Key assets at risk

The attack affected the road and highway operations significantly by impacting the following assets.

Threat event

A large botnet starts flooding the state’s highway traffic-management servers of Colorado DoT with millions of fake requests every second. Due to these messages, the servers become overloaded and stop responding. Due to this service disruption in the centralized traffic management system, the traffic cameras go dark, digital signs freeze, and toll gates malfunction. Furthermore, drivers no longer receive warnings about accidents, speed advisories, construction warnings, and weather hazards. Apart from this, the Emergency responders cannot access real-time road conditions too. Highways and roads become congested and unsafe because the digital systems that normally manage traffic went offline. As an outcome, the transportation agency had to shut down parts of its network and switch to manual operations while cybersecurity teams worked to resolve the attack impact.

Impact analysis

Best practices/mitigation

Diagrammatic representation of case study

This above Figure 1depicts the series of events in a DDoS attack targeting transportation infrastructure, illustrating the effect of network flooding to traffic management systems, roadside communications, and digital signage that lead to inefficiency and increase risk factors .

Key terms and definitions

The following terms available in Table 1 have been used throughout this case study. Each definition is written in plain language for easy understanding.

Key assets at risk

While GPS spoofing is primarily associated with navigation and positioning systems, its impact is also seen on time-dependent assets and on operational and economic assets. The following Table 2 reflects the list of assets and their corresponding mapping.

Threat event

The case studies explain how threat events occur step by step. The steps are as follows:

Impact analysis

Operational

Due to malfunction of FMS, IRS, and EGPWS the unintended route shift, loss of reliable backup navigation, and degraded terrain-avoidance capability are the significant operational overhead. Furthermore, the system instability could increase the manual workload when aircraft enter restricted or controlled zones.

Safety

A spoofed aircraft may unknowingly enter unsafe airspace, terrain, or traffic, creating severe accident potential. The safety issues increase due to occurrence of false alarm, missed real hazards, midair collisions, unsafe proximity to obstacles, and corrupted EGPWS geometric altitude information.

Financial

Flight diversions, delay or cancellations, aircraft damage, increase in insurance premium, cost of investigations, enablement of extended security controls for anti-spoofing defenses, and operational delays are a few of the primary outcomes related to direct financial impacts due to aircraft GPS Spoofing.

Reputational

The reputational impacts are not limited to aircraft companies; they also extend to navigation system providers. Passengers lose confidence in the aircraft service providers, and negative reviews begin to appear, which further generate negative media coverage. The airline’s brand becomes diminished, and trust in GPS-based navigation systems is reduced. Furthermore, regulatory investigations increase security concerns.

Cyber risk awareness/quantification

The following formula could be used to quantify cyber risk.

Cyber Risk = Chance of GPS Spoofing * Danger if Spoofed.

Chance of GPS spoofing

The chance of GPS Spoofing could be determined numerically as 1 (Very unlikely), 2 (Unlikely), 3 (Possible), 4 (Likely), 5 (Very likely) on various factors such as exposure, attractiveness to attackers, and control or protection level. The summary is as follows:

The following formula can be used to define Spoof scoring.

Diagrammatic representation of case study

The above Figure 2 depicts the propagation of spoofed GPS signals throughout aircraft systems including FMS, IRS, and EGPWS that would cause erroneous navigation data and consequently endanger the safety of the flights.

Key terms and definitions

The following terms available in Table 3 have been used throughout this case study. Each definition is written in plain language for easy understanding.

Key assets at risk

Threat event

The Pinellas County Sheriff’s Office states that the SCADA (Supervisory Control and Data Acquisition) system of the plant was accessed by an unauthorized individual remotely twice on February 5th, at about 8:00 AM and 1:30 PM ( Cervini et al., 2022).

During the second intrusion, the operator watched as the attacker opened software controls and switched the sodium hydroxide set point from 100 to 11,100 ppm and disconnected it before leaving. Within seconds, the operator reverted the change. The Secret Service, FBI, and local police started investigations. CISA used a public warning to state that the computers in the plant were operating Windows 7 - an operating system that Microsoft had officially stopped supporting in January 2020, which means it was no longer being patched or updated. The company was also experiencing poor passwording practices, where passwords could be shared among the workers ( CISA, 2021a).

