The Change Healthcare hack wasn’t just a breach—it was a wake-up call

"The US healthcare system is broken" is not an uncommon phrase. With no universal healthcare coverage, administrative inefficiencies, and an under-resourced primary care system, it's so bad that falling ill could very well bankrupt a citizen.
In addition to tackling its systemic challenges, the healthcare industry also has to tackle an even worse enemy, in the form of cyberattacks. Hackers are increasingly exploiting the dysfunctional and inefficient cybersecurity systems in place, launching larger and more frequent attacks with alarming ease. Healthcare institutions are constantly struggling to fight back against security breaches. The most recent addition to that long list is the Change Healthcare data breach. It is incidentally also the largest healthcare breach ever reported in the United States.
So, let's look briefly at what happened with the Change Healthcare breach, what you can learn from it, and how we can prevent such attacks going forward.
What went wrong at Change Healthcare?
In February 2024, Change Healthcare—a subsidiary of UnitedHealth Group (UHG) and one of the largest health payment processors—suffered a massive ransomware attack. Hackers used compromised credentials to log into the Citrix portal (a remote access service), exploiting the absence of multi-factor authentication (MFA) protocols. They moved laterally within the system, stole sensitive data—including names, Social Security numbers, and medical records—then deployed ransomware that shut down over 100 critical software systems. The breach disrupted thousands of hospitals and medical practices, delaying patient care and financial operations for months.
The BlackCat (ALPHV) ransomware group was behind the attack, to which UHG reportedly paid a $22 million ransom. However, the stolen data was not deleted, and two months later, another group, RansomHub, claimed possession of it, leaked samples online, and demanded a fresh ransom. It's still unclear if the second ransom was paid.
The breach is expected to have cost over $2.9 billion in recovery expenses, legal fees, and settlements, highlighting severe vulnerabilities in healthcare cybersecurity.
How the attack exposed America's fragile healthcare system
The Change Healthcare attack highlights deeper systemic failures in the American healthcare system.
Profit-driven healthcare prioritizes cost-cutting over vital security measures, leading to understaffing, outsourcing, and the use of outdated systems to handle sensitive data.
The growing monopolization of healthcare infrastructure creates systemic fragility, where an attack on a single company can disrupt the entire system.
Federal cybersecurity mandates, including HIPAA, remain insufficient and primarily reactive, without enforcing proactive security measures.
Bureaucracy takes precedence over direct patient care: the attack made it evident that healthcare operations can be paralyzed just by attacking the billing and insurance processing systems.
A wake-up call to reevaluate your organization's cybersecurity state
While governments, regulatory bodies, and other authorities continue to work to bridge these systemic gaps that created the vulnerabilities in the first place, the bigger question remains: what do you do until then?
For starters, you can bolster your existing IT infrastructure. Regardless of the size of the organization or whether it has undergone a merger (like Change Healthcare), regular security risk assessments—particularly for data protection—are essential.
Our printable infographic on "Healthcare data security: Challenges, costs, and safeguards" sheds light on the rampant increase of cyberattacks in the healthcare industry, what data threats you need to be on the lookout for, and how you can prevent cyberattacks—or at the very least, better prepare to respond to cyber threats.
What will you learn from this infographic?
Importance of data security in healthcare
The cost of a healthcare data breach
What makes securing healthcare data hard?
The top 5 threats to the healthcare industry