Change Healthcare fallout grows
- Reports say the Change Healthcare cyberattack affected roughly 100 million Americans, continuing cross‑sector fallout.
- The incident has drawn fresh criticism of UnitedHealth's cybersecurity and prompted calls for congressional oversight.
- The outage highlights concentration risk from central processors, with billing and care disruption showing cascading operational impact (chiefhealthcareexecutive.com).
The Change Healthcare cyberattack has grown from a billing outage into the largest known health-data breach in U.S. history, with about 190 million people affected. (hhs.gov) UnitedHealth said it detected the intrusion on February 21, 2024, inside Change Healthcare systems and cut affected networks off from the rest of its operations to contain the attack. Congress hauled in Chief Executive Officer Andrew Witty for Senate and House hearings on May 1, 2024. (sec.gov) (finance.senate.gov) (congress.gov)

Federal health officials said on March 13, 2024, that the outage was disrupting care and billing systems nationwide and opened a Health Insurance Portability and Accountability Act investigation into Change Healthcare and UnitedHealth. The Office for Civil Rights said its review would focus on whether protected health information was exposed and whether the companies complied with federal privacy and security rules. (hhs.gov)

Change is a clearinghouse, a middleman that routes claims and payments between doctors, hospitals, pharmacies, and insurers. The Treasury Department’s Office of Financial Research called it the largest medical claims clearinghouse in the United States and said the outage disrupted payment flows across healthcare. (financialresearch.gov)

That concentration showed up fast in clinics and pharmacies. The American Medical Association said Medicare opened advance-payment relief in March 2024, and physician surveys found unpaid claims, delayed submissions, and eligibility checks hitting practices’ cash flow. (ama-assn.org)

Hospital groups said the attack threatened provider solvency as claims processing and clinical operations stalled. The American Hospital Association said the disruption endangered access to care and exposed weak cyber preparedness across the sector. (aha.org)

The breach count itself kept climbing. HHS said Change Healthcare had sent notices tied to about 130 million people by January 24, 2025, and that roughly 190 million individuals were impacted overall. (hhs.gov)

The fallout did not end when systems came back online. CNBC reported on April 11, 2025, that UnitedHealth was pressing doctors to repay no-interest emergency loans issued during the outage, with some practices told to return hundreds of thousands of dollars on short notice. (cnbc.com)

Two years on, the Change attack is still being measured in missed payments, federal investigations, and breach notices landing in mailboxes. The central fact has not changed: one hit on a single processor was enough to jam billing and care operations across the country. (hhs.gov) (financialresearch.gov)