Notably, a subsequent investigation raised questions on whether the event was indeed an external cyberattack or perhaps it was an accident on the part of a worker who altered a value and reported it as a breach. As of 2023, the FBI has not officially confirmed an external attack, and the former manager of the city confirmed privately that investigators had no evidence to suggest that there was external access ( Vasquez, 2023). This renders Oldsmar a useful case study in both senses: it demonstrates the actual cybersecurity vulnerabilities of the water systems, and it demonstrates that the reporting and investigation of the incident can be complicated ( Tuptuk et al., 2021).

Impact analysis

Operational

The water treatment activities were put on hold to investigate them. The authorities of the city made urgent decisions to disconnect remote access tools and check all system logs. The breach initiated cybersecurity assessments in Florida and other water utilities ( CISA, 2021a).

Financial

The Oldsmar plant itself did not suffer direct significant financial losses as the change was promptly noticed. Nevertheless, the move triggered the implementation of expensive national security infrastructure improvements in hundreds of water utilities in the U.S. CISA estimated that water delivered to more than 80 percent of Americans is provided by about 153,000 publicly-owned water systems, most of which were observed to have similar vulnerabilities (EPA, 2023).

Safety

Had the sodium hydroxide not been detected early, it would have resulted in serious chemical burns on the throats, skin, and digestive system of residents. The most vulnerable groups, like children, the aged, and those whose immunity is weakened, would have been exposed to the highest risk of the health problem. Even at lower concentrations, lye can cause severe damage ( Cervini et al., 2022).

Reputational

The incident resulted in national publicity and congressional interest. It served as a wake-up call that small-town water utilities, which are usually under-resourced and understaffed, could become targets of cyberattacks. Several states issued cybersecurity advisories for water suppliers after the incident ( You, 2022).

Cyber risk awareness/quantification:

The following Table 4 provide a brief description about evaluation overall risk.

Simple cost example

Imagine a confirmed water contamination event required emergency bottled water distribution to 15,000 residents for 3 days, plus medical response and cleanup. The estimated emergency response cost would be over the roof. This usually does not include long-term health costs, lawsuits, or federal fines for regulatory violations.

Best practices/mitigation

Diagrammatic representation of case study

The above Figure 3depicts the possibility of cyberattacks to affect public health and safety by accessing the SCADA system and manipulating its operations involving chemical dosing process.

Key terms and definitions

The following Table 5 reflects the key terms, which have been used throughout this case study. Each definition is written in plain language for easy understanding.

Key assets at risk

Such assets are critical in the decision-making process using AI, and their security is a necessity.

Threat event

The attacker took advantage of the improper firewall configuration in the cloud infrastructure. Due to this, the attacker was able to carry out a Server-Side Request Forgery (SSRF) attack and obtain credentials. After obtaining the credentials, the attacker was able to access the storage containers and obtain the information stored in them. The breach led to the compromise of 100 million citizens in the United States and 6 million citizens in Canada. The attacker was also able to obtain the internal logs, hence allowing them to maintain unauthorized access ( FBI, 2019).

Impact analysis

Operational: The systems were to be restricted as a means to estimate the level of damage.

Financial: To resolve the problem, Capital One was forced to pay an 80 million dollar fine to regulators. Other expenses incurred by the company were associated with taking measures to deal with the problem ( Office of the Comptroller of the Currency, 2020).

Security: Customer data was compromised because the systems were infiltrated, which resulted in credit card application information disclosure.

Reputation: The hack was covered by the media, which affected the organization.

Legal impact: There were various lawsuits and compliance reviews carries out.

Cyber risk awareness/quantification

Plausibility: Medium.

Aftermath: High.

Cumulative-risk: High.

