done all of this.
570.179
But the number that should haunt you
572.179
is not the dollars or the records.
574.36
It is the one.
576.36
One company, unknown to the public,
578.7
sitting beneath a third of American medicine.
581.259
One server, missing one setting.
583.879
That was the distance between normal life
586.299
and a nation's pharmacies going dark.
590.24
The pharmacies came back.
592.34
Within about two weeks,
593.82
99% were processing claims again.
596.72
The loans went out,
598.039
the systems were rebuilt,
599.46
the hearings were held,
600.759
and the news moved on.
602.72
But nothing about the underlying shape of it
605.24
changed.
606.019
American healthcare still runs
607.919
through a handful of choke points
609.44
most people will never hear about.
611.259
Until the morning one of them stops.
613.8
The attackers proved
615.22
that the system could be frozen by a
617.1
single password.
618.059
The criminals proved
619.399
they could not even trust each other.
621.259
And the $22 million ransom
623.419
proved the most uncomfortable thing of all.
625.96
That once your data is taken,
627.879
there may be no amount of money that
629.679
buys it back.
630.98
It was never on your desk to protect.
633.779
It was on a server you'll never see.
636.159
Behind a checkbox nobody ticked.
639.039
This has been Fragment Zero.
641.259
Case File 48.
642.879
The Pharmacy Freeze.