Change Healthcare Cyberattack Underscores Urgent Need to Strengthen Cyber Preparedness for Individual Health Care Organizations and as a Field
The cyberattack on Change Healthcare in February 2024 disrupted health care operations on an unprecedented national scale, endangering patients' access to care, disrupting critical clinical and eligibility operations, and threatening the solvency of the nation's provider network. It demonstrated that the national consequences of cyberattacks targeting mission-critical third-party providers can be even more devastating than when hospitals or health systems are attacked directly.
Incident Overview
Attack Target
Change Healthcare, a subsidiary of UnitedHealth Group, is the predominant source of more than 100 critical functions that keep the U.S. health care system operating. It annually processes 15 billion health care transactions — touching 1 in every 3 patient records — including insurance eligibility verification and authorization, drug prescriptions, claims transmittals and payment.
What Happened
On Feb. 21, 2024, an attack by the Russian ransomware group ALPHV BlackCat encrypted and incapacitated significant portions of Change Healthcare’s functionality.
Impact
The attack had significant care delivery and financial consequences for patients, providers and communities, endangering patients and threatening the solvency of U.S. health care providers. Every hospital in the country felt the impact, either directly or indirectly. Impacts varied depending on factors such as amount of cash reserves, vendor redundancy and reliance on Change Healthcare technology.
A March 2024 AHA survey of nearly 1,000 hospitals found:
- 74% reported direct patient care impact, including delays in authorizations for medically necessary care.
- 94% reported the attack impacted them financially.
- 33% reported the attack disrupted more than half of their revenue.
- 60% reported requiring two weeks to three months to resume normal operations once Change Healthcare’s full functionality was re-established.
Many providers were forced to seek alternate ways — including pulling from reserves or taking out private loans — to pay clinician and care team salaries, acquire necessary medicine and supplies, and pay for critical physical security, dietary and environmental services contract work. The need to rely on less efficient manual processes in place of electronic ones also added substantial administrative costs.
AHA Response
The AHA mobilized swiftly and served as a leading voice in the entire health care sector during the crisis. To facilitate collaboration, provide input and secure support, the AHA immediately engaged with top contacts at the White House, Congress, FBI, the Department of Health and Human Services (HHS) and Cybersecurity and Infrastructure Security Agency (CISA).
As UnitedHealth Group downplayed the severity of the event over the ensuing weeks, the AHA, among other actions, consistently set the record straight, informed the media and testified before Congress. These efforts ensured that Change Healthcare, not hospitals, bore responsibility for notifying patients of any data breach.
