Security & Cyber Threats
What Healthcare Providers Can Learn from the Change Healthcare Cyberattack
The Change Healthcare ransomware breach affected more than 190 million patients and cost more than $2.8 billion. Here are the lessons every small practice must learn.

The breach that broke the system — and what it means for your practice
On February 21, 2024, the ALPHV/BlackCat ransomware group deployed ransomware inside Change Healthcare, a subsidiary of UnitedHealth Group that processes approximately 15 billion healthcare transactions per year. The attack shut down the largest healthcare payment processing system in the United States for weeks. When the full scope was finally disclosed, it became the largest healthcare data breach in American history.
The numbers are staggering: more than 190 million patients affected. Over $2.8 billion in direct losses. Months of cascading disruption across the entire healthcare ecosystem. But for independent practices — the dental offices, medical groups, behavioral health clinics, and therapy centers that depend on these systems daily — the impact was not measured in billions. It was measured in missed payrolls, denied claims, and patients who could not be seen.
What happened: the breach that broke the system
The timeline
February 12, 2024: Attackers gain initial access to Change Healthcare's network using stolen credentials for a Citrix remote access portal that did not have multi-factor authentication enabled.
February 12–21, 2024: Attackers move laterally through Change Healthcare's network for nine days, exfiltrating approximately six terabytes of data before deploying ransomware.
February 21, 2024: Ransomware is deployed and Change Healthcare detects the breach. The company begins shutting down affected platforms to contain the attack.
February 22–28, 2024: The scope of the shutdown becomes clear. Change Healthcare's claims processing, payment systems, and pharmacy platforms go offline. Healthcare providers across the country cannot submit claims, process payments, or verify insurance eligibility.
March 2024: UnitedHealth Group confirms the ALPHV/BlackCat ransomware group was responsible. Reports emerge that the company paid a $22 million ransom. Despite the payment, data exfiltration had already occurred.
April–June 2024: Systems gradually come back online, but many providers report continued disruptions. Data breach notifications begin as the company assesses which patient records were compromised.
October 2024: UnitedHealth Group discloses that approximately 100 million individuals were affected — a number later revised upward to more than 190 million, making it the largest healthcare breach in U.S. history.
How the attackers got in
The initial access vector was a compromised credential: a single set of login credentials for a Citrix remote access portal that did not have multi-factor authentication enabled. One credential. No MFA. That was the entry point for an attack that would affect more than half of the American population.
Once inside, the attackers moved laterally through Change Healthcare's network for nine days before deploying ransomware. During that time, they exfiltrated approximately six terabytes of data — patient names, addresses, Social Security numbers, insurance information, medical records, billing data, and more.
The root cause was not a sophisticated zero-day exploit or an advanced persistent threat that bypassed cutting-edge defenses. It was a missing MFA configuration on a remote access portal: a basic security control that the proposed 2025 HIPAA Security Rule amendments would make mandatory for all covered entities.
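The check a practitioner would want after reading this is an audit of which accounts can still reach a remote-access portal with a password alone, before MFA enforcement is switched on and afterwards as a regression test. The script below is an added example, not code from the article or from Change Healthcare. It reads constructed JSON-lines authentication records in a simplified shape assumed for illustration (not Citrix's real log schema), reports successful password-only sign-ins per portal, and flags source addresses that authenticated as more than one account without a second factor, a common signal of stolen or stuffed credentials.

```python
"""Audit remote-access portal sign-ins for missing MFA.

Added example, not from the original article. The log format is a
constructed, simplified JSON-lines shape with the fields ts, user, src_ip,
portal, result and mfa; a real deployment would map the portal's or the
identity provider's sign-in log into this shape first.
"""
import json
from collections import defaultdict

# Constructed sample records (illustrative, not real Change Healthcare logs).
SAMPLE_LOG = """\
{"ts":"2024-02-12T03:14:07Z","user":"jdoe","src_ip":"203.0.113.44","portal":"citrix-gw","result":"success","mfa":false}
{"ts":"2024-02-12T03:15:51Z","user":"jdoe","src_ip":"203.0.113.44","portal":"citrix-gw","result":"success","mfa":false}
{"ts":"2024-02-12T08:02:10Z","user":"asmith","src_ip":"198.51.100.7","portal":"citrix-gw","result":"success","mfa":true}
{"ts":"2024-02-12T08:05:33Z","user":"bjones","src_ip":"192.0.2.9","portal":"citrix-gw","result":"failure","mfa":false}
{"ts":"2024-02-12T09:10:00Z","user":"svc-backup","src_ip":"203.0.113.44","portal":"citrix-gw","result":"success","mfa":false}
{"ts":"2024-02-12T09:12:00Z","user":"asmith","src_ip":"198.51.100.7","portal":"vpn","result":"success","mfa":true}
"""


def parse_events(text):
    """Parse JSON-lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line should not abort the whole audit
    return events


def password_only_logins(events):
    """Successful sign-ins that completed with no second factor.

    Failures are ignored: a rejected password-only attempt is noise here;
    a successful one is an account that MFA enforcement has not covered.
    """
    return [
        e for e in events
        if e.get("result") == "success" and not e.get("mfa", False)
    ]


def accounts_without_mfa(events):
    """Per portal, the sorted accounts that completed a password-only login."""
    found = defaultdict(set)
    for e in password_only_logins(events):
        found[e["portal"]].add(e["user"])
    return {portal: sorted(users) for portal, users in found.items()}


def shared_source_ips(events):
    """Source IPs that signed in as more than one account without MFA.

    One address authenticating as several accounts with passwords alone is
    the pattern left by stolen-credential reuse or credential stuffing.
    """
    by_ip = defaultdict(set)
    for e in password_only_logins(events):
        by_ip[e["src_ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for portal, users in accounts_without_mfa(evs).items():
        print(f"{portal}: password-only logins by {', '.join(users)}")
    for ip, users in shared_source_ips(evs).items():
        print(f"{ip}: authenticated as multiple accounts without MFA: {', '.join(users)}")
```

Run against the constructed sample, the audit reports `jdoe` and `svc-backup` on `citrix-gw` as accounts that still sign in without MFA, and `203.0.113.44` as an address that used both. The fix is enforcement at the portal or identity provider, not this report; the report is how you confirm enforcement actually covers every account, including service accounts that are easy to exempt and forget.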
The cascading impact on independent practices
Large hospital systems have financial reserves, dedicated IT teams, and alternative payment processing channels. Independent practices have none of these.
When Change Healthcare went offline, the impact on small practices was immediate and severe:
Claims could not be submitted. For practices that depend on timely claims processing — which is nearly all of them — the shutdown meant revenue stopped flowing. Practices that live on 30-to-60-day payment cycles were suddenly looking at 90-to-120-day delays, or longer.
Insurance eligibility could not be verified. Front desk staff could not confirm whether patients had active coverage before appointments. Practices faced a choice: see patients without verification and risk unpaid claims, or turn patients away and lose revenue.
Prescription processing was disrupted. Pharmacies using Change Healthcare's systems could not process electronic prescriptions. Patients could not fill medications. Providers had to resort to paper prescriptions or phone calls to pharmacies — workflows that many newer practitioners had never used.
Payroll was at risk. For small practices operating on thin margins, several weeks without claims payments created immediate cash flow crises. Reports emerged of practices unable to make payroll, pay rent, or cover operating expenses.
Patient data was exposed. Beyond the operational disruption, the breach exposed the personal and medical information of patients who had done nothing more than receive care from a provider that used Change Healthcare's systems. Those patients — more than 190 million of them — now face the permanent risk of identity theft, insurance fraud, and targeted social engineering.
3 key lessons for small healthcare providers
Lesson 1: Vendor dependency is a single point of failure
The Change Healthcare breach demonstrated that a single vendor failure can shut down an entire practice. Most independent practices do not think of their billing clearinghouse as a cybersecurity risk. But when that clearinghouse processes your claims, stores your patient data, and verifies your patients' insurance, it holds the keys to your operation.
What to do: Identify every vendor your practice depends on for critical operations — claims processing, EHR, email, cloud storage, scheduling. For each one, ask: what happens if this vendor goes offline for 30 days? If the answer is "we cannot operate," you need a contingency plan.
Map your vendor dependencies using the ePHI data flow mapper. Know where your data goes, who holds it, and what alternatives exist.
Lesson 2: Contingency planning is not optional
HIPAA requires a contingency plan (45 CFR § 164.308(a)(7)). Most practices treat this as a documentation exercise: a policy that sits in a binder and never gets tested. The Change Healthcare breach showed what happens when contingency plans do not exist or have never been rehearsed.
What to do: Build a contingency plan that addresses specific scenarios: billing system goes offline, EHR is unavailable, internet is down, primary vendor is compromised. For each scenario, document:
- Who makes the decision to activate the contingency plan
- What alternative systems or processes will be used
- How patients will be communicated with
- How long the practice can operate in contingency mode before financial impact becomes critical
- What triggers the return to normal operations
Test the plan at least once a year. A contingency plan that has never been rehearsed is not a plan — it is a hope.
Lesson 3: "It will not happen to us" is not a security strategy
Many independent practices assume that cyberattacks target large organizations. The Change Healthcare breach shows the opposite: the attack targeted a large organization, but the damage cascaded to the smallest practices in the system. Your practice does not need to be the direct target to suffer the full consequences of a breach.
Beyond vendor-mediated risk, independent practices are increasingly targeted directly. Attacks on small healthcare providers have risen 6x since 2021. Medical records are worth $280 to $310 per record on the dark market — 10 times the value of a stolen credit card. A practice with 2,000 patient records is sitting on data worth over half a million dollars to an attacker.
The question is not whether your practice will face a cyber threat. It is whether your practice will be prepared when it does.
What the Change Healthcare breach means for HIPAA compliance
The breach accelerated regulatory momentum that was already building. The proposed HIPAA Security Rule amendments — including mandatory MFA, required encryption, and technology asset inventories — are a direct response to the systemic failures the breach exposed.
For independent practices, the message is clear: the compliance baseline is rising. What was considered adequate two years ago is no longer sufficient. The practices that invest in compliance infrastructure now will be positioned to meet the new requirements. The ones that wait will face the combined pressure of a tightening regulatory environment and an escalating threat landscape.
The breach dashboard tracks healthcare breach activity and enforcement actions in real time. The research published through the Secure Care Research Institute provides deeper analysis of the threat landscape and its implications for independent providers.
Healthcare breaches cost an average of $9.8 million per incident. The Change Healthcare breach cost more than $2.8 billion and counting. And 35 to 40 percent of small breached practices close within two years.
The Change Healthcare attack was not an anomaly. It was a preview. The question for every independent practice is whether the lessons will be learned before or after the next one hits closer to home.
