The Intake

Insights for those starting, managing, and growing independent healthcare practices

Key lessons from the Change Healthcare cyberattack

Discover how the Change Healthcare cyberattack has revealed crucial cybersecurity lessons — and learn strategies to protect your practice against the ever-evolving threat of ransomware.

Key lessons from the Change Healthcare cyberattack

At a Glance

  • The Change Healthcare incident underscores the necessity of having comprehensive BCDR plans that should include data backups, recovery procedures, communication protocols, and more
  • Ransomware attacks open up the potential for regulatory penalties, lawsuits, reputational damage, and continuous extortion attempts
  • It’s crucial to have a layered security approach that includes both technical solutions and comprehensive employee training to reduce the risk of ransomware attacks

On February 21st, 2024, Change Healthcare, a significant entity within the United States healthcare system, fell victim to a ransomware attack, causing disruptions for healthcare organizations nationwide. Deemed as the most severe incident of its nature by the American Hospital Association, this cyber breach threatens a vast network managing 1 in 3 patient records and 15 billion healthcare transactions annually.

The impact extended throughout the sector, affecting approximately 800,000 physicians, 117,000 dentists, 60,000 pharmacies, 5,500 hospitals, and virtually all government and commercial stakeholders.

By actively engaging with the ongoing developments of this cyber attack, healthcare practices can extract invaluable lessons to enhance their resilience against future threats. 

This article looks at the proactive measures practices can take to safeguard patient care continuity, mitigate financial risks, and counteract potential adverse impacts on operations.

What is the Change Healthcare cyberattack?

Change Healthcare, a subsidiary responsible for managing patient records, revenue cycles, and prescriptions for Optum, fell victim to a ransomware assault orchestrated by ALPHV/BlackCat. In response, United Healthcare Group (UHG), the parent company of Optum, swiftly disconnected Change Healthcare to contain the breach. 

The repercussions of this shutdown are estimated to be disrupting over $100 million in daily provider reimbursement, potentially leading to various provider-related ramifications, such as:

  • Issues filling prescriptions
  • Unprocessed claims
  • Missing ERA 
  • Delayed provider reimbursement
  • Potential timely filing issues for impacted claims
  • Failed eligibility transactions 

A recent announcement from Change Healthcare stated that they expect to begin testing and reestablish connectivity to their claims network and software on March 18, restoring service through that week.

The attack on Change Healthcare highlights the ever-present threat of cyberattacks in the healthcare industry. What can we learn from this catastrophic event? 

Lessons learned from the Change Healthcare cyberattack

Learn key takeaways from the Change Healthcare outage to better protect your practice.

1. Business Continuity and Disaster Recovery (BCDR) plans are crucial

The Change Healthcare incident serves as a stark reminder that simply having backups isn't enough. 

Recovery from ransomware attacks may take longer than expected. Having a well-defined BCDR plan outlines the steps to take in the event of a cyberattack or other disaster. 

This plan should include:

  • Data backups and recovery procedures
  • Communication protocols for notifying stakeholders
  • Alternate methods for performing critical business functions
  • Disaster recovery testing to ensure plan effectiveness

Ransomware attacks can exploit various vulnerabilities, so a layered security approach that combines firewalls, intrusion detection systems, data encryption, and employee training can significantly reduce the risk of successful attacks.

Not all systems are equally critical. That’s why a BCDR plan should prioritize restoring the most essential functions to minimize disruption and patient safety concerns.

Optimize Operations

2. Paying the ransom is not a guaranteed solution 

The recent Change Healthcare breach offers a chilling example of why paying a ransom is a gamble with potentially devastating consequences. 

Despite reportedly paying $22 million to the ALPHV/BlackCat ransomware gang, Change Healthcare finds itself in a precarious position. Despite the massive payment, a BlackCat affiliate claims that BlackCat kept the full ransom while still retaining possession of over 4TB of stolen data from insurance companies and pharmacies.

"This leaves Change Healthcare vulnerable to regulatory penalties, lawsuits, and disastrous consequences if that sensitive data is leaked — even after paying a king's ransom. And with the disgruntled attacker controlling the data, the extortion risks remain," Jesse Salmon, Manager of Information Security at Tebra, says.

