Change Healthcare Breach: What Happened and Lessons Learned

When a cyberattack struck Change Healthcare in February 2024, it wasn’t just another data breach. It became what the American Hospital Association called “the most significant and consequential incident of its kind against the U.S. healthcare system in history.”

The breach crippled a vital service that processed one-third of all U.S. healthcare claims, creating unprecedented disruption that reached into virtually every corner of American healthcare.

As we reflect on this watershed moment in healthcare cybersecurity, understanding what happened and the lessons learned is crucial for organizations seeking to avoid similar catastrophes.

The Attack: A Timeline of Disaster

The attack unfolded with alarming speed:

  • February 12, 2024: Cybercriminals from the ALPHV/BlackCat ransomware group gained access to Change Healthcare’s systems through a Citrix remote access portal that lacked multi-factor authentication (MFA).
  • February 12-20: Attackers moved laterally through the network, compromising systems and exfiltrating approximately 6 terabytes of sensitive data.
  • February 21: The ransomware was deployed, and Change Healthcare detected the attack. The company made an announcement and immediately disconnected networks, taking operations offline.
  • February 22: Hospitals, health systems, and pharmacies began reporting severe disruptions.
  • February 26: The ALPHV/BlackCat ransomware group publicly claimed responsibility.
  • March 3: UnitedHealth Group (UHG), Change Healthcare’s parent company, paid approximately $22 million in Bitcoin as ransom.

The attack was devastating because Change Healthcare processes 15 billion transactions annually, handling approximately one-third of all U.S. patient records and $1.5 trillion in healthcare claims.

As a clearinghouse, it is a critical intermediary verifying insurance coverage, standardizing claims information, and facilitating payments between providers and insurers.

The Catastrophic Impact

The consequences of the attack were immediate and severe:

  • Financial strain: An American Medical Association (AMA) survey revealed that 77% of medical practices experienced service disruptions, with 80% losing revenue from unpaid claims.
  • Cash flow crisis: 55% of physician respondents reported using personal funds to cover practice expenses, with some stating: “This cyberattack is leading me to bankruptcy,” and “I have not taken a salary for a month and am borrowing from personal funds to keep practice going.”
  • Operational chaos: 36% of surveyed practices saw claims payments suspended, 32% were unable to submit claims, and 39% couldn’t obtain electronic remittance advice.
  • Massive data exposure: Initially reported at 100 million people affected, by January 2025 the breach had exposed the sensitive personal and medical information of approximately 190 million Americans – more than half the U.S. population.
  • Financial cost to UHG: The total response cost has exceeded $2.45 billion, including over $9 billion in advanced payments to providers.

Key Vulnerabilities Exposed

Congressional testimony and subsequent investigations revealed several shocking security failures:

  1. Basic security controls were missing: The initial breach occurred through a legacy server lacking multi-factor authentication – one of the most fundamental security controls.
  2. Poor network segmentation: Once inside, attackers were able to move laterally through systems with minimal resistance, suggesting inadequate network segmentation.
  3. Merger-related security gaps: Following UHG’s acquisition of Change Healthcare in October 2022, security harmonization appears to have been incomplete, leaving vulnerabilities unaddressed.
  4. Inadequate risk assessment: Despite self-insuring for cyber incidents, Change Healthcare failed to maintain adequate security controls to mitigate its significant risk exposure.

Seven Critical Lessons Learned

1. Never Neglect the Basics

The most glaring lesson from the breach is the importance of fundamental security controls. Something as simple as implementing multi-factor authentication could have prevented the initial compromise.

“The great news about all of this is that there really isn’t anything new that we have to tell them,” noted David Bailey, vice president of consulting services at Clearwater. “There are priorities and focus areas that we can have organizations really look at and help prioritize.”

2. Third-Party Risk Management Is Essential

The incident highlighted the dangers of supply chain vulnerabilities and the need for rigorous third-party risk management.

“The Change Healthcare fiasco vividly demonstrated the need to hold multibillion-dollar clearinghouses and health plans to a higher federal standard of cybersecurity,” stated Dr. Bruce A. Scott, AMA President.

