Change Healthcare fallout continues
Legislative and operational aftershocks from the Change Healthcare cyberattack are still unfolding, leaving organizations and individuals exposed to disruptions in prescriptions, claims and care coordination. Observers warn that the attack’s consequences remain a workstream for policy and operational fixes. (pharmacytimes.com)
One ransomware attack in February 2024 did not just lock one company’s computers. It jammed a payments switch used across American health care, and pharmacies, hospitals, and doctors’ offices were still rerouting around it long after the first outage alerts went out. (pharmacytimes.com) Change Healthcare sits in the middle of the system like a toll booth for medical billing. When UnitedHealth Group took its systems offline on February 21, 2024, claims and payment traffic that normally moved in seconds started backing up nationwide. (congress.gov, unitedhealthgroup.com) The prescription side broke first for many patients because pharmacies rely on those electronic links to check coverage in real time. Pharmacy Times reported that more than 90% of the nation’s 70,000 pharmacies had to improvise electronic workarounds, while the rest went offline. (pharmacytimes.com) Doctors then ran into a simpler problem: they were treating patients but not getting paid. An American Medical Association survey of more than 1,400 respondents in late March and early April 2024 found widespread cash-flow stress as claims stalled. (ama-assn.org) Federal officials responded with emergency cash because ordinary billing had stopped moving. The Centers for Medicare & Medicaid Services launched accelerated payments in early March 2024 and later said the temporary program would close once the immediate Medicare funding crunch eased. (cms.gov) The privacy damage kept growing after the operational damage. The Department of Health and Human Services said its Office for Civil Rights opened investigations into Change Healthcare and UnitedHealth Group over possible breaches of protected health information and compliance with federal privacy rules. (hhs.gov) By 2026, the fallout had moved into courtrooms as well as clinics. Iowa Attorney General Brenna Bird sued Change Healthcare, Optum, and UnitedHealth Group on March 31, 2026, alleging the 2024 attack exposed data from 192.7 million Americans, including about 2.2 million Iowans. (iowaattorneygeneral.gov) Congress has treated the attack as a warning about concentration as much as cybersecurity. A Congressional Research Service brief and House Energy and Commerce Committee scrutiny both focused on how one clearinghouse became important enough that one shutdown could disrupt care nationwide. (congress.gov, energycommerce.house.gov) The policy response is now shifting from emergency patches to harder rules. In December 2024, the Department of Health and Human Services proposed changes to the Health Insurance Portability and Accountability Act security rule that would require stronger cybersecurity steps for health plans, clearinghouses, and many providers. (hhs.gov) That is why the story is still alive two years later. The computers came back in stages, but the bills, investigations, lawsuits, provider loan disputes, and rulemaking calendar kept moving long after the first servers were restored. (finance.senate.gov, pharmacytimes.com)