Simple quantification example:

Estimated business loss per hour: $150,000

Cost per hour: $100/hour

Duration: 120 hours (approx. 2 weeks work)

Monitoring tools

Cloud security improvements

Monthly cost per person: $8,000

Duration: 6 months

Regulatory fines and penalties

Incident response and forensic analysis

Employee overtime and business disruption

Loss of customer trust and brand damage ( IBM Security, 2023).

Key Assets at risk

Threat event

The attack began with one compromised password. The password was later discovered by security investigators in a store of stolen credentials sold on the dark web (the hidden part of the internet where stolen data is bought and sold). The password was for a VPN account that was not actively used but not deactivated ( Beerman et al., 2023).

Darkside attackers remotely accessed the network of Colonial Pipeline using the password. They had no further barrier since no multi-factor authentication was implemented on the account. While inside, they took their time to move through the network, designating systems and determining the most important files using a method referred to as lateral movement. They stole approximately 100 gigabytes of data within a span of two hours. Then they installed ransomware, encrypted billing systems, and demanded 75 bitcoin (which was at that time valued at about 4.4 million dollars) as a ransom ( CISA, 2021b).

The leadership of Colonial Pipeline was uncertain of the level of intrusion that had occurred and therefore decided to close down the entire pipeline as a precautionary measure. The ransom was paid on the same day by the company. The FBI provided a decryption tool, but it was too slow to be of any use, and the company was forced to restore its systems using backups. On May 12, 2021, a few days after the attack, the pipeline operations returned to normal ( DOE, 2021). The U.S. Department of Justice subsequently reclaimed some 63.7 Bitcoin (about $2.3 million) of the ransom.

Impact analysis

Operational

The six-day shutdown of the pipeline impacted gas supply in 17 states and Washington, D.C. Gas stations were forced to run out of fuel, airlines were concerned with the supply, and the Federal Motor Carrier Safety Administration declared emergency measures to compensate by allowing fuel trucks to work extra hours ( DOE, 2021).

Financial

Colonial Pipeline had to pay a ransom of $4.4 million. The company also received nearly 1 million proposed fines by the Department of Transportation due to safety breaches that are related to the incident. Millions were added with recovery expenses, legal fees, and cybersecurity upgrades. According to Mittal (2024), the breaches in the energy sector are the costliest, with the average price of a breach being more than 4.7 million.

Safety

There was a disruption of fuel supply in hospitals, emergency services, and airports on the East Coast. Panic buying also caused unsafe behaviors, including storing fuel in unsafe containers by the people. The incident showed that a cyberattack on the energy infrastructure can pose real physical risks to citizens ( CISA, 2021b).

Reputational

Colonial Pipeline experienced heavy scrutiny by the public and Congress. Senate hearings were carried out to analyze how one leaked password could shut down the biggest fuel pipeline in the country. The incident was one of the most cited cases of cybersecurity failure to protect critical infrastructure in the history of the US ( Tsvetanov & Slaria, 2021).

Cyber risk awareness/quantification

The following Table 7 provide a brief description about evaluation overall risk.

Simple cost example.

Colonial Pipeline had to pay a ransom of $4.4 million. The pipeline supply is more than 100 million gallons of fuel per day. A conservative estimate of the lost economic activity during the 6-day shutdown:

Diagrammatic representation of case study

The above Figure 5 depicts how compromised credentials would lead to access and lateral movements in a system and ransomware implementation that can cause disturbance in the functioning of critical energy infrastructures.

Key terms and definitions

The following Table 8 reflects the key terms, which have been used throughout this case study. Each definition is written in plain language for easy understanding.

Key assets at risk

Threat event

The attack did not originate at Flagstar Bank itself, but at one of its technology vendors. The ransomware group Clop used a zero-day vulnerability in MOVEit Transfer software between May 27 and 31, 2023. A zero-day vulnerability is a security flaw that is unknown to the software developer and the community at large, meaning there is no patch or fix yet. This provides attackers with a significant advantage ( Ghanbari et al., 2024).

