The ransomware attack that knocked Change Healthcare offline in late February exposed a basic truth about modern healthcare infrastructure. A handful of back-end platforms now sit behind the day-to-day operations of hospitals, clinics and pharmacies. When one of those platforms fails, the failure is systemic, fast, and expensive.

What happened is straightforward. On Feb. 21, 2024, a sophisticated ransomware operation targeted Change Healthcare, the UnitedHealth Group unit that processes a huge share of U.S. healthcare transactions. The company shut down systems to stop the intruder and isolate the incident. The outage quickly cascaded into pharmacies that could not verify insurance, clinics that could not process claims or prior authorizations, and hospitals forced to switch to slow, manual workarounds. The disruption was national in scope and prolonged.

Why this mattered beyond invoices and annoyed administrators is simple. Change Healthcare is not a boutique vendor. It is a plumbing provider for the entire claims and payment ecosystem. Multiple reputable observers estimated that the company handles a substantial slice of transactions that keep money and authorization flowing to providers. Providers that rely primarily on Change found themselves unable to file claims or receive payments, shifting large volumes of revenue to manual processes or putting it on hold until systems were restored. That concentrated dependency turned a single breach into a systemwide shock.

Operational impacts were immediate and measurable. Pharmacies reverted to fax and phone, often asking customers to pay cash. Hospitals reported delays in prior authorizations and in some cases delayed discharges or elective procedures. The American Hospital Association, speaking to hundreds of hospitals in early March, reported widespread patient-care and financial impacts. The AHA described the incident as among the most significant cyber events the health sector has seen, with a large majority of surveyed hospitals reporting direct operational or financial harm. Those are the consequences of a critical service going dark.

The second critical fact is how the extortion played out in the ransomware ecosystem. Security researchers and blockchain analysts observed a 350 bitcoin transaction on March 1 tied to a wallet associated with the ALPHV/BlackCat operation. An affiliate on a criminal forum claimed the payment and then publicly complained about not receiving an expected cut, which in turn produced an open-source evidence trail tying the payment to the Change Healthcare incident. That chain of public signals strongly suggested that attackers had been paid to restore access or to stop publishing stolen data. Regardless of who ultimately received the funds, the episode illustrated how quickly a crisis can move from incident response to negotiation and payment in the shadow economy.

Plain reality for operators is this: critical dependencies plus an adversary that knows how to weaponize them equals systemic risk. That equation has three immediate implications for both private and public actors.

First, eliminate single points of failure in critical functions. Providers and payers must map which third-party services are essential to clinical operations and revenue cycle continuity. If eligibility verification, prior authorization, e-prescribing or clearinghouse processing all run through one vendor, assume those functions can be rendered unavailable and plan accordingly. Alternate routing, secondary clearinghouses, and tested manual fallbacks are not optional exercises. They are mission-critical resilience tasks.

Second, assume trust is fragile. The public evidence trail around the ransom payment shows the criminal ecosystem can and will monetize a major outage quickly. Payment or no payment, exfiltrated data can be copied and republished by affiliates or rival groups. Organizations need hardened incident response plans that include containment, forensic validation, legal and regulatory playbooks, and prearranged communications strategies. They also need contractual clauses with vendors that bind them to resilience standards and rapid support obligations.

Third, the regulatory and financial backstops are inadequate for incidents at this scale. The AHA and other stakeholder groups pressed for government action because prolonged outages endanger patient care and threaten provider solvency. That is a policy problem as much as a cybersecurity one. Government agencies should treat nationwide clearinghouses as critical infrastructure and require minimum standards, reporting, and redundancy. At a minimum, federal guidance and incentives should push for segmentation, mandatory incident reporting, and financial mechanisms that prevent a single vendor failure from cascading into closures or layoffs.

What organizations should do now, in practice:

  • Inventory and prioritize. Identify the services that, if disrupted, will immediately impair patient care or cash flow. Treat them like power and water infrastructure. Rehearse failure modes and manual workarounds.

  • Add redundant paths. Where practical, contract with backup clearinghouses or alternate payment processors and verify they can be switched to in hours, not weeks.

  • Harden vendor controls. Require vendors to demonstrate multi-layered access controls, timely patching, intrusion detection, and independent third-party audits. Insist on contractual SLAs that include support for catastrophic failovers.

  • Fund continuity. Large payers and vendors should create rapid liquidity mechanisms so providers do not have to borrow at high rates to survive an outage. If private plans can suspend claims flows, they can and should stand up emergency payment programs to protect payroll and supplies.

  • Coordinate publicly. The federal government should designate the clearinghouse ecosystem as critical and publish baseline security and continuity standards. Public-private exercises should simulate vendor-level outages and test the national response.
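One way to turn the inventory and redundancy steps above into a repeatable check, as an added example that is not part of the original article: it flags vendors whose outage removes every usable route for a function, including a backup that quietly depends on the primary vendor and a fallback that was never rehearsed. The vendor names, function names and the 24-hour threshold are constructed assumptions.

```python
from collections import defaultdict

MAX_FAILOVER_HOURS = 24  # assumed reading of "hours, not weeks"
# Constructed inventory. "vendors" lists every third party a route needs,
# upstream ones included (the eligibility backup forwards via ClearinghouseA);
# "tested_hours" is the rehearsed switch-over time (None = never rehearsed).
INVENTORY = {
    "eligibility_verification": [
        {"route": "primary", "vendors": {"ClearinghouseA"}, "tested_hours": 0},
        {"route": "backup", "vendors": {"ClearinghouseB", "ClearinghouseA"}, "tested_hours": 6},
    ],
    "claims_submission": [
        {"route": "primary", "vendors": {"ClearinghouseA"}, "tested_hours": 0},
        {"route": "backup", "vendors": {"ClearinghouseC"}, "tested_hours": 8},
    ],
    "prior_authorization": [
        {"route": "primary", "vendors": {"ClearinghouseA"}, "tested_hours": 0},
        {"route": "backup", "vendors": {"ClearinghouseC"}, "tested_hours": None},
    ],
    "e_prescribing": [
        {"route": "primary", "vendors": {"RxNetworkD"}, "tested_hours": 0},
        {"route": "manual_fax", "vendors": set(), "tested_hours": 2},
    ],
}

def usable_routes(routes, max_hours=MAX_FAILOVER_HOURS):
    """Keep only routes with a rehearsed switch-over time within the limit."""
    return [r for r in routes
            if r["tested_hours"] is not None and r["tested_hours"] <= max_hours]

def single_points_of_failure(inventory, max_hours=MAX_FAILOVER_HOURS):
    """Map each vendor present in every usable route of a function to those functions."""
    lost = defaultdict(list)
    for function, routes in inventory.items():
        usable = usable_routes(routes, max_hours)
        shared = set.intersection(*(r["vendors"] for r in usable)) if usable else set()
        for vendor in shared:
            lost[vendor].append(function)
    return {v: sorted(f) for v, f in lost.items()}

def unrehearsed_fallbacks(inventory):
    """Fallback routes that exist on paper but have never been exercised."""
    return sorted((f, r["route"]) for f, routes in inventory.items()
                  for r in routes if r["tested_hours"] is None)

if __name__ == "__main__":
    for vendor, functions in single_points_of_failure(INVENTORY).items():
        print(f"{vendor} outage disables: {', '.join(functions)}")
    print("never rehearsed:", unrehearsed_fallbacks(INVENTORY))
```

Tightening `max_hours` shows which fallbacks only protect a function on a generous timeline; with a 4-hour limit, claims submission joins the list of functions lost to a ClearinghouseA outage.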

The Change Healthcare incident is not a unique anomaly. It is a warning. Healthcare has centralized many fragile functions because centralization reduces cost and friction in normal times. Centralization also concentrates risk. If the sector wants the efficiency gains, it must accept the cost of resilience. That cost is not optional. It is the price of running a system where human lives depend on invisible IT plumbing.

Act like it.