On February 21, 2024, a hacker affiliated with the ALPHV/BlackCat ransomware gang used stolen credentials to log into a Citrix remote access portal at Change Healthcare. The portal had no multi-factor authentication. For nine days, the attacker moved laterally through the network, exfiltrating data. On February 29, UnitedHealth Group disclosed the attack.
It was already the largest healthcare data breach in American history. It still is.
The final count, reported to OCR on July 31, 2025: 192.7 million individuals affected. That's roughly 57% of the American population. UnitedHealth Group's total costs exceeded $3.09 billion according to its January 2025 earnings report. Thousands of physician practices nearly went bankrupt during the weeks-long claims processing outage. And the question that matters most a year later -- did anything actually change? -- deserves an honest answer.
Key Regulatory Context
The Change Healthcare breach exposed failures across multiple HIPAA requirements that covered entities and business associates are legally obligated to meet:
- Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A)): Covered entities must conduct an accurate and thorough assessment of potential risks and vulnerabilities to ePHI. UnitedHealth's own CEO acknowledged Change Healthcare was running "older technologies" -- a finding a proper SRA should have surfaced and remediated.
- Business Associate Agreements (45 CFR §164.308(b)(1)): Any vendor that creates, receives, maintains, or transmits ePHI on behalf of a covered entity must have a signed BAA. Change Healthcare processed claims for millions of providers, many of whom lacked proper BAAs or had never reviewed them.
- Authentication Controls (45 CFR §164.312(d)): The Security Rule requires covered entities to implement procedures to verify that a person seeking access to ePHI is who they claim to be. The Citrix portal attackers used had no multi-factor authentication -- a direct failure of this requirement.
- Breach Notification (45 CFR §§164.400–414): Affected individuals must be notified within 60 days of breach discovery. Change Healthcare took more than five months to begin notifying patients -- a timeline that drew significant scrutiny from OCR and state attorneys general.
These aren't aspirational standards. They are minimum legal requirements. The breach illustrates what happens when a company of this scale treats them as checkboxes rather than operational controls.
What Change Healthcare Was (And Why One Vendor Failure Broke Everything)
Most patients had never heard of Change Healthcare before the breach. Most providers knew the name but didn't fully appreciate what it meant that a single company processed roughly one-third of all healthcare claims in the United States.
Change Healthcare was the clearinghouse -- the invisible plumbing connecting providers to payers, handling eligibility verification, claims submission, and payment processing. Fifteen billion transactions annually. $1.5 trillion in healthcare claims flowing through its systems. When it went down, the effects cascaded across 6,000 hospitals, more than a million physicians, 125,000 dentists, 39,000 pharmacies, and 700 laboratories.
Your practice probably routed claims through Change Healthcare without knowing it. Your EHR vendor might have. Your billing service almost certainly did. This is the exact vendor risk scenario that keeps compliance officers up at night.
This wasn't just a data theft. It was a shutdown of the payment infrastructure that American healthcare depends on.
The Outage That Nearly Broke Small Practices
When Change Healthcare disconnected its systems, providers across the country couldn't submit claims electronically. Payment processing stopped. Eligibility verification went dark. Revenue disappeared overnight.
The American Medical Association surveyed practices in late March and early April 2024. The numbers were brutal:
- 80% of respondents reported lost revenue from unpaid claims
- 55% had to use personal funds to cover practice expenses
- 44% couldn't purchase medical supplies
- 31% couldn't make payroll
- 36% had claim payments suspended entirely
One urgent care facility reported $650,000 in unpaid insurance reimbursements. The owners were using personal savings and lines of credit to pay employees and rent. They weren't alone. Small practices with thin margins and no credit reserves faced existential pressure within the first two weeks.
UnitedHealth Group eventually made more than $2 billion in accelerated payments available to affected providers. But accessing that money required navigating a bureaucratic process while simultaneously trying to keep your doors open. Many providers described the experience as being asked to bail water while someone kept punching new holes in the boat.
The outage lasted weeks. Some practices didn't fully recover for months.
The $22 Million Ransom and the Double Betrayal
UnitedHealth Group CEO Andrew Witty confirmed during Congressional testimony that the company paid a $22 million ransom to the ALPHV/BlackCat gang, sent via Bitcoin.
It didn't help.
ALPHV pulled an exit scam. They took the $22 million, shut down their dark web infrastructure, and stiffed their own affiliate -- the actual attacker who had done the work. That affiliate, operating under the name "Notchy," still had the stolen data. Furious at being cheated, Notchy reposted the data through a different ransomware group called RansomHub and attempted to extort UnitedHealth a second time.
So UnitedHealth paid once and still didn't get the data back. The stolen information -- health records, Social Security numbers, driver's licenses, passport numbers, financial and payment card data -- remained in criminal hands. This is exactly why having a ransomware response plan matters before an attack happens, not after.
This is not an unusual outcome. It's one of the main reasons law enforcement and cybersecurity experts advise against paying ransoms. Payment doesn't guarantee data deletion, and it funds future attacks.
