On Feb. 21, 2024, the Russian ransomware group ALPHV, also known as BlackCat, launched a crippling cyberattack on Change Healthcare, encrypting and disabling large portions of its operations. As the largest clearinghouse for medical claims in the U.S., Change Healthcare processes nearly 15 billion transactions annually, interacting with one in three patient records. The attack sent shockwaves through the healthcare industry, disrupting care delivery and threatening the financial stability of hospitals nationwide.
“While we were not directly compromised, the disruption to Change Healthcare’s services affected critical operational and financial processes, particularly in revenue cycle management and claims processing,” Muhammad Siddiqui, CIO of Richmond, Ind.-based Reid Health, told Becker’s. “Like many health systems, we had to pivot quickly to mitigate disruptions, ensuring that patient care remained our top priority while addressing financial bottlenecks caused by delays in claims and payment processing.”
Mr. Siddiqui said the immediate response required a coordinated effort across Reid Health’s IT, finance and clinical teams to maintain operations. While contingency plans helped sustain care, financial repercussions—such as delayed reimbursements—took time to resolve.
“Full recovery extended beyond the initial outage as we worked through backlog issues and assessed long-term risk mitigation strategies,” he said. “Some payer contracts even required renegotiation due to delayed reimbursements.”
The financial and operational impact of the attack was widespread. A March 2024 survey by the American Hospital Association revealed that 74% of hospitals experienced direct patient care disruptions, including delays in authorizations for medically necessary treatments. Financial fallout was significant, with 94% of hospitals reporting economic strain and 33% saying the attack disrupted more than half of their revenue. Recovery was slow, as 60% of hospitals required anywhere from two weeks to three months to fully restore normal operations after Change Healthcare’s systems were reinstated.
“The Change Healthcare attack remains the most significant and consequential cyberattack against U.S. healthcare in history,” John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, told Becker’s.
Beyond the immediate disruption, many providers faced ongoing financial and operational challenges.
“We understand that there were revenue disruptions for many providers which lasted for months as many struggled with unfamiliar or inefficient work-around processes, which led to subsequent claims denials and continuing delayed reimbursements,” Mr. Riggi said. “Additionally, providers electing to utilize Change once again after the clearinghouse systems were verified as secure needed to expend considerable time and resources in reconnecting to the servers, as many had to essentially start from square one.”
The breach also had lasting implications for patients.
“For 190 million Americans, whose protected health information was stolen during the attack, the effects and risk could linger for years,” Mr. Riggi said. “The exposure of their sensitive health information is very concerning for privacy and security reasons. For example, it could also lead to increased risk of identity theft or other financial crimes committed in their names.”
The incident underscored how a disruption to one key player could ripple across the entire healthcare system, jeopardizing financial stability and patient care on a national scale.
“It has become crystal clear that the concentration of systemic mission-critical services and aggregation of a vast amount of protected healthcare information at Change created enormous risk,” Mr. Riggi said. “The lack of the availability of their market-dominant clearinghouse services such as prescription services, health insurance verifications, prior authorizations, claims and other revenue cycle services created widespread disruption for healthcare providers and patients.”
In response to the incident, Reid Health has since diversified its clearinghouse partnerships, implemented stricter vendor oversight—including requiring subcontractor disclosures and rigorous cybersecurity audits—and strengthened its internal security protocols with multifactor authentication, network segmentation and real-time threat monitoring.
But has healthcare learned from the incident? While the industry has taken steps to address cybersecurity risks, more work remains, according to Mr. Siddiqui.
“This event was a wake-up call, but systemic change requires stronger collaboration between healthcare providers, vendors and regulatory agencies,” he said. “Proactive cybersecurity measures, more stringent vendor accountability and improved response frameworks must remain top priorities to prevent a repeat of this crisis.”
Mr. Riggi echoed the need for long-term industry-wide improvements.
“This attack created an urgency for healthcare organizations to review their third-party risk management programs and to identify mission-critical and life-critical service providers, and to build in redundancy and resiliency for those services where they can,” he said.
However, implementing redundancy measures is not always straightforward.
“Although many healthcare organizations seek to avoid ‘exclusivity clauses’ from clearinghouses, it is not a simple matter to have an alternate standing by,” Mr. Riggi said. “To have a backup clearinghouse in place to avoid the issues experienced with Change may come with a hefty price tag. It may also be impractical since some HIPAA transactions only allow one registration with a health plan for particular transactions.”
Moving forward, Mr. Riggi emphasized that clearinghouses must take greater responsibility in ensuring their own cybersecurity.
“It must be the obligation of the clearinghouses to ensure they have reliable, redundant and resilient systems in place to prevent and recover from cyberattacks,” he said. “The AHA has also been working with other healthcare sector organizations to identify systemic, mission-critical technologies, service providers and supply chains. The goal of the project is to understand the impact a loss of those services would have on the sector and to develop joint healthcare sector and government incident response plans.”