HHS Increases Oversight of Healthcare Third-Party Vendor Cybersecurity After Change Healthcare Breach
The US Department of Health and Human Services (HHS) is increasing scrutiny of third-party service provider cybersecurity in the healthcare sector following the 2024 Change Healthcare cyberattack, which HHS officials describe as having threatened the “liquidity” of the broader healthcare system. HHS’s Charlee Hess (Administration for Strategy Preparedness and Response) said the incident exposed previously underappreciated systemic risk from external vendors that can have outsized sector-wide impact, and noted HHS is working through a methodology—alongside industry—to identify where those critical third-party dependencies and risk concentrations exist.
Reporting reiterated that the Change Healthcare intrusion began with attackers exploiting the lack of multi-factor authentication (MFA) on a remote access portal and ultimately exposed data affecting roughly 190 million people. The breach has also driven broader government and industry responses, including proposals for mandatory cybersecurity requirements on hospitals (which healthcare organizations have opposed as burdensome, arguing the Change Healthcare compromise originated with an external vendor) and remediation actions by UnitedHealth Group (Change Healthcare’s parent) to “start over” on aspects of its systems and technology environment.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
HHS prioritizes third-party vendor risk identification in healthcare
By February 2026, HHS said it was prioritizing the security of third-party service providers and working with industry on a methodology to identify critical dependencies. Officials said the Change Healthcare attack revealed previously underrecognized third-party risks with potentially systemic impact.
Proposals emerge for mandatory hospital cybersecurity requirements
In the wake of the Change Healthcare incident, multiple proposals were introduced to impose mandatory cybersecurity requirements on hospitals. Parts of the healthcare industry opposed the measures, arguing the Change Healthcare compromise stemmed from an external vendor rather than hospitals themselves.
Government and Congress increase attention after Change Healthcare breach
The breach prompted additional scrutiny from U.S. government officials and Congress over cybersecurity risks in the healthcare sector. It also fueled policy debate over how to address systemic cyber risk tied to major service providers.
UnitedHealth starts over on Change Healthcare computer systems
Following the attack, UnitedHealth Group, Change Healthcare's parent company, rebuilt or restarted its use of computer systems. This response reflected the severity of the compromise and recovery effort.
Change Healthcare attack disrupts healthcare sector and exposes 190 million records
The Change Healthcare breach had broad sector-wide consequences, reportedly threatening healthcare system liquidity and exposing data affecting about 190 million people. The scale of the incident highlighted how a compromise at a single vendor could have outsized effects across the industry.
Hackers breach Change Healthcare via portal lacking MFA
In 2024, attackers compromised Change Healthcare by exploiting the absence of multifactor authentication on a remote access portal. The incident became a major cyberattack affecting a critical third-party provider in the U.S. healthcare sector.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Change Healthcare ransomware attack exposed massive patient data and disrupted U.S. care
A ransomware attack on UnitedHealth subsidiary **Change Healthcare** crippled prescription processing, billing, and claims services across the U.S., leaving pharmacies, hospitals, doctors, and therapists unable to process insurance transactions and creating severe cash-flow problems for providers. UnitedHealth disclosed the intrusion after isolating affected systems, and the **ALPHV/BlackCat** gang later claimed responsibility, saying it stole terabytes of data from the company’s environment. The outage highlighted Change Healthcare’s central role in the health sector, where it processes a huge share of medical and pharmacy transactions. UnitedHealth later acknowledged paying a ransom reportedly worth about **$22 million** in bitcoin, but the extortion did not end there: a second group, **RansomHub**, claimed it had obtained the stolen files and began leaking patient data online. Subsequent reporting said the breach likely included highly sensitive personal and health information, potentially affecting U.S. service members and eventually tens of millions of Americans, with later estimates rising to **100 million** and then **193 million** victims. Investigators and executives also said the attackers entered through a **Citrix portal without MFA**, turning the incident into one of the largest and most consequential healthcare data breaches on record.
Jun 8, 2026
Change Healthcare Breach Drives Lawsuit and Renews Healthcare Supply-Chain Risk Fears
Iowa Attorney General Brenna Bird sued Change Healthcare, UnitedHealth Group, and Optum over the 2024 ransomware attack on Change Healthcare, alleging the companies misrepresented their cybersecurity practices, understated the breach’s severity in a February 2024 SEC filing, and operated insecure legacy systems without adequate segmentation or redundancy. The complaint says the attack exposed the electronic protected health information of **192.7 million Americans**, including **2.2 million Iowans**, making it the largest healthcare data breach in U.S. history, and seeks civil penalties, disgorgement, damages, and injunctive relief. The incident is also being cited across the healthcare sector as a defining example of **systemic third-party risk**, after outages disrupted billing, pharmacy, clinical, imaging, and laboratory operations at thousands of organizations for months. Industry leaders, including Intermountain Health CISO Erik Decker, said the attack showed how vendor concentration can create ecosystem chokepoints, while broader reporting on vendor breaches has reinforced concerns that compromises at major service providers can cascade across healthcare delivery and data security nationwide.
Jun 8, 2026
Healthcare Sector Data Breach Disclosures Expand Victim Counts Across Multiple Incidents
Multiple healthcare-related breach disclosures expanded significantly, led by *TriZetto Provider Solutions* reporting to regulators that **3,433,965** people were affected after an attacker used a web portal to access historical eligibility reports containing sensitive data (including **SSNs** and insurance information). Separately, *Conduent Business Services* told Wisconsin regulators that its incident now impacts **“25 million-plus”** people nationwide; the Xerox spinoff had previously reported **~15.5 million** affected in Texas, prompting an investigation by Texas AG Ken Paxton, while reporting noted the event is still smaller than the largest U.S. health-data breach on record. Reporting on the *Change Healthcare* ransomware incident reiterated that UnitedHealth estimated roughly **190 million** people were affected, with congressional testimony attributing initial access to a **Citrix remote access portal lacking MFA**, followed by data theft and ransomware deployment; reporting also cited a **$22 million** ransom payment. In the Asia-Pacific region, a separate healthcare privacy incident involving New Zealand’s *ManageMyHealth* patient portal was cited as exposing data from **~120,000** people, and was used to underscore governance, access control, and third-party oversight gaps as recurring drivers of healthcare-sector exposure.
Mar 21, 2026