Clop exploited the weakness to silently gain access to the information being transferred using the Fiserv MOVEit systems, including files belonging to Flagstar Bank clients. Fiserv was unable to detect or prevent the attack in time because it occurred before the flaw was publicly known. On May 31, 2023, the vulnerability was publicly disclosed by Progress Software (the creator of MOVEit), more than two months after the breach itself happened, making Fiserv aware of it on the same day, at which point Flagstar Bank was notified about it (approximately August 8, 2023). On October 6, 2023, Flagstar Bank began notifying affected customers through notification letters ( Mascellino, 2023).

By October 2023, it had compromised more than 2,500 organizations worldwide, including banks, government bodies, universities, and corporations, exposing the personal data of more than 64 million people ( Mascellino, 2023). Clop took ownership of the attack and posted the names of victim organizations on its own site as a way of pressurizing them to pay the ransom to prevent further data exposure.

Impact analysis

Operational

Flagstar Bank had to investigate the breach, track down all affected customers, report to regulators, and implement identity monitoring for more than 837,000 customers. It was achieved over several months and required significant resources and staff beyond regular banking operations ( Mascellino, 2023).

Financial

All customers who were impacted by this began receiving free identity monitoring services from Kroll for 2 years, organized by Flagstar Bank. The direct expenses included legal charges, regulatory notification expenses, credit surveillance, and exposure to a class-action lawsuit. According to Lee et al. (2022), financial sector data breaches cost an average of $5.9 million per incident, one of the highest among industries. Research on U.S. commercial banks indicates that breached institutions record considerably lower returns on equity and assets in the quarters following an attack ( Erkan-Barlow et al., 2023).

Safety

If a Social Security number is stolen, the thief can commit identity theft by creating a counterfeit credit card, filing a false tax return, and taking out loans in the victim’s name. This may cost people years of money. Victims who do not monitor their credit carefully may not realize they are victims of identity theft until serious harm has already occurred ( Kamiya et al., 2021).

Reputational

It is the third large data breach at Flagstar Bank in three years (2021, 2022, and 2023), which has been devastating to customer trust ( Kamiya et al., 2021). The bank’s security experts and vendors publicly criticized the lack of proper supply chain risk management. The case illustrated how a bank may fall victim to a significant breach even when its own systems are not directly attacked through a trusted vendor’s vulnerability.

Cyber risk awareness/quantification

The following Table 9 provide a brief description about evaluation overall risk.

Simple cost example

837,390 customers each received 2 years of identity monitoring at approximately $20/month per person:

Diagrammatic representation of case study

The above Figure 6 shows the possible attack on financial information through vulnerability in third-party software applications used for other purposes.

Key terms and definitions

The following Table 10 reflects the key terms, which have been used throughout this case study. Each definition is written in plain language for easy understanding.

Key assets at risk

Threat event

The attack began on August 31, 2025, when threat actors exploited a zero-day vulnerability in a third-party remote-access tool to gain an initial foothold in JLR’s critical systems. Once inside the network, the attackers moved laterally across the infrastructure before deploying ransomware on the company’s systems, including its SAP enterprise resource planning platform. JLR paused production on September 1, 2025, and by September 22, all production lines at the Solihull, Halewood, and Wolverhampton plants had ceased operations entirely, with staff instructed to stay at home ( Vallance & Leggett, 2025).

A group calling itself Scattered Lapsus$ Hunters claimed responsibility for the attack on Telegram, suggesting a collaboration between three English-speaking cybercrime groups: Scattered Spider, Lapsus$, and ShinyHunters. Members of the group shared screenshots reportedly taken from inside JLR’s IT networks, including images of internal SAP systems, and claimed to have deployed ransomware and exfiltrated sensitive data ( Gatlan, 2025). The same collective was linked to a wave of cyberattacks on major UK retailers, including Marks & Spencer, earlier in 2025 ( Milmo, 2025).

Initially, JLR planned to restart production on September 24, but announced on September 23 that the shutdown would continue until October 1. Production finally began restarting on October 8, 2025, following a gradual, controlled approach, but the company did not return to normal production levels until mid-November 2025. A forensic investigation was launched, and a criminal investigation was opened by law enforcement ( Young, 2025).

