Awareness article
Change Healthcare Breach Lessons
A case study of the February 2024 Change Healthcare cyberattack and the specific compliance and operational gaps it exposed for small medical practices.
Short answer
The February 2024 ransomware attack on Change Healthcare disrupted prescription processing, prior authorizations, and claims submission for thousands of provider offices. HHS responded with guidance directing covered entities to reassess their vendor dependencies and incident response plans. Small clinics dependent on a single clearinghouse or billing vendor are exposed to the same category of risk.
In February 2024, a ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group, disrupted one of the largest healthcare payment processing networks in the United States. The incident affected prescription processing, prior authorizations, claims submission, and eligibility verification for provider offices across the country.
For small clinics, the attack was not a distant enterprise problem. It was a direct operational failure affecting practices that depended on Change Healthcare or its downstream network for daily billing and prior authorization tasks.
What happened
The attack began on February 21, 2024. Change Healthcare took its systems offline in response, causing immediate disruption to services that process an estimated one-third of all US healthcare transactions. Pharmacies could not verify insurance for prescriptions. Provider offices lost the ability to submit claims electronically or receive prior authorization responses.
HHS issued a statement on February 29, 2024 acknowledging the scope of the incident and directing its components, including OCR and the Centers for Medicare and Medicaid Services, to take steps to support affected providers. Post-incident reporting, including testimony before Congress, identified the absence of multi-factor authentication on certain remote access systems as a factor in the initial intrusion.
What HHS and OCR said
OCR published a Dear Colleague letter that was direct about covered entity obligations. The key points:
- Covered entities retain their HIPAA compliance responsibilities even when a business associate is the party that suffered the breach.
- If Change Healthcare could not complete breach notifications to affected individuals within the required timeframes, covered entities should consider whether they needed to send those notifications themselves.
- Covered entities should review their BAAs with Change Healthcare and any substitute vendors brought in during the outage to confirm that HIPAA-required provisions were in place.
- Incident response plans should specifically address what the clinic does when a critical BA goes offline.
OCR also clarified that it would exercise enforcement discretion in certain areas for providers significantly affected by the outage, but did not waive breach notification obligations.
What small clinics should take away
Single-vendor concentration is a compliance risk, not just a business risk. A clinic whose entire claims operation runs through one clearinghouse has no fallback if that clearinghouse is offline for days or weeks. The Change Healthcare outage lasted long enough that many clinics could not submit claims or receive reimbursement for an extended period. Incident response plans that do not address BA outages are incomplete.
BAAs must exist for every BA. Some clinics affected by the outage were using services connected to Change Healthcare indirectly through billing vendors. If a BA subcontracts to another entity that touches PHI, the subcontractor is also a BA and requires a BAA. Tracking this dependency chain is a basic requirement under 45 CFR 164.314.
MFA is not optional. HIPAA’s Security Rule does not mandate MFA by name, but the access control standard at 45 CFR 164.312(a)(2)(ii) requires entities to assign a unique user name to each user and establish controls for emergency access. Risk analysis must evaluate authentication controls. A risk analysis that concludes MFA is not required for remote access to PHI-bearing systems will face scrutiny after an incident.
Notification obligations stay with the covered entity. When a BA is breached, the covered entity cannot assume the BA will handle notifications. The BA has an obligation to notify the covered entity under 45 CFR 164.410. The covered entity then has its own obligation to notify affected individuals within 60 days of discovery. A clinic that waited for Change Healthcare to complete notifications without independently tracking its own deadline may have missed its window.
What a prepared clinic looks like
A clinic that came through the Change Healthcare incident with a defensible posture likely had:
- a current BAA on file for Change Healthcare and every billing vendor
- a vendor dependency list it actually maintained
- a written incident response plan that addressed a BA outage scenario, even at a high level
- at least one backup billing or claims submission path identified before the outage occurred
Most small clinics did not have all four. The incident was a stress test, and the results were public.
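The dependency-chain, BAA, MFA and notification-deadline points above, together with the four items in the prepared-clinic list, can be turned into a simple self-check. The script below is an added example and is not code from the article or from PHIGuard; the vendor names, the data model and the rules it applies are constructed assumptions. It walks a clinic's vendor list including subcontractors, flags any PHI-handling entity without a BAA, flags remote access to PHI systems without MFA, reports services that have only one submission path or whose paths all run through the same vendor (the indirect Change Healthcare dependency described above), and computes the 60-day notification deadline from a discovery date.

```python
"""Vendor dependency and notification-clock self-check for a small clinic.

Constructed example for illustration. Vendor names, the data model and the
rules below are assumptions, not PHIGuard's code or an official HIPAA tool.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Iterator, List, Optional, Tuple

NOTIFICATION_WINDOW_DAYS = 60  # covered entity deadline from discovery


@dataclass
class Vendor:
    name: str
    touches_phi: bool                         # handles PHI on the clinic's behalf
    baa_on_file: bool                         # clinic holds a signed BAA
    remote_access_mfa: Optional[bool] = None  # None: no remote access to PHI systems
    services: Tuple[str, ...] = ()            # e.g. ("claims", "prior_auth")
    subcontractors: List["Vendor"] = field(default_factory=list)


def walk_chain(vendor: Vendor, via: Optional[str] = None) -> Iterator[Tuple[Vendor, Optional[str]]]:
    """Yield (vendor, name of the vendor it was reached through), depth-first."""
    yield vendor, via
    for sub in vendor.subcontractors:
        yield from walk_chain(sub, vendor.name)


def chain_names(vendor: Vendor) -> set:
    return {v.name for v, _ in walk_chain(vendor)}


def chain_services(vendor: Vendor) -> set:
    out = set()
    for v, _ in walk_chain(vendor):
        out.update(v.services)
    return out


def audit_dependencies(vendors: List[Vendor]) -> List[tuple]:
    """Return findings as tuples: (kind, subject, detail)."""
    findings, seen = [], set()
    # Per-vendor checks across the whole subcontractor chain, each vendor once.
    for top in vendors:
        for v, via in walk_chain(top):
            if v.name in seen:
                continue
            seen.add(v.name)
            if v.touches_phi and not v.baa_on_file:
                findings.append(("missing_baa", v.name, via))
            if v.touches_phi and v.remote_access_mfa is False:
                findings.append(("no_mfa", v.name, via))
    # Concentration checks: one path, or several paths sharing a vendor.
    services = set()
    for top in vendors:
        services |= chain_services(top)
    for svc in sorted(services):
        paths = [t for t in vendors if svc in chain_services(t)]
        if len(paths) == 1:
            findings.append(("single_path", svc, paths[0].name))
            continue
        shared = set.intersection(*(chain_names(t) for t in paths))
        for name in sorted(shared):
            findings.append(("shared_dependency", svc, name))
    return findings


def notification_status(discovered_iso: str, today_iso: str) -> Tuple[str, int]:
    """Return (deadline as ISO date, days left) for the 60-day clock."""
    discovered = date.fromisoformat(discovered_iso)
    deadline = discovered + timedelta(days=NOTIFICATION_WINDOW_DAYS)
    return deadline.isoformat(), (deadline - date.fromisoformat(today_iso)).days


# Constructed inventory: claims go both directly to the clearinghouse and
# through a billing vendor that itself routes to the same clearinghouse.
CLEARINGHOUSE = Vendor("ExampleClearinghouse", touches_phi=True, baa_on_file=False,
                       remote_access_mfa=False,
                       services=("claims", "prior_auth", "eligibility"))
BILLING = Vendor("ExampleBillingCo", touches_phi=True, baa_on_file=True,
                 services=("claims",), subcontractors=[CLEARINGHOUSE])
EHR = Vendor("ExampleEHR", touches_phi=True, baa_on_file=True,
             remote_access_mfa=True, services=("eligibility",))
CLINIC_VENDORS = [BILLING, CLEARINGHOUSE, EHR]

if __name__ == "__main__":
    for finding in audit_dependencies(CLINIC_VENDORS):
        print(finding)
    # Placeholder discovery date; a real clinic uses its own discovery date.
    print("notify by %s, %d days left" % notification_status("2024-02-21", "2024-03-20"))
```

In the constructed inventory the clearinghouse is only caught because the walk follows the billing vendor's subcontractor list; a flat vendor list would have shown a signed BAA for the billing vendor and nothing else. Eligibility produces no concentration finding because the EHR path shares no vendor with the other two, which is the "backup path identified before the outage" condition from the list above.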
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current limited offer details.
Sources
- HHS Statement on Change Healthcare Cyberattack · HHS
- HHS OCR Dear Colleague Letter - Change Healthcare · HHS OCR
- Breach Notification Rule · HHS OCR
- 45 CFR Parts 160 and 164 · eCFR