Change Healthcare disruption revisited

A ransomware attack on Change Healthcare in February 2024 froze a key payment and claims hub, cutting into pharmacy, hospital and doctor-office operations across the United States. (sec.gov) UnitedHealth Group said it detected the intrusion on February 21, 2024 and isolated affected Change Healthcare systems the same day to contain the attack. Change is part of Optum, which is owned by UnitedHealth Group. (sec.gov) Change Healthcare handles the back-end traffic of U.S. medicine: insurance eligibility checks, claims routing, payment processing and pharmacy transactions. When those systems went dark, the disruption spread from one vendor into thousands of providers and patients. (cms.gov) By mid-March 2024, the American Hospital Association said 94% of hospitals responding to its survey reported financial harm, 82% reported cash-flow problems and 74% reported direct patient-care impact. The survey covered nearly 1,000 hospitals between March 9 and March 12. (aha.org) The American Medical Association said physician practices also took a hit. In an informal survey of more than 1,400 respondents collected from March 26 to April 3, 2024, 80% said they lost revenue from unpaid claims and 85% said the attack affected timely patient care. (ama-assn.org) Federal health officials treated the outage as more than a billing problem. The Centers for Medicare and Medicaid Services said on March 6, 2024 that the attack had affected pharmacies, hospitals and physician offices and had disrupted some people’s ability to get care or prescriptions. (cms.gov) The Department of Health and Human Services Office for Civil Rights opened investigations into Change Healthcare and UnitedHealth Group and said the incident raised both patient-care and privacy questions under the Health Insurance Portability and Accountability Act. The agency issued a Dear Colleague letter on March 13, 2024. (hhs.gov) UnitedHealth said on March 18, 2024 that it had advanced more than $2 billion to affected providers, then said on April 16 that support had topped $6 billion. By July 2024, the company said it had provided more than $9 billion in advance funding and interest-free loans. (unitedhealthgroup.com 1) (unitedhealthgroup.com 2) (sec.gov) The privacy fallout kept growing after the systems came back. The Office for Civil Rights said Change Healthcare told the agency on January 24, 2025 that about 130 million breach notices had been sent and about 190 million people had been affected. (hhs.gov) A year later, the American Hospital Association said the attack had shown how a strike on one “mission-critical” third-party company could endanger patient access, eligibility checks, clinical operations and provider solvency at national scale. That is why the Change Healthcare outage is still being revisited in 2026: the weak point was not one hospital, but a shared system underneath many of them. (aha.org)