Impact analysis

Operational

The ransomware attack forced a complete production shutdown across all three of JLR’s major UK manufacturing plants for over five weeks. Assembly lines stood idle, employees were sent home, and workarounds were introduced to partially restore some functions, but significant disruption continued for months. Internal systems, including automated production lines, ordering platforms, and communication tools, were taken offline to contain the breach. September 2025 car production in the UK fell to its lowest level since 1952 as a direct result of the shutdown ( Burgess, 2025).

Financial

In its financial results published in November 2025, JLR revealed that the attack cost £196 million in direct costs during the second quarter of its fiscal year. The company posted a pre-tax loss of £485 million for the July–September 2025 quarter, compared with a profit of £398 million for the same period the previous year. The cyberattack was estimated to cost JLR over £50 million per week of downtime. The broader impact on the UK economy was estimated at £1.9 billion, accounting for supply chain disruptions, lost output, and reduced exports ( Pearson, 2025).

Supply chain

The shutdown devastated JLR’s supply chain. According to the Cyber Monitoring Centre, over 5,000 UK organizations were impacted, including first-, second-, and third-tier automotive parts suppliers, logistics companies, service providers, and dealerships. One smaller JLR supplier confirmed that it had laid off 40 people, nearly half of its workforce. The trade union Unite reported that supply chain staff were advised to apply for Universal Credit, the UK’s social welfare benefit. MP Liam Byrne described the situation as a “digital siege” and warned that thousands of jobs were at risk across the supply chain.

Reputational and national impact

The JLR cyberattack attracted national and international media coverage and became a matter of parliamentary debate. The Bank of England cited the attack as one of the key factors contributing to lower-than-expected UK GDP growth in the third quarter of 2025, noting that the production stoppage directly contributed to a 0.17 percentage point contraction in GDP in September ( Jones, 2025). The UK government intervened with a £1.5 billion loan guarantee to stabilize the automotive supply chain. The Department for Business and Trade and the Society of Motor Manufacturers and Traders issued a joint statement acknowledging the significant impact on JLR and the broader manufacturing sector ( UK Government, 2025). Jamie MacColl of the Royal United Services Institute described the incident as “unprecedented in the UK” in terms of the level of disruption caused by a cyberattack ( Burgess, 2025).

Cyber risk awareness/quantification

The following Table 11 provide a brief description about evaluation overall risk.

Simple cost example

JLR’s estimated weekly cost of the production shutdown was £50 million. With a shutdown lasting approximately 5 weeks: £50,000,000 × 5 weeks = £250 million in lost production revenue.

This figure accounts only for direct production losses. The total direct cost reported by JLR was £196 million for the quarter, while the broader economic impact, including supply chain losses, reduced exports, and government intervention costs, was estimated at £1.9 billion ($2.5 billion USD) ( Pearson, 2025).

Best practices/mitigation

Diagrammatic representation of case study

The above Figure 7 demonstrates the way ransomware propagates between the IT systems and OT systems, causing disruption of manufacturing operations through the supply chain.

Key terms and definitions

The following Table 12 reflects the key terms, which have been used throughout this case study. Each definition is written in plain language for easy understanding.

Key assets at risk

Threat event

At approximately 1:30 AM on March 6, 2024, automated threat detection systems in Duvel Moortgat’s IT department flagged the presence of ransomware on the company’s network. Spokesperson Ellen Aerts confirmed that the IT team immediately initiated incident response procedures, shutting down servers across all sites to contain the spread of the malware. This decision brought production to a standstill at all four Belgian facilities and the Kansas City brewery in the United States ( Gatlan, 2024).

The Stormous ransomware group, a pro-Russian cybercriminal organization, claimed responsibility for the attack. Stormous added Duvel Moortgat to its leak site on March 7, 2024, claiming to have exfiltrated 88 gigabytes of data and setting a ransom deadline of March 25, 2024. According to Cisco Talos research, Stormous had been collaborating with another hacking group called GhostSec since July 2023, jointly conducting double extortion ransomware attacks using the GhostLocker and StormousX ransomware programs against victims across more than 15 countries ( Raghuprasad, 2024). The groups operated a ransomware-as-a-service (RaaS) platform called STMX_GhostLocker, which allowed affiliates to deploy ransomware or sell stolen data through their infrastructure ( Raghuprasad, 2024).

