HAP's Latest News

Lessons a Year after the Change Healthcare Cyberattack

February 12, 2025

Next week marks one year since the Change Healthcare cyberattack caused sector-wide disruption affecting 190 million people and impacting access to care.

The incident generated international headlines, putting a spotlight on the need for stronger safeguards and system resiliency, while prompting instant reaction from the legislative and regulatory community. Nearly a year after the incident, here’s a look back at what happened and where things stand.

What Happened

On February 21, 2024, Change Healthcare, a health care claims clearinghouse, became aware of a ransomware attack that gave a cybercriminal unauthorized access to its computer system.

In response, the company shut down systems and server connectivity, temporarily blocking critical information and systems for hospitals and other providers to process claims. The incident is considered the largest-ever reported health care breach in the U.S.

During May, UnitedHealth Group CEO Andrew Witty testified that the bad actors had obtained “compromised credentials” to access a Change Healthcare application that enables remote access to desktops. The application did not have multi-factor authentication.

“As a result of this malicious cyberattack, patients and providers have experienced disruptions and people are worried about their private health data. To all those impacted, let me be very clear: I am deeply sorry,” he said in written remarks.

The Fallout

The affected information included billing and claims information, health information, and health insurance information, the company said in its HIPAA Website Substitute Notice.

Social Security numbers were not affected for most potentially affected individuals, and “except in rare instances, financial and banking information, payment cards, driver’s licenses or state ID numbers, or other ID numbers were not involved in this incident,” the company said in its substitute notice. The company began notifying affected individuals during the summer.

The total cost of the response is estimated between $2.3 billion and $2.45 billion, per media reports.

Beyond the privacy breach, the outage caused immediate challenges for providers who could not process claims. HAP immediately engaged the Pennsylvania Insurance Department and the payor community to ensure payment workarounds and resources were available before systems came back online. Additionally, Change Healthcare and its parent company established loan and advance payment systems, while the federal government also established programs to support affected providers.

Key Lessons

The incident highlighted the increasing need for cybersecurity in an increasingly digital world. It also put a spotlight on how third-party vendors are an important part of the cybersecurity ecosystem.

Among the key takeaways:

  • Policy and procedures matter:  Organizations need proactive approaches to cybersecurity (regular risk assessments, vulnerability management, and incident response planning).
  • Downtime plans:  All organizations need workarounds and downtime procedures when systems go offline.
  • Third-party risk:  Third-party vendors can cause vulnerabilities across the health care supply chain.
  • Key partners:  Organizations need partnerships and support to help mitigate the impact, including the FBI, CISA, and HHS. The American Hospital Association also has key resources for hospitals.
  • Training is key:  Training staff with the latest best practices, phishing awareness, and data handling procedures is essential.
  • Stay engaged: Consistent updates from trusted sources are vital during periods of crisis.

Following this incident, hospitals continue to prioritize safeguards against cyberattacks and protections for patient information. For additional information about health care cybersecurity and your facility, contact HAP’s emergency preparedness team.