Where the Lawsuits Stand in 2026
The litigation is massive and still unfolding.
As of mid-2025, 78 individual and class action lawsuits had been filed over the breach. More than 70 were consolidated into a multidistrict litigation (MDL) in the District of Minnesota, assigned to U.S. District Court Judge Donovan Frank. At least 26 additional cases remained in state courts.
Plaintiffs include both individuals whose data was stolen and healthcare providers who suffered financial losses from the claims outage. Change Healthcare filed motions to dismiss several of the claims. Some survived.
The most notable state-level action came from Nebraska Attorney General Mike Hilgers, who filed suit against Change Healthcare, UnitedHealth Group, and Optum in December 2024. The lawsuit alleged violations of Nebraska's consumer protection and data privacy laws, citing the nine-day gap between intrusion and detection, and the five months it took to begin notifying affected individuals. In November 2025, a Lancaster County District Court denied Change Healthcare's motion to dismiss, finding the state had adequately alleged its claims. The court noted the breach exposed sensitive data of nearly 900,000 Nebraskans.
Settlement discussions began in 2025. U.S. Magistrate Judge Dulce J. Foster ordered lawyers to attend in-person settlement talks in April 2025. If no settlement is reached, bellwether trials are likely.
As of early 2026, OCR had not announced an enforcement action against UnitedHealth. That's not unusual for an investigation of this scale -- OCR investigations at major covered entities have historically taken years. But given the severity, significant HIPAA penalties remain likely.
What Congress Did (And Didn't Do)
UnitedHealth CEO Andrew Witty testified before both the Senate Finance Committee and the House Energy and Commerce Committee in the spring of 2024. Under questioning, Witty acknowledged that Change Healthcare was "a relatively older company with older technologies" that UnitedHealth had been working to upgrade since acquiring it in 2022.
That admission landed hard. A company processing one-third of American healthcare transactions was running on systems its own CEO described as outdated. The Citrix portal that the attackers used as their entry point lacked multi-factor authentication -- a basic security control that has been industry standard practice for years and is required under 45 CFR §164.312(d) for verifying the identity of anyone accessing ePHI remotely.
Congress responded with proposed legislation. The Health Infrastructure Security and Accountability Act, introduced by Senators Ron Wyden and Mark Warner in September 2024, would impose minimum cybersecurity standards, require annual audits, and create penalties for executives who fail to meet requirements. It included $800 million in funding for rural hospitals and $500 million for all hospitals to implement enhanced cybersecurity.
In 2025, a bipartisan group of senators reintroduced the Health Care Cybersecurity and Resiliency Act, requiring updates to the HIPAA Security Rule including mandatory MFA, encryption of health information, and regular penetration testing. These proposals align with the new HIPAA Security Rule changes already in the pipeline.
As of early 2026, neither bill had passed. The proposed HIPAA Security Rule overhaul published by HHS in December 2024 drew significant industry pushback over implementation costs. The gap between what happened and what's been done about it remains wide.
What Actually Changed in the Healthcare Industry
Here's the honest scorecard.
1. Vendor Risk Awareness Increased Dramatically
Before the breach, many practices treated their clearinghouse relationship as a commodity -- something the billing department handled. After the breach, vendor risk management became a board-level conversation at health systems large and small. The statistic that 72% of healthcare data breaches now trace back to business associates and third-party vendors got a lot of attention. If your business associate agreements haven't been reviewed since 2024, the Change Healthcare breach is the reason to do it now.
2. Backup Clearinghouse Plans Became a Real Discussion
The AMA pushed for a standardized clearinghouse enrollment process that would let practices switch vendors quickly during an outage. Before the breach, most practices had never considered what they'd do if their clearinghouse disappeared. Some tried to switch during the outage and discovered that incompatible EHR systems, contractual obligations, and enrollment delays made a quick switch nearly impossible.
3. Consolidation Concerns Got Louder
The AMA and others pointed out that the breach was a direct consequence of vendor consolidation -- one company handling one-third of all transactions meant one failure point could cripple the system. Industry groups called for reducing concentration and encouraging competition. Whether that translates into policy remains to be seen.
4. Cybersecurity Investment Increased
Health systems reported increased spending on cybersecurity tools, incident response planning, and vendor security assessments. The problem is that spending more doesn't automatically mean spending wisely. Many organizations still lack the foundational work -- risk analysis required under 45 CFR §164.308(a)(1)(ii)(A), access controls, monitoring -- that would have made a difference.
5. Regulatory Change Moved Slowly
Proposed rules and legislation are in the pipeline but nothing has been finalized. Meanwhile, OCR expanded its enforcement reach in February 2026 by taking over 42 CFR Part 2 enforcement for substance abuse treatment records -- adding another layer of compliance obligations for behavioral health providers. If you were waiting for the government to tell you what to do differently, you're still waiting.
What Your Practice Should Have Done By Now
Regardless of what regulations eventually pass, the Change Healthcare breach made certain lessons impossible to ignore.