The situation was further complicated when, on March 13, 2024, a second ransomware group called Black Basta also claimed to have stolen more than one terabyte of data from Duvel Moortgat and its U.S. subsidiary Boulevard Brewing, including accounting and human resources information. Duvel Moortgat refused to pay the ransom, and the stolen data was subsequently published on the attackers’ leak sites ( Cyber-Plan, 2024). The Antwerp public prosecutor’s office opened an investigation into the cyberattack.

Impact analysis

Operational

The ransomware attack caused a complete production shutdown across all five of Duvel Moortgat’s brewing and bottling facilities in Belgium and the United States. Production at the main Puurs-Sint-Amands brewery was not restored until March 8, approximately three days after the attack was detected. During this period, no beer was brewed, bottled, or shipped from any facility. The company was forced to rely on existing inventory to fulfill orders. IT teams worked around the clock to restore systems, investigate the breach, and implement additional security measures before resuming operations ( Gatlan, 2024).

Financial

The financial impact included direct costs from lost production revenue during the multi-day shutdown, IT incident response and forensic investigation expenses, system restoration costs, and potential legal liabilities related to the exfiltration of employee data. According to Kulkarni et al. (2025), ransomware attacks on the food and agriculture sector have resulted in ransom demands ranging from tens of thousands to millions of dollars, with the JBS Foods attack in 2021 resulting in an $11 million ransom payment. While Duvel Moortgat refused to pay the ransom, the indirect costs of operational downtime, data breach remediation, and reputational damage are significant.

Safety/Food supply

Although the Duvel Moortgat attack did not directly compromise food safety, it demonstrated how cyberattacks on the food and agriculture sector can disrupt supply chains. The FBI has warned that ransomware attacks on this sector risk causing shortages in food availability, particularly when attacks coincide with critical production periods ( FBI, 2022). In a more extreme case in the same sector, a ransomware attack on a Swiss farm in November 2023 disabled livestock monitoring systems, leading to the death of a calf and the euthanasia of the mother cow, showing that cyberattacks on agriculture can directly endanger animal welfare and food production ( James, 2024).

Reputational

The public disclosure of the attack, combined with the publication of stolen data on dark web leak sites by both Stormous and Black Basta, caused reputational harm to Duvel Moortgat. Extensive media coverage of the attack drew global attention to the brewery’s cybersecurity vulnerabilities. The fact that two separate ransomware groups claimed to have breached the company’s systems raised questions about the adequacy of its cybersecurity posture. For a premium brand built on heritage and trust, such exposure can erode consumer and business partner confidence ( Kulkarni et al., 2025).

Cyber risk awareness/quantification

The following Table 13 provide a brief description about evaluation overall risk.

Simple Cost Example

Assuming Duvel Moortgat’s five facilities generate combined daily revenue of approximately $1.5 million and production was halted for 3 days:

Diagrammatic representation

The above Figure 8 represents the propagation of ransomware among the IT systems and OT systems of food production operations, which cause supply chain disruptions.

Key terms and definitions

The following Table 14 reflects the key terms, which have been used throughout this case study. Each definition is written in plain language for easy understanding.

Key Assets at risk

Threat event

The attack began on February 12, 2024, when the ALPHV/BlackCat ransomware group gained initial access to Change Healthcare’s systems using stolen credentials. According to testimony by UnitedHealth Group CEO Andrew Witty before the U.S. Congress, the attackers used the compromised credentials to remotely access a Change Healthcare Citrix portal that enabled remote desktop access. Critically, this portal did not have multi-factor authentication (MFA) enabled, allowing the attackers to gain access with stolen credentials alone. As Senator Ron Wyden summarized, “This hack could have been stopped with cybersecurity 101” ( Hyperproof, 2026).

