AHA report reveals ongoing risks from the Change Healthcare breach

On February 19, 2025, the American Hospital Association (AHA) released a report analyzing the lessons learned from the February 2024 cyberattack on Change Healthcare.

What happened 

The report discusses the unprecedented disruption caused by the attack, which impacted clinical and eligibility operations, threatened the financial solvency of healthcare providers, and endangered patient access to care nationwide. One of the report's main findings is that third-party cyber risk remains the most disruptive cyber threat to healthcare organizations. 

The report outlines specific actions healthcare organizations can take to mitigate cyber risks, including strengthening incident response planning, enhancing vendor security protocols, and improving system redundancies. To support hospitals and providers, the report also compiles resources from the AHA and federal agencies designed to help organizations bolster their cybersecurity defenses and reduce the risk of future large-scale cyberattacks.

The backstory

The Change Healthcare data breach, which occurred in February 2024, stands as the largest healthcare data breach in U.S. history, affecting approximately 190 million individuals. Initially, the breach was estimated to involve around 100 million people, but this figure was later revised upward as more information became available. 

The attack was attributed to the BlackCat ransomware group, which gained access to Change Healthcare's systems using compromised credentials for a Citrix server that lacked multi-factor authentication. This oversight allowed hackers to infiltrate the network and steal a substantial amount of data.

By the numbers 

1. 74% of hospitals reported direct patient care impacts, including delays in authorizations for medically necessary care.
2. 94% of hospitals reported financial impacts from the attack.
3. 33% of hospitals reported that over half of their revenue was disrupted.
4. 60% of hospitals required between two weeks to three months to resume normal operations.
5. $6.3 billion in claims value was lost in the first three weeks for 1,850 hospitals and 250,000 physicians, according to Kodiak Solutions.
   
   

What was said 

According to the report, “The cyberattack on Change Healthcare in February 2024 disrupted health care operations on an unprecedented national scale, endangering patients' access to care, disrupting critical clinical and eligibility operations, and threatening the solvency of the nation's provider network.”

Related: HIPAA Compliant Email: The Definitive Guide

FAQs

What kind of information was stolen in the breach?

The stolen data included names, addresses, Social Security numbers, health insurance information, and medical records.

Did Change Healthcare pay a ransom?

Yes, Change Healthcare paid a $22 million ransom to prevent the release of stolen data. However, the attackers performed an exit scam and did not delete the data as promised.

What assistance was provided to healthcare providers affected by the attack?

Optum introduced a temporary funding assistance program to help providers manage cash flow issues resulting from the disruption.