Healthcare organizations must scrutinize vendors’ security practices and build redundancy to avoid single points of failure. This includes establishing connections with alternate vendors and having contingency plans ready.

3. M&A Activity Requires Security Due Diligence

The breach occurred following UHG’s acquisition of Change Healthcare, raising questions about security integration following mergers and acquisitions.

“During this transition, cybercriminals can exploit discrepancies in security measures, gaps in IT governance, and the increased complexity of managing merged IT environments,” explained Aron Brand, CTO of CTERA.

Organizations must conduct thorough security assessments during mergers and acquisitions to identify and address potential vulnerabilities.

4. Resilience Requires Redundancy

The attack demonstrated the dependence of the healthcare system on a single service provider, with no adequate alternatives available to many organizations.

“The result of UnitedHealth Group’s failure to properly safeguard against cyber threats and the subsequent, extended outage of its services has been dire,” noted Senators Josh Hawley and Richard Blumenthal in their letter to UHG.

Healthcare entities should identify critical external services and develop concrete action plans to maintain operations should those services fail.

5. Have a Robust Business Continuity Plan

Many organizations lacked adequate business continuity plans to address major service disruptions.

“[The plan] should address business continuity in case of crisis or disaster, including backups and the ability to restore them in a timely manner. It means implementing a technical backup and alternative payment and collection routes,” advised cybersecurity expert David Kellerman.

Financial preparation is especially crucial. Organizations should quantify how long they can sustain operations without normal revenue inflow and establish financial buffers like business interruption insurance, cash reserves, or lines of credit.

6. Improved Cross-Industry Collaboration Is Necessary

The breach highlighted the need for better information sharing and collaboration across the healthcare sector.

“I believe hospital CISOs should have a security clearance, be read and know exactly what’s happening,” said David Bailey. “There needs to be a mechanism, a true mechanism, for information sharing as part of critical infrastructure that doesn’t exist today.”

Healthcare organizations can collectively improve their defenses against sophisticated attacks by sharing threat intelligence and cybersecurity best practices.

7. Consolidation Creates Concentration of Risk

The attack also raised concerns about industry consolidation creating critical points of failure.

“The Change Healthcare experience clearly shows the danger posed by ever-increasing levels of concentration within health care, particularly among health plans,” warned Dr. Scott.

While Change Healthcare’s market share wasn’t dominant enough to trigger traditional antitrust concerns, its role in processing one-third of U.S. healthcare claims created a significant vulnerability in the national healthcare infrastructure.

Moving Forward: A More Secure Healthcare Ecosystem

The Change Healthcare breach has spurred several positive developments:

  • Increased investment: The magnitude of the attack made it easier for technology executives to make the case for greater investment in cybersecurity and emergency preparedness.
  • Legislative action: Senator Mark Warner introduced a bill proposing cybersecurity-related conditions for Medicare accelerated and advance payments during cyberattacks.
  • Regulatory scrutiny: The Office for Civil Rights launched a HIPAA compliance investigation, and lawmakers are considering mandated baseline cybersecurity standards for the healthcare sector.
  • Industry adoption of security frameworks: Organizations are increasingly adopting frameworks like HITRUST to improve their security posture.

Conclusion

The Change Healthcare breach serves as a sobering reminder of the vulnerabilities within our healthcare system. 

As Scott Mattila, CISO at Intraprise Health, noted, “While the breach was a significant setback, it spotlighted systemic problems, spurring overdue legislative progress and driving innovation among healthcare cybersecurity leaders.”

By applying these hard-learned lessons – implementing basic security controls, addressing third-party risks, preparing for business disruptions, fostering cross-industry collaboration, and questioning dangerous consolidation – healthcare organizations can build a more resilient and secure ecosystem for the future.

The ultimate lesson may be simple: cybersecurity is no longer just an IT issue but a fundamental patient safety and business continuity imperative that requires attention at the highest levels of healthcare leadership.

Change Healthcare Breach: What Happened and Lessons Learned
Hanna Mae Rico, April 22, 2025