After gaining initial access, the attackers moved laterally within Change Healthcare’s network for nine days, exfiltrating approximately 6 terabytes of data before deploying ransomware on February 21, 2024, which encrypted the company’s systems. Change Healthcare detected the attack on February 21, disconnected its networks, and took all operations offline. The ALPHV/BlackCat group claimed responsibility for the attack on February 26 and stated it had stolen patient Social Security numbers, medical records, and information on active military personnel. UnitedHealth Group, through its subsidiary Optum, paid a $22 million ransom in Bitcoin on March 3 to secure the deletion of the stolen data. However, the ransomware group performed an exit scam, and the payment did not secure the data ( Alder, 2026).

The situation worsened in April 2024 when a second ransomware group, RansomHub, claimed to have obtained the stolen data from a former ALPHV affiliate and issued an additional extortion demand, threatening to sell the data to the highest bidder. RansomHub leaked screenshots that appeared to include Change Healthcare patient files. The demand was later removed from RansomHub’s website, though it remains unclear whether a second ransom was paid ( Hyperproof, 2026).

Impact analysis

Operational

The attack caused an immediate and nationwide disruption to the U.S. healthcare system. When Change Healthcare took its systems offline, hospitals could not verify patient insurance eligibility, pharmacies could not process prescriptions, and physicians could not submit claims or receive payments for services rendered. The AHA reported that nearly 94% of hospitals experienced financial repercussions from the attack ( AHA, 2024b). According to Kodiak Solutions, the value of claims submitted dropped by $6.3 billion across its 1,850 hospitals and 250,000 physician clients in just the first three weeks after the attack. UnitedHealth reported that it took months to restore full functionality, with 99% of pharmacy network services restored by March 18, 2024, while other systems took significantly longer ( Hyperproof, 2026).

Financial

The financial impact of the Change Healthcare attack has been staggering. UnitedHealth Group reported $872 million in losses in Q1 2024 alone. By the end of Q3 2024, the total cyberattack cost had risen to $2.457 billion, including $1.521 billion in direct response costs. The total anticipated cost for 2024 was revised to $2.87 billion. UnitedHealth Group advanced more than $9 billion to struggling healthcare providers to mitigate the cash flow crisis caused by the disruption. Large health systems reported losing more than $100 million per day during the outage. An American Medical Association survey revealed that 80% of physician practices lost revenue from unpaid claims (Healthcare IT, 2024).

Safety/patient care

The disruption to claims processing and eligibility verification directly endangered patient care. Patients experienced delays in receiving medications as pharmacies could not verify insurance coverage. Hospitals postponed elective procedures due to uncertainty about reimbursement. The financial strain was particularly severe for smaller practices and rural hospitals, with some facing the risk of closure due to prolonged inability to process claims and receive payments. The AHA warned that the attack endangered patients and threatened the solvency of U.S. healthcare providers across the country ( AHA, 2024a).

Reputational and legal

The breach triggered massive legal and regulatory consequences. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) launched an investigation into potential HIPAA violations. By June 2024, a judicial panel had consolidated over 50 federal lawsuits into a single multidistrict litigation case in Minnesota (MDL No. 3108). Multiple state attorneys general, beginning with Nebraska, filed lawsuits against Change Healthcare. U.S. Senators demanded answers from UnitedHealth Group CEO Andrew Witty, and Senator Mark Warner introduced legislation proposing cybersecurity conditions for Medicare payments during cyberattacks. The revelation that the breach was caused by the absence of basic multi-factor authentication on a critical access portal drew widespread criticism of UnitedHealth Group’s cybersecurity posture ( Hyperproof, 2026).

Cyber risk awareness/quantification

The following Table 15 provide a brief description about evaluation overall risk.

Simple cost example

UnitedHealth Group reported total cyberattack costs of $2.87 billion for 2024, broken down as follows:

Best practices/mitigation

Diagrammatic representation of case study

The above Figure 9 reflects the diagrammatic representation of how credential compromise leads to data breach and ransomware infection, causing disruptions in the national healthcare systems.

Key terms and definitions

The following Table 16 reflects the key terms, which have been used throughout this case study. Each definition is written in plain language for easy understanding.