Change Healthcare 2024: When an Invisible Intermediary Took Down a National System
What failed, why claims and payments stopped flowing for months, and what every organisation built on concentrated intermediaries should be rehearsing now.
Executive Summary
On February 21, 2024, a ransomware attack attributed to the ALPHV/BlackCat group forced Change Healthcare to shut down its systems. Change Healthcare processed approximately 15 billion healthcare transactions per year, touching roughly one in three US patient records and connecting 900,000 physicians, 33,000 pharmacies, and 5,500 hospitals. The attack compromised protected health information for approximately 190 million individuals, the largest medical data breach in US history. Claims stopped processing. Pharmacy workflows broke. Provider payments froze. UnitedHealth Group, Change Healthcare's parent company, ultimately reported $3.09 billion in total costs from the incident and advanced $6 billion in emergency funding to keep providers financially afloat. The clearing service did not resume full operations until November 2024, nine months after the attack. This paper examines what failed, why a single intermediary's compromise cascaded into a national healthcare crisis, and what resilience leaders in any sector should be rehearsing now.
What Failed
Change Healthcare operated as a clearinghouse — a transaction layer that sat between healthcare providers, insurers, and pharmacies, routing claims, eligibility checks, prior authorisations, and payment flows. Most patients had never heard of it. Most providers interacted with it every day without thinking about it. It was infrastructure so deeply embedded that its presence was invisible, and its absence was catastrophic.
On February 12, 2024, attackers accessed Change Healthcare's systems using compromised credentials on a Citrix remote access portal that lacked multi-factor authentication, so the stolen credentials alone were sufficient to get in. According to UnitedHealth's later testimony to Congress, they moved laterally through the environment for nine days without being detected before deploying ransomware on February 21. Change Healthcare detected the attack and took its systems offline. When it did, the transaction layer that connected a significant portion of the US healthcare system went with it.
Claims could not be submitted. Eligibility checks could not be run. Prior authorisations could not be processed. Pharmacy systems that depended on Change Healthcare for insurance verification could not complete transactions. Payment flows from insurers to providers stopped. The operational backbone of day-to-day healthcare administration was severed, and there was no immediate alternative that could absorb the volume.
Why the Impact Spread
Change Healthcare's role in the US healthcare system was not that of a typical vendor. It was market infrastructure. The distinction matters because it explains why the attack on a single company produced a national disruption.
A vendor provides a service to its customers. If it goes down, those customers are affected. Market infrastructure provides a shared transaction layer that an entire sector depends on to operate. If it goes down, the sector loses the ability to conduct core business processes. That is what happened. Providers who had no say in Change Healthcare's security posture, who had done nothing wrong, and who had no ability to influence the recovery timeline were unable to get paid, unable to verify insurance, and unable to process the administrative work that keeps a healthcare operation financially viable.
This is the specific form of concentration risk that boards and resilience leaders in every sector need to understand: the intermediary that everyone depends on but nobody controls. It exists in healthcare clearinghouses, payment processors, identity providers, DNS infrastructure, cloud platforms, and telecommunications networks. The Change Healthcare incident is the most expensive demonstration to date of what happens when that intermediary fails.
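The vendor-versus-infrastructure distinction above can be made concrete by mapping each revenue-bearing process to the intermediaries it transits and asking how much revenue stops when any single one goes dark. The following is an added worked example, not code from the original paper or from any organisation it describes; the process names, revenue shares, fallback routes and capacities are constructed for a hypothetical mid-sized provider, and the 25% "infrastructure" threshold is a made-up policy knob.

```python
"""Rank intermediaries by the revenue that stops when each one alone fails.

Added example with constructed data. A process keeps flowing only through
routes whose intermediary is still up; fallbacks (manual portals, phone
verification, a bank lockbox) carry only a fraction of normal volume.
"""
from dataclasses import dataclass, field


@dataclass
class Route:
    intermediary: str
    capacity: float = 1.0  # fraction of the process's normal volume this route can carry


@dataclass
class Process:
    name: str
    revenue_share: float   # share of annual revenue that depends on this process
    routes: list = field(default_factory=list)  # primary route first, then fallbacks


# Constructed dependency map (hypothetical names and figures).
PROCESSES = [
    Process("claims submission", 0.50,
            [Route("clearinghouse-A"), Route("payer-portal-manual", 0.15)]),
    Process("eligibility checks", 0.15,
            [Route("clearinghouse-A"), Route("phone-verification", 0.10)]),
    Process("prior authorisation", 0.10,
            [Route("clearinghouse-A")]),                 # no fallback at all
    Process("remittance posting", 0.15,
            [Route("clearinghouse-A"), Route("lockbox-bank", 0.50)]),
    Process("patient self-pay", 0.10,
            [Route("card-processor-B"), Route("cash-or-cheque", 1.0)]),
]


def residual_capacity(proc, down):
    """Fraction of the process's volume that still has a route when the
    intermediaries in `down` are offline (surviving capacities add, capped at 1)."""
    return min(1.0, sum(r.capacity for r in proc.routes if r.intermediary not in down))


def revenue_stopped(down, processes=PROCESSES):
    """Share of total revenue that cannot flow while `down` is offline."""
    return round(sum(p.revenue_share * (1 - residual_capacity(p, down))
                     for p in processes), 4)


def blocked_processes(down, processes=PROCESSES):
    """Processes with no surviving route whatsoever."""
    return [p.name for p in processes if residual_capacity(p, down) == 0.0]


def rank_intermediaries(processes=PROCESSES):
    """Every intermediary in the map, worst single-point-of-failure first."""
    names = {r.intermediary for p in processes for r in p.routes}
    ranked = [(n, revenue_stopped({n}, processes)) for n in names]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def classify(intermediary, processes=PROCESSES, threshold=0.25):
    """'infrastructure' if the loss of this one party alone stops more than
    `threshold` of revenue, otherwise 'vendor'. The threshold is a constructed knob."""
    return "infrastructure" if revenue_stopped({intermediary}, processes) > threshold else "vendor"


if __name__ == "__main__":
    for name, stopped in rank_intermediaries():
        print(f"{name:22s} stops {stopped:6.1%} of revenue  -> {classify(name)}")
    print("no route at all:", blocked_processes({"clearinghouse-A"}))
```

In the constructed map the clearinghouse alone stops 73.5% of revenue and leaves prior authorisation with no route at all, which is the "infrastructure" signature the paper describes; the card processor, with a full-capacity fallback, ranks as an ordinary vendor. The useful output is not the number but the processes whose only route is the shared intermediary, because those are the ones for which a tested fallback has to exist before the outage.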
The Cash Flow Crisis
What made Change Healthcare uniquely devastating was not just the operational disruption. It was the financial pressure it created downstream.
Healthcare providers operate on thin margins. Many depend on a steady flow of insurance reimbursements to meet payroll, pay suppliers, and keep their doors open. When Change Healthcare went offline, that flow stopped. Claims that had been submitted before the attack were stuck in the system. New claims could not be processed. Providers had no visibility into when payments would resume.
The American Hospital Association repeatedly warned that providers were facing severe cash-flow pressure and operational uncertainty. Smaller practices and rural providers were particularly exposed. Some reported being weeks away from being unable to make payroll. UnitedHealth Group responded by advancing approximately $6 billion in temporary funding and loans to affected providers through an emergency assistance programme, an extraordinary measure that underscored the severity of the crisis.
This is a dimension that most resilience planning does not adequately address: the point at which an operational disruption becomes a liquidity crisis. When the systems that move money stop working, the financial impact is not deferred until the systems come back. It compounds daily. Every day without claims processing is a day without revenue, and for organisations operating on thin margins, the window between disruption and financial distress can be alarmingly short.
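The point that the damage "compounds daily" is easiest to see as a day-by-day cash model rather than a sentence. The following is an added worked example, not code or figures from the original paper or from any real provider; the opening cash, daily reimbursement, operating cost and payroll figures are constructed for a hypothetical practice, and the restoration and advance schedules are invented scenarios. It assumes, as the paper states, that claims already in flight on the day of the outage stop paying too, and it deliberately does not model backlog catch-up after restoration.

```python
"""Day-by-day cash runway for a provider whose claims intermediary goes dark.

Added example with constructed figures. Inflow is zero from day 1 (in-flight
claims are stuck), outflow continues, payroll lands every 14 days, and money
for restored claims only arrives after a settlement lag.
"""
from dataclasses import dataclass


@dataclass
class Scenario:
    opening_cash: float          # cash on hand the day the intermediary fails
    daily_reimbursement: float   # normal insurer inflow per calendar day
    daily_operating_cost: float  # non-payroll outflow per day (rent, suppliers, ...)
    payroll: float               # paid every payroll_interval days
    payroll_interval: int = 14
    settlement_lag: int = 14     # days from a claim being accepted to being paid
    # (day, fraction): from that day the intermediary accepts `fraction` of
    # normal claim volume; payment for it arrives settlement_lag days later
    restoration: tuple = ()
    # (day, amount): emergency advances credited on that day
    advances: tuple = ()


def restored_fraction(s, day):
    """Share of normal claim volume the intermediary accepts on `day`
    (0 before the first restoration step; steps only ever increase)."""
    frac = 0.0
    for step_day, step_frac in s.restoration:
        if step_day <= day:
            frac = max(frac, step_frac)
    return frac


def simulate(s, horizon=90):
    """Closing cash balance for each day 1..horizon."""
    cash = s.opening_cash
    balances = []
    for day in range(1, horizon + 1):
        cash -= s.daily_operating_cost
        if day % s.payroll_interval == 0:
            cash -= s.payroll
        # money arriving today was for claims accepted settlement_lag days ago
        cash += s.daily_reimbursement * restored_fraction(s, day - s.settlement_lag)
        cash += sum(amount for adv_day, amount in s.advances if adv_day == day)
        balances.append(cash)
    return balances


def day_cash_runs_out(s, horizon=90):
    """First day the balance goes negative, or None if it survives the horizon."""
    for day, cash in enumerate(simulate(s, horizon), start=1):
        if cash < 0:
            return day
    return None


# Constructed practice: thin margin (inflow 196k vs outflow 184k per 14-day cycle).
BASE = dict(opening_cash=300_000, daily_reimbursement=14_000,
            daily_operating_cost=6_000, payroll=100_000)

SCENARIOS = {
    "no restoration, no assistance": Scenario(**BASE),
    "phased restoration only": Scenario(**BASE, restoration=((20, 0.3), (40, 1.0))),
    "emergency advance only": Scenario(**BASE, advances=((10, 350_000),)),
    "advance plus phased restoration": Scenario(
        **BASE, restoration=((20, 0.3), (40, 1.0)), advances=((10, 350_000),)),
}

if __name__ == "__main__":
    for label, scenario in SCENARIOS.items():
        day = day_cash_runs_out(scenario)
        print(f"{label:32s} -> {'survives 90 days' if day is None else f'cash negative on day {day}'}")
```

Two things fall out of the constructed numbers. The practice fails on its second payroll (day 28) whether or not restoration has started, because restored claims do not pay until the settlement lag has run; restoration announcements alone do not move the insolvency date. An advance buys exactly one more payroll cycle and then fails again unless restoration lands in time. The answer to "how many days of interrupted revenue can we absorb" is the output of this model with an empty restoration schedule, and it should be computed before the outage, not discovered during it.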
The Recovery That Took Nine Months
The Arc of a National Infrastructure Failure
February 21, 2024
Ransomware deployed. Change Healthcare takes systems offline. Claims processing, eligibility verification, and payment flows stop across the US healthcare system. Providers begin discovering they cannot submit claims or verify insurance coverage.
Late February and early March 2024
The scale of the disruption becomes clear. Pharmacies cannot process insurance transactions. Hospitals and practices shift to manual claims processes. Cash-flow pressure begins building. UnitedHealth Group begins issuing public updates. The American Hospital Association escalates concerns about provider financial viability.
March and April 2024
UnitedHealth launches temporary funding assistance, ultimately advancing $6 billion to providers. Pharmacy services begin partial restoration. Medical claims remain severely disrupted. UnitedHealth reports $872 million in first-quarter costs attributed to the incident. Providers are operating on degraded administrative processes with no clear timeline for full restoration.
May to October 2024
Phased restoration continues. Some claims functions return. Others remain impaired. UnitedHealth revises its full-year cost estimate upward repeatedly, from $1.6 billion to $2.45 billion to $2.87 billion. UnitedHealth confirms it paid a $22 million ransom. The disclosed breach scope keeps growing, eventually reaching 190 million affected individuals. Providers begin the long process of reconciling months of disrupted billing.
November 2024
The Change Healthcare clearing service resumes full operations, nine months after the attack. UnitedHealth's total costs reach $3.09 billion. For providers, the administrative recovery of reconciling months of disrupted claims, payments, and records continues well beyond this date.
Nine months. That is how long it took for the clearing service to resume full operations. Not nine days. Not nine weeks. Nine months of degraded healthcare administration across the United States. Most incident response plans are designed around recovery timelines measured in hours or days. Change Healthcare demonstrated what happens when the actual timeline is measured in quarters.
What the Incident Exposed
The difference between a vendor and infrastructure was not understood. Change Healthcare was treated as a vendor in most provider risk assessments. In practice, it functioned as national infrastructure. The risk frameworks that categorised it did not reflect the systemic consequence of its failure. When it went down, the entire sector discovered simultaneously that their business model depended on a system they did not control, could not influence, and had no realistic fallback for.
Operational disruption became a liquidity crisis within days. The speed at which payment disruption translated into provider financial distress was faster than most continuity plans anticipated. Organisations that had never modelled a sustained interruption in revenue flow found themselves facing payroll and supplier payment decisions that no tabletop exercise had prepared them for.
The recovery timeline shattered all planning assumptions. Nine months of degraded operations is outside the scope of virtually every business continuity plan in existence. Most plans assume full recovery within days or weeks. Change Healthcare proved that a sufficiently concentrated intermediary failure can produce a recovery timeline that exceeds the entire planning horizon.
The data breach compounded the operational crisis. While providers were struggling with cash flow and degraded operations, they were simultaneously facing the largest healthcare data breach in US history. The combination of operational disruption, financial pressure, and data compromise created a compound crisis that required leadership teams to manage multiple severe consequences simultaneously — a scenario that is rarely rehearsed even in mature organisations.
The Resilience Lens
The conventional analysis of Change Healthcare focuses on the attack vector: the lack of multi-factor authentication on the Citrix portal, the nine days of undetected lateral movement that followed, and the ransomware deployment. Those are legitimate cybersecurity lessons. But they are not the resilience lesson.
The resilience lesson is about what happens when an entire sector discovers, in the middle of a crisis, that it has built its daily operations on an intermediary it cannot replace, cannot fall back from, and cannot pressure to recover faster. That is the scenario that boards in every industry need to sit with: not "what if our vendor has a breach," but "what if the shared infrastructure layer that our entire sector depends on goes offline for months, and our revenue stops flowing while we wait for someone else to fix it."
Until a leadership team has faced that scenario under realistic pressure — where the financial consequences are compounding, the timeline is unknown, the data exposure is expanding, and every other organisation in the sector is experiencing the same crisis simultaneously — its resilience posture is theoretical. The Change Healthcare incident is proof that theoretical readiness is not readiness at all.
What Boards Should Be Asking
After Change Healthcare, the instinct was to review cybersecurity requirements for third-party vendors. That is necessary. It is also insufficient, because the next intermediary failure will not be prevented by better questionnaires.
- Which intermediaries in our operating model function as shared sector infrastructure rather than simple vendors, and have we mapped the downstream consequences of their extended failure?
- How many days of interrupted revenue flow can we absorb before the operational disruption becomes a liquidity crisis?
- Do we have realistic fallback capacity for our core transaction flows, and has it been tested at actual volume — not just documented?
- Has our leadership team ever practised managing a compound crisis where operational disruption, financial pressure, and data exposure are all escalating simultaneously?
- Are our recovery time assumptions based on the vendor's best-case timeline, or on our own tested ability to operate without them for an extended period?
If the honest answer to most of these is "we haven't tested it," then Change Healthcare is a direct warning. The gap between documented readiness and demonstrated readiness is exactly where organisations fail when a real event arrives — and this incident proved that the consequences of that gap can be measured in billions.
Conclusion
The Change Healthcare attack was not a black swan. It was the foreseeable consequence of an entire national healthcare system building its administrative operations on a concentrated intermediary without adequately modelling what would happen when that intermediary failed for an extended period. The attack itself exploited a single access point lacking a basic security control. The impact was $3.09 billion in total costs, approximately 190 million individuals' data compromised, nine months of degraded operations, and a cash-flow crisis that threatened the financial viability of healthcare providers across the country.
The lesson extends well beyond healthcare. Every sector has its own version of Change Healthcare — a shared intermediary so deeply embedded in daily operations that its failure would cascade across the entire ecosystem. Payment processors, identity providers, cloud platforms, telecommunications carriers, financial clearinghouses. The pattern is structural, not sectoral.
The organisations that will handle the next intermediary failure well are not the ones with the best vendor risk questionnaires. They are the ones whose leadership teams have already practised operating under sustained infrastructure loss, made the hard financial and prioritisation decisions, and discovered where their continuity assumptions break down — before a real event proved those assumptions wrong in public.
Rehearse This Scenario
CrisisLoop builds structured executive exercises around real-world incidents like this one. If your leadership team has never rehearsed a sustained intermediary failure where operational disruption and cash-flow pressure compound simultaneously, that gap is worth closing before the next one happens in public.
Talk to Us About Resilience Rehearsal