What the Change Healthcare Attack Should Have Taught Every Covered Entity
Introduction
On February 21, 2024, Change Healthcare went offline. The ransomware attack that took it down was not subtle. Within hours, claims processing across thousands of practices, hospitals, and pharmacies ground to a halt. Prescriptions couldn’t be filled. Claims couldn’t be submitted. Prior authorizations went into a black hole. The disruption lasted weeks. The financial damage to the healthcare sector ran into the billions.
You probably felt it. If you didn’t feel it directly, you heard about it. And then, over the following months, the news cycle moved on, and most covered entities returned to operating exactly as before.
And that is the real story here. Not the attack itself. The attack was, by the standards of modern healthcare cybercrime, a straightforward ransomware intrusion against a high-value target. The story is what most covered entities failed to do with the information it provided: a detailed, real-world illustration of every vendor risk-management failure that HIPAA’s administrative safeguards are meant to prevent.
If your practice didn’t change anything after Change Healthcare, it’s worth understanding exactly what you didn’t learn.
What Happened and Why It Spread So Fast
Change Healthcare, a subsidiary of UnitedHealth Group, processed roughly 15 billion healthcare transactions annually at the time of the attack. By some estimates, it touched one in every three patient records in the United States. It was the connective tissue between providers and payers for a substantial portion of the country’s healthcare claims infrastructure.
The attackers gained access using compromised credentials through a remote access portal that lacked multifactor authentication. That is not a sophisticated vulnerability. It is one of the most basic access control failures an organization can have, and it was present on a system that held and processed the protected health information of an estimated 190 million individuals.
The breach affected covered entities that had never heard of Change Healthcare and had no idea they were exposed through it. Vendor chain risk is inherent to the relationship. You don't need to be the direct target or to have caused the security breach; merely being connected, even indirectly, to the organization involved is enough to be affected.
Your Business Associate Agreement Did Not Protect You
When Change Healthcare went down, covered entities discovered something uncomfortable about the vendor relationships they had assumed were managed. Many could not immediately identify whether Change Healthcare was their business associate or a subcontractor of one of their business associates. Many had BAAs that predated the HITECH Act’s expanded requirements and had never been updated. Some had no documentation of the relationship at all because the connection ran through a billing company or clearinghouse that had added Change Healthcare to its processing chain without notifying the covered entities it served.
This is the subcontractor problem from 45 CFR § 164.504(e) made concrete. The regulation requires your business associates to flow HIPAA obligations down to their subcontractors, and it requires those subcontractors to protect your patients’ PHI under the same standards that bind your direct vendors. But the regulation does not automatically make that chain visible to you. Building visibility into it is your responsibility, and Change Healthcare demonstrated what the absence of that visibility costs.
The breach notification obligations that followed were, for many covered entities, the first indication of the scope of their exposure. That is the wrong time to be learning the shape of your vendor chain.
What the Security Rule Required Before Any of This Happened
The HIPAA Security Rule’s administrative safeguard requirements at 45 CFR § 164.308 are not reactive standards. They are prospective ones. The Security Risk Analysis requirement at 45 CFR § 164.308(a)(1)(ii)(A) requires covered entities to identify the risks to their ePHI environment before a breach occurs. A risk analysis scoped to your direct systems but blind to your vendor chain is not a compliant risk analysis. It is an incomplete one.
The vendor oversight obligations embedded in the administrative safeguards exist precisely because the Security Rule’s drafters understood that covered entities do not operate in isolation. Your ePHI does not stay within your walls. It flows to billing companies, clearinghouses, EHR vendors, scheduling platforms, and down through their subcontractor relationships. The risk to your patients’ data spans that entire network, and your risk management program is supposed to account for it all.
Change Healthcare was not an unforeseeable edge case. Vendor chain attacks on healthcare organizations have been a documented threat category for years. An honest risk analysis conducted by any covered entity using a clearinghouse should have identified third-party processing infrastructure as a threat vector and evaluated the organization’s exposure and response capacity accordingly. Most did not.

What a Prepared Practice Looked Like
The practices that weathered the Change Healthcare disruption best were not the ones with the most sophisticated IT infrastructure. They were the ones with the most thorough preparation. Specifically, they had two things most practices lacked: a documented business associate inventory with clear mapping of which vendors touched which workflows, and a tested contingency plan that addressed what would happen when a key vendor went offline.
The contingency planning requirement is set out in 45 CFR § 164.308(a)(7). It requires covered entities to establish policies and procedures for responding to emergencies or other events that damage systems containing ePHI. Most practices implement this narrowly, treating it as a data backup and disaster recovery exercise focused on their own systems. Change Healthcare demonstrated that the relevant emergency is often not damage to your systems. It’s the sudden unavailability of a vendor whose services your operations depend on.
A contingency plan that covers your server room but doesn’t address what you do when your clearinghouse disappears for six weeks is an incomplete contingency plan. The practices that had answers to that question in February 2024 were the ones that had done the exercise before they needed it.
The Multifactor Authentication Lesson
The initial access vector in the Change Healthcare attack was a remote access portal without multifactor authentication. This detail received significant coverage at the time, and it deserves continued emphasis because MFA gaps remain widespread across healthcare organizations of every size.
Multifactor authentication is not named in the current Security Rule, but the person or entity authentication standard at 45 CFR § 164.312(d) and the risk analysis requirement leave little room to justify password-only remote access to systems holding ePHI, and the proposed updates to the Security Rule would make MFA an explicit requirement. More to the point, MFA is among the most cost-effective security controls available: deployment cost and implementation effort are both low, and the gap it closes is significant. Coverage matters as much as the decision to deploy it. A rollout that leaves a legacy VPN, a vendor support account, or an administrator login on password-only access has not closed the gap, and phishing-resistant methods such as FIDO2 security keys or passkeys hold up better than SMS or push codes against the credential-theft attacks that drive most of these intrusions.
If your practice has any remote access pathway to systems containing ePHI, and that pathway is protected only by a password, you have reproduced one of the specific conditions that made the largest healthcare data breach in U.S. history possible. That is a risk finding that belongs at the top of your risk management plan’s corrective action list.
What Covered Entities Should Have Done Then, and Should Do Now
The Change Healthcare attack was, among other things, a comprehensive audit of the healthcare sector’s vendor risk management posture. Most covered entities did not pass it.
The corrective actions are not complicated; they just require effort.
Your business associate inventory needs to exist, be current, and map not just your direct vendor relationships but the subcontractor dependencies your key vendors maintain. You should know whether your billing company uses Change Healthcare, or its successor infrastructure, or a competing clearinghouse, and you should have that documented before the next disruption makes the question urgent.
Your Business Associate Agreements need to contain the provisions required at 45 CFR § 164.504(e)(2), including explicit subcontractor flow-down obligations and breach notification requirements. If the BAAs you have on file predate 2013 and haven’t been reviewed since, there is a reasonable probability they are deficient. Review them.
Your contingency plan needs to address vendor failure scenarios, not just internal system failures. That means identifying which vendors are operationally critical, what the practice-level impact of their unavailability would be, and what your interim operational posture looks like while the disruption is resolved.
And your Security Risk Analysis needs to scope vendor chain risk explicitly. Your ePHI doesn’t stop at your firewall, and your risk analysis shouldn’t either.
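The inventory, contingency and risk-analysis steps above amount to one data structure: a directed graph of who handles your ePHI on whose behalf. The Python script below is an added example, not code from the article, that models a practice's vendor chain that way and answers the questions a disruption forces: which vendors, direct or downstream, can touch each workflow; which workflows stop if a given vendor goes offline and which direct business associate you would have to work through; which subcontractors are referenced but undocumented; and which BAAs predate the 2013 Omnibus Rule compliance date or lack flow-down and breach-notification clauses. The vendor names, workflows, BAA dates and field names are constructed sample data and assumptions, not any real practice's inventory.

```python
"""Model a covered entity's vendor chain as a directed graph and query it.

Added example; not from the article. Vendor names, workflows, BAA dates and
the Vendor fields are constructed sample data and assumptions.
"""
from collections import deque
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Vendor:
    name: str
    baa_date: Optional[date]                  # BAA on file with the practice; None for subcontractors
    subcontractors: List[str] = field(default_factory=list)
    baa_has_flowdown: bool = False            # 164.504(e)(2) subcontractor flow-down clause present
    baa_has_breach_notice: bool = False       # 164.504(e)(2) breach notification clause present


# Constructed sample data: workflow -> direct business associates it depends on.
WORKFLOWS: Dict[str, List[str]] = {
    "claims submission": ["AcmeBilling"],
    "eligibility checks": ["AcmeBilling", "SchedulerCo"],
    "e-prescribing": ["EHRVendor"],
    "patient scheduling": ["SchedulerCo"],
}

# Constructed sample inventory. "RxNetworkCo" is referenced by EHRVendor but
# never documented, which is the visibility gap the article describes.
VENDORS: Dict[str, Vendor] = {
    "AcmeBilling": Vendor("AcmeBilling", date(2011, 3, 1), ["ClearinghouseX"], True, True),
    "SchedulerCo": Vendor("SchedulerCo", date(2019, 6, 15), ["CloudHost"], True, True),
    "EHRVendor": Vendor("EHRVendor", date(2016, 1, 10), ["CloudHost", "RxNetworkCo"], False, True),
    "ClearinghouseX": Vendor("ClearinghouseX", None, ["CloudHost"]),
    "CloudHost": Vendor("CloudHost", None, []),
}

OMNIBUS_COMPLIANCE_DATE = date(2013, 9, 23)   # HIPAA Omnibus Final Rule compliance deadline


def transitive_chain(vendor: str, vendors: Dict[str, Vendor] = VENDORS) -> Set[str]:
    """Every vendor reachable downstream of `vendor` (breadth-first, cycle-safe).
    Names not present in the inventory are returned but cannot be expanded."""
    seen: Set[str] = {vendor}
    queue = deque([vendor])
    while queue:
        cur = queue.popleft()
        for sub in (vendors[cur].subcontractors if cur in vendors else []):
            if sub not in seen:
                seen.add(sub)
                queue.append(sub)
    return seen - {vendor}


def exposure_by_workflow(workflows=WORKFLOWS, vendors=VENDORS) -> Dict[str, List[str]]:
    """Map each workflow to every vendor, direct or downstream, that can touch its PHI."""
    result = {}
    for wf, directs in workflows.items():
        reach = set(directs)
        for d in directs:
            reach |= transitive_chain(d, vendors)
        result[wf] = sorted(reach)
    return result


def outage_impact(down: str, workflows=WORKFLOWS, vendors=VENDORS) -> Dict[str, List[str]]:
    """Workflows that stop if `down` is unavailable, keyed to the direct BA(s) in the path."""
    impact = {}
    for wf, directs in workflows.items():
        via = [d for d in directs if d == down or down in transitive_chain(d, vendors)]
        if via:
            impact[wf] = via
    return impact


def inventory_gaps(vendors=VENDORS) -> Set[str]:
    """Subcontractors named by some vendor but absent from the inventory."""
    referenced = {s for v in vendors.values() for s in v.subcontractors}
    return referenced - set(vendors)


def baa_findings(vendors=VENDORS) -> List[tuple]:
    """Direct BAAs that predate the Omnibus Rule or lack required 164.504(e)(2) clauses."""
    findings = []
    for v in vendors.values():
        if v.baa_date is None:
            continue   # subcontractor: its obligations flow down from the direct BA's agreement
        if v.baa_date < OMNIBUS_COMPLIANCE_DATE:
            findings.append((v.name, "BAA predates the 2013 Omnibus Rule; review"))
        if not v.baa_has_flowdown:
            findings.append((v.name, "no subcontractor flow-down clause"))
        if not v.baa_has_breach_notice:
            findings.append((v.name, "no breach notification clause"))
    return findings


if __name__ == "__main__":
    for wf, chain in exposure_by_workflow().items():
        print(f"{wf}: {', '.join(chain)}")
    print("If ClearinghouseX goes down:", outage_impact("ClearinghouseX"))
    print("Undocumented subcontractors:", inventory_gaps())
    for name, issue in baa_findings():
        print(f"BAA finding - {name}: {issue}")
```

Running it on the sample data shows that a clearinghouse the practice has no BAA with sits under two of the four workflows, that the shared hosting provider is a single point of failure for all of them, and that one subcontractor exists only as a name on another vendor's list. Replace the sample dictionaries with your own inventory and keep the script beside the contingency plan so the outage question can be answered before the day it is asked.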
Apart from closing any MFA gap, none of this is infrastructure work. It is documentation work: the kind of compliance infrastructure that converts a catastrophic event into a manageable disruption and ensures that, when OCR follows up on a breach with a request for your administrative safeguard documentation, you have something to show them.
Change Healthcare was a signal. Whether your practice received it is now part of your compliance record.

Recent Articles – Will Evertsen 