Mallory

HHS Increases Oversight of Healthcare Third-Party Vendor Cybersecurity After Change Healthcare Breach

Tags: change healthcare, third-party risk, hhs, healthcare, unitedhealth group, breach, remote access, systemic risk, data exposure, vendor management
Updated February 21, 2026 at 02:04 AM · 2 sources

The US Department of Health and Human Services (HHS) is increasing scrutiny of third-party service provider cybersecurity in the healthcare sector following the 2024 Change Healthcare cyberattack, which HHS officials describe as having threatened the “liquidity” of the broader healthcare system. HHS’s Charlee Hess (Administration for Strategic Preparedness and Response) said the incident exposed previously underappreciated systemic risk from external vendors that can have outsized sector-wide impact, and noted HHS is working through a methodology—alongside industry—to identify where those critical third-party dependencies and risk concentrations exist.

Reporting reiterated that the Change Healthcare intrusion began with attackers exploiting the lack of multi-factor authentication (MFA) on a remote access portal and ultimately exposed data affecting roughly 190 million people. The breach has also driven broader government and industry responses, including proposals for mandatory cybersecurity requirements on hospitals (which healthcare organizations have opposed as burdensome, arguing the Change Healthcare compromise originated with an external vendor) and remediation actions by UnitedHealth Group (Change Healthcare’s parent) to “start over” on aspects of its systems and technology environment.

Related Stories

Healthcare Sector Systemic Risk Exposed by Change Healthcare Ransomware Attack

The **Change Healthcare ransomware attack** exposed how a compromise at a single, highly concentrated third-party provider can trigger **systemic disruption** across the U.S. healthcare sector. Erik Decker, CISO of Intermountain Health and co-chair of a federal healthcare cyber advisory committee, said the incident disrupted clinical and billing operations for thousands of organizations for months and demonstrated that healthcare entities must identify which external vendors support **critical patient-care and operational functions** such as pharmacy, imaging, and laboratory services. He pointed to the Health Sector Coordinating Council's **SMART** toolkit as a way for organizations to map vendor dependencies and identify market concentration risk before a single supplier failure cascades across the ecosystem. Broader reporting on **supply-chain and third-party compromise trends** reinforces the same underlying risk pattern, showing attackers increasingly target trusted vendors, integrations, and dependencies rather than directly attacking a single victim's perimeter. IBM reported that major supply-chain and third-party breaches have risen sharply over the past five years, with adversaries exploiting interconnected systems, valid credentials, cloud services, APIs, and software dependencies to gain downstream access. Together, the reporting shows that the Change Healthcare incident was not an isolated operational failure but a high-impact example of a wider threat model in which **trusted external relationships become the attack path and the force multiplier for business disruption**.

4 days ago

Healthcare Sector Data Breach Disclosures Expand Victim Counts Across Multiple Incidents

Multiple healthcare-related breach disclosures expanded significantly, led by *TriZetto Provider Solutions* reporting to regulators that **3,433,965** people were affected after an attacker used a web portal to access historical eligibility reports containing sensitive data (including **SSNs** and insurance information). Separately, *Conduent Business Services* told Wisconsin regulators that its incident now impacts **“25 million-plus”** people nationwide; the Xerox spinoff had previously reported **~15.5 million** affected in Texas, prompting an investigation by Texas AG Ken Paxton, while reporting noted the event is still smaller than the largest U.S. health-data breach on record. Reporting on the *Change Healthcare* ransomware incident reiterated that UnitedHealth estimated roughly **190 million** people were affected, with congressional testimony attributing initial access to a **Citrix remote access portal lacking MFA**, followed by data theft and ransomware deployment; reporting also cited a **$22 million** ransom payment. In the Asia-Pacific region, a separate healthcare privacy incident involving New Zealand’s *ManageMyHealth* patient portal was cited as exposing data from **~120,000** people, and was used to underscore governance, access control, and third-party oversight gaps as recurring drivers of healthcare-sector exposure.

2 weeks ago

Impact and Response to the Change Healthcare Ransomware Attack

A ransomware attack on Change Healthcare, a major processor of health insurance claims, exposed the personal health information of over 190 million people and caused widespread disruption across the U.S. healthcare system. Hospitals and clinics were unable to process claims or receive payments, leading to severe cash-flow crises that threatened their operations. In response, the Centers for Medicare and Medicaid Services implemented the Change Healthcare/Optum Payment Disruption Accelerated and Advance Payment program, providing $3.3 billion in emergency relief, though only 11% of hospitals received funds, with rural and unaffiliated hospitals being less likely to benefit. Research from the University of Minnesota analyzed the effectiveness of this relief program and highlighted areas for improvement in future emergency funding responses. The American Hospital Association reported that the Change Healthcare incident was the largest single healthcare data breach in recent years, accounting for the majority of the 259 million records compromised in 2024. The breach underscored the vulnerability of healthcare data, particularly when stored unencrypted and managed by business associates rather than hospitals themselves. The incident has prompted calls for improved asset inventories, better tracking of business associates, and stronger data protection measures to mitigate the risk of similar large-scale breaches in the future.

3 months ago
