What the Change Healthcare Hack Taught Us, and Why It Won’t Be the Last
In February 2024, Change Healthcare, a key clearinghouse handling medical claims, prescriptions, and payment processing for millions of patients, was hit by a ransomware attack that paralyzed healthcare operations nationwide. The breach impacted pharmacies, delayed billing, and exposed sensitive data across thousands of healthcare entities. For small and medium-sized practices, the disruption was catastrophic: they lacked the financial cushion or alternate workflows to absorb weeks of downtime.
But this wasn’t just a tech problem; it was a visibility problem.
The attack was traced to a vulnerability in a remote access portal that had gone unmonitored. Despite the size and sophistication of Change Healthcare’s operations, basic segmentation and access controls were insufficient or missing entirely. Smaller organizations relying on Change were caught in the blast radius.
According to the American Hospital Association, more than 94% of U.S. hospitals were affected in some capacity [1]. And yet, many healthcare organizations still lack visibility into their digital supply chain, failing to assess the cyber risk exposure of key vendors, APIs, and third-party platforms.
This event underscores a central truth: you can outsource services, but you can’t outsource risk.
That’s why data-driven threat modeling is critical. At Jourdain Risk Group, we use Bayesian networks and copula models to simulate complex interdependencies between your practice, your vendors, and their platforms. Combined with the FAIR framework, we quantify your true exposure so you can decide where to invest, what to segment, and which risks to monitor.
Ransomware is evolving. The Change Healthcare attack was devastating not just because it was large but because it was predictable.
The next one will be too. The question is: are you prepared?
Sources:
[1] American Hospital Association. Statement on Change Healthcare Cyberattack, 2024
[2] SC Media. Change Healthcare Breach Traced to Citrix Vulnerability, March 2024
[3] Ponemon Institute. Third-Party Risk in Healthcare, 2023