Sovereign RCM
What the Change Healthcare Attack Means for Your Practice
I've spent my career designing systems that cannot fail. Bridges. Roadway infrastructure. When you sign a drawing as a Professional Engineer, you're certifying that what you've designed will carry the loads it was built for, including the ones nobody anticipated.
What I saw in the Change Healthcare attack is something I'd recognize on any infrastructure review: a non-redundant critical node with no backup load path, sitting behind a door with no lock.
What Change Healthcare Actually Was
At the time of the attack, Change Healthcare processed approximately 40% of all U.S. medical claims, roughly 15 billion transactions per year representing $1.5 trillion in health claims. It handled eligibility verification, claims submission, prior authorization, pharmacy benefits, and electronic payments. For the majority of practices, there was no alternative route. Claims went through Change, or they didn't go at all.
How It Failed
On February 12, 2024, an attacker used stolen credentials to access a Citrix remote desktop portal with no multi-factor authentication. A username and password were all it took. The attacker spent nine days moving through the network undetected. On February 21, ransomware was deployed and Change Healthcare went offline.
The final breach count: 192.7 million individuals, more than half the U.S. population. UnitedHealth Group paid a ransom of roughly $22 million. A second extortion attempt followed using the same stolen data.
Senator Ron Wyden called the missing MFA a failure of "cybersecurity 101." I'd call it the equivalent of designing a dam with no overflow spillway and being surprised when it overtopped.
What It Did to Practices
Full clearinghouse services were not restored until November 2024, nine months later.
The AMA surveyed approximately 1,400 physician practices in the weeks following the attack. Eighty percent reported lost revenue from unpaid claims. Seventy-eight percent couldn't submit claims at all. Fifty-five percent used personal funds to cover expenses. Thirty-one percent could not make payroll.
One rural practice owner carried bags of cash onto flights to make payroll. Another took out emergency loans at 50% interest rates.
The Structural Lesson
Give this scenario to a second-year engineering student (a single company processing 40% of all U.S. healthcare claims, protected by a single password) and they'd identify the failure mode in under a minute.
The attack was not sophisticated. The attacker logged into a portal that was left unlocked. What made the damage total was the architecture: because Change served as the dominant routing node, there was no failover. Every connected practice went down simultaneously.
A distributed design would have contained the damage. A practice using on-premise billing infrastructure that doesn't route PHI through external clearinghouses would have been unaffected entirely.
What This Means for Your Practice
HHS proposed significant updates to the HIPAA Security Rule in December 2024: mandatory MFA, mandatory encryption, required penetration testing. Practices will be expected to evaluate their vendors with the same scrutiny regulators apply to the vendors themselves.
If your billing depends on a cloud-based platform, you are sharing systemic risk with every other practice on that platform. When it fails, they all fail together.
This is the structural problem that an air-gapped billing system solves. "Air-gapped" is not a marketing phrase. It means the system processes PHI on hardware inside your building, isolated from external networks. The AI inference runs locally on the appliance. Patient records are never transmitted to an external server. The attack surface is fundamentally different from any cloud-based system.
That architecture is what we built Sovereign RCM around. The next Change Healthcare will happen. Whether your practice is caught in it is a question of architecture.
If you'd like to understand how on-premise billing compares for a practice your size, we'd like to talk.
Sources
- TechCrunch. How the Ransomware Attack at Change Healthcare Went Down. January 2025.
- BleepingComputer. Change Healthcare Hacked Using Stolen Citrix Account With No MFA. 2024.
- HIPAA Guide. Change Healthcare Data Breach: 192.7 Million Affected. 2025.
- American Medical Association. Change Healthcare Cyberattack Survey Results. 2024.
- American Hospital Association. Change Healthcare Cyberattack Disrupts Patient Care. March 2024.
- Senate Finance Committee. Hacking America's Health Care. May 2024.
- HHS Office for Civil Rights. HIPAA Security Rule NPRM. December 2024.
About the Author

Navid M. Rahman, PE
Chief Operating Officer
Licensed PE with 15+ years managing regulated infrastructure. Navid translates complex compliance and procurement into structured AI deployment playbooks.