Here's specifically what Change Healthcare could be exposed to:

  • Regulatory penalties: Data breaches can trigger large fines and sanctions from regulatory bodies.
  • Lawsuits: Affected patients and partners might file lawsuits seeking compensation for compromised data.
  • Reputational damage: A public data leak could severely damage Change Healthcare's reputation and erode trust with its customers.
  • Never-ending extortion: Paying a ransom doesn't guarantee an end of an ordeal. Change Healthcare remains vulnerable to further extortion attempts. This creates a cycle of fear and uncertainty, with no clear path to resolution.

The case underscores the importance of a proactive approach to cybersecurity. Investing in robust defenses, maintaining secure backups, and having a solid incident response plan are far more effective strategies than succumbing to extortion.

3. Human error is the primary cause of ransomware attacks

While sophisticated hacking techniques exist, a surprising number of ransomware attacks exploit human vulnerabilities. Criminals keep improving at looking and appearing like normal actors.

A growing trend is an increasingly sophisticated set of identity-fraud and social engineering hacks. "Criminals are also becoming more aggressive in setting up seemingly real interactions for soliciting personal information they can use to get access to accounts," Anthony Comfort, VP of Product Management at Tebra, says.

Criminals are also becoming more aggressive in setting up seemingly real interactions for soliciting personal information they can use to get access to accounts.
Anthony Comfort, VP of Product Management at Tebra

Criminals are using AI tools to fake government IDs and other identification means. Comfort also explains another common cyberattack:

"They’ll set up email addresses that look exactly like your bank, solicit information from you by requesting you 'follow a link,' which then takes you to a website that looks exactly like your bank’s — only it is not. You’ll attempt to login and they’ll capture your username and password. You’ll even be redirected to a bank account homepage with some kind of error message. At this point, they have your username/password and can start trying those credentials on many different websites. This is also why it is important to use a different password on each site — something that a password manager makes it easy to accommodate."

This highlights the importance of following best practices — like not clicking on suspicious links and also having unique passwords for each website.

Here's some other examples of why human error plays such a significant role:

  • Phishing: These types of emails are a common tactic used by attackers. These emails often appear legitimate, tricking recipients into clicking malicious links or downloading infected attachments that unleash ransomware. This could include things like falling for phishing emails disguised as patient referrals or clicking on malicious links in appointment reminders.
  • Unintentional insider threats: Even well-meaning employees can inadvertently create openings for attackers.  Clicking on the wrong link, falling for a phishing attempt, or using weak passwords can all provide a foothold for ransomware.
  • Lack of awareness: Cybersecurity awareness training equips employees to identify and avoid common threats. Without proper training, employees may not recognize the risks associated with suspicious emails, websites, or software downloads.

Combine technical solutions with employee training

By focusing solely on complex technical defenses, practices miss a crucial element of the cybersecurity equation: the human factor. 

Effective ransomware prevention requires a layered approach that combines robust technical solutions with comprehensive employee training.  This "defense in depth" strategy significantly reduces the risk of human error becoming the entry point for a devastating attack.

Consider engaging a vendor to provide security awareness training on a recurring basis. "These services can provide comprehensive reviews of the latest learnings about different security threats and show your staff how to be vigilant for them," Comfort notes.

Stay informed on cyberattacks 

For ongoing vigilance about new cyber threats and evolving security best practices, subscribe to authoritative threat intelligence feeds and advisories from trusted sources such as:

For more tips on how to stay informed on cyberattacks, check out our guide "Physician cybersecurity: 9 tips to protect patient health records from cyberattacks."

Subscribe to The Intake:
A weekly check-up for your independent practice

Becky Whittaker, specialist SEO copywriter

Becky Whittaker is a specialist SEO copywriter with over a decade of experience and an interest in healthcare and legal marketing. Becky believes that independent practices are critical because they have more opportunities to deliver better patient care and personalize patients’ experiences. She also has a personal connection to the healthcare industry, as her sister-in-law is a pediatrician.

Get expert tips, guides, and valuable insights for your healthcare practice