More Than a Year After the Change Healthcare Attack: What Have We Learned?

June 27, 2025
The industry needs to be able to patch things more quickly than it does today, one expert says

On February 21, 2024, the healthcare industry received a major wake-up call when Change Healthcare reported a cybersecurity breach that caused prescription delays for numerous pharmacies. In the weeks and months that followed, many healthcare organizations struggled with cash flow, pushing some toward bankruptcy. UnitedHealth Group shared with TechCrunch on January 24 that it had determined the estimated total number of individuals impacted by the Change Healthcare cyberattack to be approximately 190 million. The cost related to the breach reached $3.1 billion, which UnitedHealth Group announced on January 16 when it released its financial results. Several health organizations filed lawsuits against UnitedHealth Group.

Before the New Year, Healthcare Innovation reported that cybersecurity experts predicted attacks would become more sophisticated, including the use of artificial intelligence (AI). Is the healthcare sector taking steps to protect itself? And if so, what are they doing?

In an interview with Healthcare Innovation, Dave Bailey, VP of Security Services at Clearwater, confirmed that the breach was a shock to the sector. This has led to a greater level of awareness. “I hope we're not losing that momentum a year later,” he noted. “I think that many organizations have been doing their best based upon the resources available to them to shore up protections, as well as plans, and their ability to respond to such a disruptive event.”

Bailey does believe the industry has learned from the event. “We're really good at being able to identify what's wrong, the ability to fix it, and to improve and continue to improve.” “We've come out with a lot of lessons learned, and we're trying to do a lot of things to raise awareness and make changes that are effective.” However, Bailey added, “I think we have a long way to go.” We need to make sure, Bailey advised, that we can minimize the impact of a ransomware attack. We need to make sure we can recover quickly.

Keep in mind, Bailey said, “Hospitals are operating on very small margins, so they have to be very specific in their spending and getting cybersecurity to the front center of that and making the investments that are needed.” Also, “There are major challenges for smaller to mid-size organizations. They have to operate as enterprises, no different than the larger companies, but they don't have the same amount of people, expertise, and resources.”

“There's so much good information and guidance out there. You have to understand the adversary, and there's enough information out there to know what the adversary is doing,” Bailey pointed out.

Bailey is a strong advocate for the idea that an organization should align its security program and practices with a recognized framework. He recommends 4D and 5D frameworks, specifically for healthcare.

Additionally, the industry needs to be able to patch things more quickly than it does today, Bailey remarked. “I think the industry can go a long way in preventing some of the attacks that are happening today, just by better protecting identity and people and patching their stuff quicker.” Some organizations use legacy equipment or are behind on patches. This is something that threat actors take advantage of, Bailey cautioned.

Meanwhile, Reps. Brian Fitzpatrick (R-PA) and Jason Crow (D-CO) introduced the Healthcare Cybersecurity Act to help healthcare providers better respond to cyber threats. The initiatives are designed to enhance coordination at the federal level, enabling government agencies to respond promptly to cyberattacks. The Healthcare Cybersecurity Bill would require the Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of Health and Human Services (HHS) to collaborate on improving cybersecurity in both the healthcare and public health sectors, James Coker with Infosecurity Magazine reported.

“We’re seeing rising evidence of cyberattacks against our healthcare systems,” Sen. Mark Warner (D-VA) posted on X earlier this month. “I’ve been raising the alarm about this for years – these novel threats have the potential to kneecap our hospitals and delay lifesaving care, and we need to be ready to face them.”

While cyber threats have been an ongoing topic nationwide, President Donald Trump’s fiscal 2026 budget proposal indicates a $491 million cut from the CISA budget. This represents a nearly 17 percent reduction from the agency’s $3 billion budget, CyberScoop’s Tim Starks reported on May 2. Top officials from CISA have reportedly been leaving the agency.

Back in March, at the HIMSS 2025 conference in Las Vegas, Healthcare Innovation’s Pietje Kobus attended several panels related to cybersecurity, where the Change Healthcare breach continued to be a topic of much discussion. The breach was called a game-changer. Experts reiterated the need for organizations to have an incident response plan ready.

The healthcare sector clearly remains a target for threat actors. Organizations are continuing to learn from last year’s wake-up call and are researching and implementing solutions to minimize the impact of future attacks. “We are making progress, but we must do more to stay ahead of today’s evolving threats and to be prepared for future threats,” HIMSS stated in its 2024 healthcare cybersecurity report.
