Tag: Zac Amos

What We Can Learn From the Change Healthcare Hack


The health care sector is no stranger to cyberattacks. Still, large incidents like the February 2024 ransomware attack on Change Healthcare are enough to shake up the industry. In the wake of such a massive breach, medical organizations of all types and sizes should take the opportunity to review their security postures.

What Happened in the Change Healthcare Cyberattack

On February 21, Change Healthcare — the largest medical clearinghouse in the U.S. — suffered a ransomware attack, forcing it to take over 100 systems offline. Many of its electronic services remained down for weeks, with full restoration taking until early April.

A week after the attack, the infamous ransomware-as-a-service gang BlackCat claimed responsibility. BlackCat was also responsible for 2021’s Colonial Pipeline shutdown and several attacks on health care organizations throughout 2023. This latest act against Change Healthcare, however, stands as one of its most disruptive yet.

Because Change and its parent company — UnitedHealth Group (UHG) — are such central industry players, the hack had industry-wide ripple effects. A staggering 94% of U.S. hospitals suffered financial consequences from the incident and 74% experienced a direct impact on patient care. Change’s services affect one in every three patient records, so the massive outage created a snowball effect of disruptions, delays and losses.

Most of Change’s pharmacy and electronic payment services came back online by March 15. As of early April, nearly everything is running again, but the financial fallout continues for many enterprises reliant on UHG, thanks to substantial backlogs.

What It Means for the Broader Health Care Sector

Considering the Change Healthcare cyberattack affected almost the entire medical sector, it has significant implications. Even the few medical groups untouched by the hack should consider what it means for the future of health care security.

1. No Organization Is an Island

It’s difficult to ignore that an attack on a single entity impacted almost all hospitals in the U.S. This massive ripple effect highlights how no business in this industry is a self-contained unit. Third-party vulnerabilities affect everyone, so due diligence and thoughtful access restrictions are essential.

While the Change Healthcare hack is an extreme example, it’s not the first time the medical sector has seen large third-party breaches. In 2021, the Red Cross experienced a breach of over 515,000 patient records when attackers targeted its data storage partner.

Health care enterprises rely on multiple external services, and each of these connections represents another vulnerability they have little control over. In light of that risk, they must be more selective about who they do business with. Even with trusted partners like UHG, brands must restrict data access privileges as much as possible and demand high security standards.

2. Centralization Makes the Industry Vulnerable

Relatedly, this attack reveals how centralized the industry has become. Not only are third-party dependencies common, but many organizations depend on the same third parties. That centralization makes these vulnerabilities exponentially more dangerous, as one attack can affect the whole sector.

The health care industry must move past these single points of failure. Some external dependencies are inevitable, but medical groups should avoid them wherever possible. Splitting tasks between multiple vendors may be necessary to reduce the impact of a single breach.

Regulatory changes may support this shift. During a Congressional hearing on the incident, some lawmakers expressed concerns over consolidation in the health care industry and the cyber risks it poses. This growing sentiment could lead to a sector-wide reorganization, but in the meantime, private companies should take the initiative to move away from large centralized dependencies where they can.
