Change Healthcare Breach: One Year Later

On February 21, 2024, a hacker affiliated with the ALPHV/BlackCat ransomware gang used stolen credentials to log into a Citrix remote access portal at Change Healthcare. The portal did not require multi-factor authentication (MFA). For nine days, the attacker moved laterally through the network, exfiltrating data. On February 29, UnitedHealth Group disclosed the attack.

It was already the largest healthcare data breach in American history. It still is.

The final count, reported to OCR on July 31, 2025: 192.7 million people affected. That’s roughly 57% of the American population. UnitedHealth Group’s total costs exceeded $3.09 billion according to its January 2025 earnings report. Thousands of physician practices nearly went bankrupt during the weeks-long claims processing outage. And the question that matters most a year later – did anything actually change? – deserves an honest answer.

What Was Change Healthcare — And Why It Failed

Most patients had never heard of Change Healthcare before the breach. Most providers knew the name but didn’t fully appreciate what it meant that a single company processed roughly one-third of all healthcare claims in the United States.

Change Healthcare was the clearinghouse – the invisible plumbing connecting providers to payers, handling eligibility verification, claims submission, and payment processing. Fifteen billion transactions annually. $1.5 trillion in healthcare claims flowing through its systems. When it went down, the effects cascaded across 6,000 hospitals, more than a million physicians, 125,000 dentists, 39,000 pharmacies, and 700 laboratories.

Your practice probably routed claims through Change Healthcare without knowing it. Your EHR vendor might have. Your billing service almost certainly did. This is the exact vendor risk scenario that keeps compliance officers up at night.

This wasn’t just a data theft. It was a shutdown of the payment systems that American healthcare depends on.

The Outage That Nearly Broke Small Practices

When Change Healthcare disconnected its systems, providers across the country couldn’t submit claims electronically. Payment processing stopped. Eligibility verification went dark. Revenue disappeared overnight.

The American Medical Association surveyed practices in late March and early April 2024. The numbers were brutal:

  • 80% of respondents reported lost revenue from unpaid claims
  • 55% had to use personal funds to cover practice expenses
  • 44% couldn’t purchase medical supplies
  • 31% couldn’t make payroll
  • 36% had claim payments suspended entirely

One urgent care facility reported $650,000 in unpaid insurance reimbursements. The owners were using personal savings and lines of credit to pay employees and rent. They weren’t alone. Small practices with thin margins and no credit reserves faced existential pressure within the first two weeks.

UnitedHealth Group eventually made more than $2 billion in accelerated payments available to affected providers. But accessing that money required navigating a bureaucratic process while simultaneously trying to keep your doors open. Many providers described the experience as being asked to bail water while someone kept punching new holes in the boat.

The outage lasted weeks. Some practices didn’t fully recover for months.

The $22 Million Ransom and the Double Betrayal

UnitedHealth Group CEO Andrew Witty confirmed during Congressional testimony that the company paid a $22 million ransom to the ALPHV/BlackCat gang, sent via Bitcoin.

It didn’t help.

ALPHV pulled an exit scam. They took the $22 million, shut down their dark web systems, and stiffed their own affiliate – the actual attacker who had done the work. That affiliate, operating under the name “Notchy,” still had the stolen data. Furious at being cheated, Notchy reposted the data through a different ransomware group called RansomHub and attempted to extort UnitedHealth a second time.

So UnitedHealth paid once and still didn’t get the data back. The stolen information – health records, Social Security numbers, driver’s licenses, passport numbers, financial and payment card data – remained in criminal hands. This is exactly why having a ransomware response plan matters before an attack happens, not after.

This is not an unusual outcome. It’s one of the main reasons law enforcement and cybersecurity experts advise against paying ransoms. Payment doesn’t guarantee data deletion, and it funds future attacks.

Where the Lawsuits Stand in 2026

The litigation is massive and still unfolding.

As of mid-2025, 78 individual and class action lawsuits had been filed over the breach. More than 70 were consolidated into a multidistrict litigation (MDL) in the District of Minnesota, assigned to U.S. District Court Judge Donovan Frank. At least 26 additional cases remained in state courts.

Plaintiffs include both people whose data was stolen and healthcare providers who suffered financial losses from the claims outage. Change Healthcare filed motions to dismiss several of the claims. Some survived.

The most notable state-level action came from Nebraska Attorney General Mike Hilgers, who filed suit against Change Healthcare, UnitedHealth Group, and Optum in December 2024. The lawsuit alleged breaches of Nebraska’s consumer protection and data privacy laws, citing the nine-day gap between intrusion and detection, and the five months it took to begin notifying affected people. In November 2025, a Lancaster County District Court denied Change Healthcare’s motion to dismiss, finding the state had sufficiently alleged its claims. The court noted the breach exposed sensitive data of nearly 900,000 Nebraskans.

Settlement discussions began in 2025. U.S. Magistrate Judge Dulce J. Foster ordered lawyers to attend in-person settlement talks in April 2025. If no settlement is reached, bellwether trials are likely.

As of early 2026, OCR had not announced an enforcement action against UnitedHealth. That’s not unusual for an investigation of this scale – OCR investigations of major covered entities have historically taken years. But given the severity, major HIPAA penalties remain likely.

What Congress Did (And Didn’t Do)

UnitedHealth CEO Andrew Witty testified before both the Senate Finance Committee and the House Energy and Commerce Committee in the spring of 2024. Under questioning, Witty acknowledged that Change Healthcare was “a relatively older company with older technologies” that UnitedHealth had been working to upgrade since acquiring it in 2022.

That admission landed hard. A company processing one-third of American healthcare transactions was running on systems its own CEO described as outdated. The Citrix portal that the attackers used as their entry point lacked multi-factor authentication – a basic security control that has been standard industry practice for years.

Congress responded with proposed legislation. The Health Infrastructure Security and Accountability Act, introduced by Senators Ron Wyden and Mark Warner in September 2024, would impose minimum cybersecurity standards, require annual audits, and create penalties for executives who fail to comply. It included $800 million in funding for rural hospitals and $500 million for all hospitals to implement enhanced cybersecurity.

In 2025, a bipartisan group of senators reintroduced the Health Care Cybersecurity and Resiliency Act, requiring updates to the HIPAA Security Rule including mandatory MFA, encryption of health information, and regular penetration testing. These proposals align with the new HIPAA Security Rule changes already in the pipeline.

As of early 2026, neither bill had passed. The proposed HIPAA Security Rule overhaul published by HHS in December 2024 drew major industry pushback over implementation costs. The gap between what happened and what’s been done about it remains wide.

What Actually Changed in the Healthcare Industry

Here’s the honest scorecard.

1. Vendor Risk Awareness Increased Dramatically

Before the breach, many practices treated their clearinghouse relationship as a commodity – something the billing department handled. After the breach, vendor risk management became a board-level conversation at health systems large and small. The statistic that 72% of healthcare data breaches now trace back to business associates and third-party vendors got a lot of attention. If your business associate agreements haven’t been reviewed since 2024, the Change Healthcare breach is the reason to do it now.

2. Backup Clearinghouse Plans Became a Real Discussion

The AMA pushed for a standardized clearinghouse enrollment process that would let practices switch vendors quickly during an outage. Before the breach, most practices had never considered what they’d do if their clearinghouse disappeared. Some tried to switch during the outage and discovered that incompatible EHR systems, contractual obligations, and enrollment delays made a quick switch nearly impossible.

3. Consolidation Concerns Got Louder

The AMA and others pointed out that the breach was a direct consequence of vendor consolidation – one company handling one-third of all transactions meant one failure point could cripple the system. Industry groups called for reducing concentration and encouraging competition. Whether that translates into policy remains to be seen.

4. Cybersecurity Investment Increased

Health systems reported increased spending on cybersecurity tools, incident response planning, and vendor security reviews. The problem is that spending more doesn’t on its own mean spending wisely. Many organizations still lack the foundational work – risk analysis, access controls, monitoring – that would have made a difference.

5. Regulatory Change Moved Slowly

Proposed rules and legislation are in the pipeline but nothing has been finalized. If you were waiting for the government to tell you what to do differently, you’re still waiting.

What Your Practice Should Have Done By Now

Regardless of what rules eventually pass, the Change Healthcare breach made certain lessons impossible to ignore.

Audit your vendor relationships. Do you know every vendor that handles ePHI on your behalf? Do you have signed Business Associate Agreements with each one? A BAA is not a magic shield – if your clearinghouse gets breached, your patients’ data is still exposed. But without a BAA, you don’t even have the legal framework for accountability.

Identify your single points of failure. If your clearinghouse went down tomorrow, could you submit claims another way? If your EHR vendor was compromised, do you have access to your own data? The practices that survived the Change Healthcare outage best were the ones that had already thought about this question.

Ask your vendors hard questions. Before you sign or renew with any vendor who touches ePHI: Do you have SOC 2 Type II certification? What’s your incident response plan? Have you had a breach in the last three years? Do you require MFA for all remote access? The Change Healthcare attack exploited a portal with no MFA. That was a basic control failure.
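"Do you require MFA for all remote access?" is a question you can also put to your own logs. The script below is an added example, not code from the article or from any vendor: it walks a remote-access authentication log and flags successful logins that were never followed by an MFA completion event, then reports per-portal MFA coverage. The pipe-delimited log format, the portal and user names, the sample lines and the two-minute MFA window are all constructed assumptions; a real Citrix, VPN or identity-provider export will use different fields, so adapt `parse_line()` to it.

```python
"""Audit remote-access auth logs for successful logins that never completed MFA.

Added example, not code from the original article. The log format, field
names, sample lines and MFA_WINDOW below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One auth event per line:
#   timestamp|portal|user|src_ip|event   where event is LOGIN_OK, MFA_OK or LOGIN_FAIL
SAMPLE_LOG = """\
2024-02-21T03:12:07Z|citrix-remote|jdoe|203.0.113.5|LOGIN_OK
2024-02-21T03:12:09Z|citrix-remote|jdoe|203.0.113.5|MFA_OK
2024-02-21T03:40:51Z|citrix-remote|svc-billing|198.51.100.7|LOGIN_OK
2024-02-21T04:02:13Z|vpn-gw|asmith|192.0.2.44|LOGIN_OK
2024-02-21T04:02:20Z|vpn-gw|asmith|192.0.2.44|MFA_OK
2024-02-22T22:15:30Z|citrix-remote|svc-billing|198.51.100.7|LOGIN_OK
2024-02-23T01:00:00Z|citrix-remote|mlee|203.0.113.9|LOGIN_FAIL
"""

# Assumption: an MFA_OK must follow its LOGIN_OK within this window to count.
MFA_WINDOW = timedelta(minutes=2)


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, portal, user, src_ip, event = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "portal": portal,
        "user": user,
        "src_ip": src_ip,
        "event": event,
    }


def _events(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def find_logins_without_mfa(log_text):
    """Return LOGIN_OK events with no MFA_OK for the same portal/user within MFA_WINDOW."""
    events = _events(log_text)
    mfa_times = defaultdict(list)
    for e in events:
        if e["event"] == "MFA_OK":
            mfa_times[(e["portal"], e["user"])].append(e["ts"])

    missing = []
    for e in events:
        if e["event"] != "LOGIN_OK":
            continue
        key = (e["portal"], e["user"])
        completed = any(timedelta(0) <= t - e["ts"] <= MFA_WINDOW for t in mfa_times[key])
        if not completed:
            missing.append(e)
    return missing


def mfa_coverage(log_text):
    """Per-portal fraction of successful logins that completed MFA (1.0 = every login)."""
    missing = {(m["ts"], m["portal"], m["user"]) for m in find_logins_without_mfa(log_text)}
    totals, with_mfa = defaultdict(int), defaultdict(int)
    for e in _events(log_text):
        if e["event"] == "LOGIN_OK":
            totals[e["portal"]] += 1
            if (e["ts"], e["portal"], e["user"]) not in missing:
                with_mfa[e["portal"]] += 1
    return {portal: with_mfa[portal] / totals[portal] for portal in totals}


if __name__ == "__main__":
    for m in find_logins_without_mfa(SAMPLE_LOG):
        print(f"NO MFA: {m['ts']:%Y-%m-%d %H:%M:%S} {m['portal']} {m['user']} from {m['src_ip']}")
    for portal, share in mfa_coverage(SAMPLE_LOG).items():
        print(f"{portal}: {share:.0%} of successful logins completed MFA")
```

On the constructed sample, the two `svc-billing` logins on `citrix-remote` are flagged and that portal's coverage comes out at one in three, while `vpn-gw` is fully covered. A service account logging into a remote portal with a password alone is exactly the kind of gap this check is meant to surface; anything below 100% on a portal that is supposed to enforce MFA is a finding to chase, not a statistic to file.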

Get cyber insurance. Practices with cyber insurance had significantly better outcomes during the outage. The insurance covered business interruption losses, legal fees, and incident response costs. If you don’t have a policy, or haven’t reviewed yours in the last year, fix that now.

Build a business continuity plan that includes vendor failure. Not a theoretical document. A practical plan that your staff knows about, with specific steps for maintaining operations if a key vendor goes offline. The next major healthcare IT outage isn’t a question of if.
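The audit, single-point-of-failure and vendor-question steps above fit naturally into one inventory review. The following is an added example, not code from the article or from any consulting service: it keeps a record per ePHI vendor of the answers to the questions posed above, produces findings for each vendor, and flags every role (clearinghouse, EHR, billing) served by only one vendor as a single point of failure. The vendor names, roles, dates and the rule that a BAA last reviewed before 2024 needs a fresh look are constructed assumptions; replace them with your own inventory and thresholds.

```python
"""Vendor-risk review of a practice's ePHI vendor inventory.

Added example, not code from the original article. Vendor records, roles,
dates and the REVIEW_CUTOFF rule are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: BAAs last reviewed before this date are due for another review.
REVIEW_CUTOFF = date(2024, 1, 1)


@dataclass
class Vendor:
    name: str
    role: str                   # e.g. "clearinghouse", "ehr", "billing"
    handles_ephi: bool
    baa_signed: bool
    baa_last_reviewed: Optional[date]
    soc2_type2: bool            # current SOC 2 Type II report on file
    mfa_all_remote_access: bool
    has_incident_response_plan: bool
    breach_in_last_3_years: bool


def vendor_findings(v):
    """Findings for one vendor; vendors that never touch ePHI get none."""
    if not v.handles_ephi:
        return []
    findings = []
    if not v.baa_signed:
        findings.append("no signed BAA")
    elif v.baa_last_reviewed is None or v.baa_last_reviewed < REVIEW_CUTOFF:
        findings.append("BAA not reviewed since before 2024")
    if not v.soc2_type2:
        findings.append("no SOC 2 Type II report")
    if not v.mfa_all_remote_access:
        findings.append("MFA not required for all remote access")
    if not v.has_incident_response_plan:
        findings.append("no incident response plan provided")
    if v.breach_in_last_3_years:
        findings.append("breach reported in the last three years")
    return findings


def single_points_of_failure(vendors):
    """Roles handled by exactly one ePHI vendor, i.e. no fallback if that vendor goes dark."""
    by_role = defaultdict(list)
    for v in vendors:
        if v.handles_ephi:
            by_role[v.role].append(v.name)
    return {role: names[0] for role, names in by_role.items() if len(names) == 1}


def review(vendors):
    """Full review: per-vendor findings plus the roles with no backup vendor."""
    return {
        "findings": {v.name: f for v in vendors if (f := vendor_findings(v))},
        "single_points_of_failure": single_points_of_failure(vendors),
    }


# Constructed sample inventory (fictional vendors, not real companies).
SAMPLE_VENDORS = [
    Vendor("ClearingCo", "clearinghouse", True, True, date(2023, 5, 1), True, False, True, False),
    Vendor("AltClearing", "clearinghouse", True, True, date(2025, 1, 15), True, True, True, False),
    Vendor("ChartEHR", "ehr", True, True, date(2025, 3, 10), True, True, True, False),
    Vendor("BillRight", "billing", True, False, None, False, True, False, False),
    Vendor("OfficeSnacks", "catering", False, False, None, False, False, False, False),
]

if __name__ == "__main__":
    result = review(SAMPLE_VENDORS)
    for name, findings in result["findings"].items():
        print(f"{name}: " + "; ".join(findings))
    for role, name in result["single_points_of_failure"].items():
        print(f"single point of failure for {role}: {name}")
```

On the sample inventory the review reports a stale BAA and missing remote-access MFA for `ClearingCo`, three gaps for `BillRight`, nothing for `ChartEHR`, and marks the EHR and billing roles as single points of failure while the clearinghouse role is not, because a second enrolled clearinghouse exists. Keeping this inventory current is cheap; discovering during an outage that every claim goes through one vendor is not.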

The Number That Should Keep You Up at Night

192.7 million people. Nearly two-thirds of the US population had their health data stolen in a single attack on a single company.

Change Healthcare initially reported the breach to OCR with a placeholder figure of 500 people. Then 100 million. Then 190 million. The final figure, 192.7 million, was reported on July 31, 2025 – more than 17 months after the attack. For context, the previous record was the 2015 Anthem breach at 78.8 million – Change Healthcare more than doubled it.

Your patients’ data may be in there. They never consented to having their health information handled by a company they’d never heard of, operating on systems its own parent company acknowledged were outdated, secured by a remote access portal that didn’t require a second factor to log in.

That’s not a cybersecurity story. It’s a vendor management story. And it’s the story that should change how your practice thinks about every company you trust with patient data.


Need help assessing your vendor risk and building a compliance program that accounts for what we learned from the Change Healthcare disaster? One Guy Consulting offers affordable HIPAA compliance packages. Explore HIPAA compliance services and support.