Audit your vendor dependencies. Do you know every vendor that handles ePHI on your behalf? Do you have a signed Business Associate Agreement with each one? Under 45 CFR §164.308(b)(1), a BAA is legally required for every such vendor. A BAA is not a magic shield -- if your clearinghouse gets breached, your patients' data is still exposed. But without a BAA, you don't even have the legal framework for accountability.
Identify your single points of failure. If your clearinghouse went down tomorrow, could you submit claims another way? If your EHR vendor was compromised, do you have access to your own data? The practices that survived the Change Healthcare outage best were the ones that had already thought about this question.
Ask your vendors hard questions. Before you sign or renew with any vendor who touches ePHI: Do you have SOC 2 Type II certification? What's your incident response plan? Have you had a breach in the last three years? Do you require MFA for all remote access? The Change Healthcare attack exploited a portal with no MFA. That was a basic control failure.
Get cyber insurance. Practices with cyber insurance had significantly better outcomes during the outage. The insurance covered business interruption losses, legal fees, and incident response costs. If you don't have a policy, or haven't reviewed yours in the last year, fix that now.
Build a business continuity plan that includes vendor failure. Not a theoretical document. A practical plan that your staff knows about, with specific steps for maintaining operations if a critical vendor goes offline. The next major healthcare IT outage isn't a question of if.
The Number That Should Keep You Up at Night
192.7 million people. Nearly two-thirds of the US population had their health data stolen in a single attack on a single company.
Change Healthcare initially reported the breach to OCR with a placeholder figure of 500 individuals. Then 100 million. Then 190 million. The final figure, 192.7 million, was reported on July 31, 2025 -- more than 17 months after the attack. For context, the previous record was the 2015 Anthem breach at 78.8 million -- Change Healthcare more than doubled it.
Your patients' data may be in there. They never consented to having their health information handled by a company they'd never heard of, operating on systems its own parent company acknowledged were outdated, secured by a remote access portal that didn't require a second factor to log in.
That's not a cybersecurity story. It's a vendor management story. And it's the story that should change how your practice thinks about every company you trust with patient data.
Frequently Asked Questions
What are the HIPAA breach notification requirements that Change Healthcare violated?
Under 45 CFR §§164.400–414, covered entities must notify affected individuals within 60 days of discovering a breach. When a breach affects more than 500 residents of a state or jurisdiction, the covered entity must also notify prominent media outlets in that state. Breaches affecting more than 500 individuals must be reported to OCR without unreasonable delay and no later than 60 days after discovery. Change Healthcare discovered the breach in late February 2024 but did not begin notifying patients until July 2024 -- more than five months later. The Nebraska AG lawsuit specifically cited this delay as a legal violation.
What does HIPAA require for vendor risk assessment, and how did Change Healthcare fall short?
45 CFR §164.308(a)(1)(ii)(A) requires covered entities to conduct a security risk analysis -- a thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they hold. This analysis must be ongoing, not a one-time event. For business associates like Change Healthcare, the same requirement applies. A compliant SRA at Change Healthcare should have identified the unprotected Citrix remote access portal, the lack of MFA for privileged accounts, and the risks associated with being a single point of failure for one-third of US healthcare claims. It apparently didn't -- or the findings weren't acted on. Practices that outsource claims processing also have SRA obligations: if a business associate handles your ePHI, that vendor relationship is a risk that belongs in your own risk analysis.
Does HIPAA require multi-factor authentication?
The 2024 HIPAA Security Rule and current enforcement guidance stop short of mandating MFA by name, but 45 CFR §164.312(d) requires covered entities to implement procedures to verify the identity of anyone seeking access to ePHI. OCR's guidance has consistently cited MFA as a best practice to satisfy this requirement, and the proposed 2024 Security Rule overhaul would make MFA explicitly mandatory. In the Change Healthcare attack, the attacker used stolen credentials to log into a Citrix portal with no second factor -- exactly the scenario §164.312(d) is designed to prevent. Whether or not the final rule passes, MFA for any system with remote ePHI access is no longer optional from a practical security standpoint.
What is a business associate agreement and why does it matter for the Change Healthcare breach?
A Business Associate Agreement (BAA) is a legally required contract under 45 CFR §164.308(b)(1) between a covered entity and any vendor that creates, receives, maintains, or transmits ePHI on the covered entity's behalf. The BAA defines each party's responsibilities for protecting that data, what happens in the event of a breach, and what the business associate is permitted to do with the information. Change Healthcare was a business associate to thousands of providers. When it was breached, providers without current, compliant BAAs had limited legal recourse and potentially shared liability exposure. A BAA doesn't prevent a breach -- but without one, you have no contractual framework for holding your vendor accountable, and OCR can cite you for the missing agreement independently of whatever your vendor did.
Sources
- HHS OCR - Change Healthcare Resolution Agreement
- 45 CFR 164.308 - Administrative Safeguards
- 45 CFR 164.312 - Technical Safeguards