Change Healthcare Ransomware: What Small Practices Took Away
6 min read · Last reviewed May 22, 2026
What happened
In February 2024, Change Healthcare — a UnitedHealth Group subsidiary processing a substantial share of US health care payment and clearinghouse traffic — was hit by ransomware. The incident knocked out claims submission, eligibility checks, prior authorization workflows, and electronic remittance for weeks. HHS published a March 5, 2024 statement on the cyberattack, followed by an OCR "Dear Colleague" letter dated March 13, 2024 (available through the OCR Change Healthcare resource page). The UnitedHealth Group April 22, 2024 update on the Change Healthcare cyberattack described the scope and the recovery progress at the time.
UnitedHealth Group later disclosed that a substantial portion of the US population may have had data affected. The exact figure and the full scope of individual notifications continued to be updated through 2024 and into 2025. For the purposes of this guide, the operational facts — extended clearinghouse outage, cash flow disruption, downstream notifications — are the load-bearing detail.
Why this matters for a small practice
Three things became immediately concrete to small practices that had assumed clearinghouse risk was abstract:
- Cash flow stopped. Claims could not be submitted, ERAs could not be received. Many small practices ran into payroll concerns within a few weeks. The Centers for Medicare and Medicaid Services issued accelerated and advance payment guidance during the recovery, but the practical bridge for many small practices was internal cash management or a credit line.
- The clearinghouse was a single point of failure that few small practices had explicitly inventoried in their data flow or contingency plan. The Security Rule at 164.308(a)(7)(7)) requires a contingency plan covering data backup, disaster recovery, emergency mode operation, and testing — most small practices had not exercised these for the clearinghouse layer.
- Subcontractor BAA chains became real. A small practice signs a BAA with its EHR; the EHR signs a BAA with its clearinghouse; the clearinghouse may sit behind another payment processor. Each link in the chain is a place where ePHI moves and a place where a breach can originate. The 2013 Omnibus rule's subcontractor obligations live in the definitions at 45 CFR 160.103.
What the Security Rule already required that became newly visible
- Risk analysis at 164.308(a)(1)(ii)(A)(1)(ii)(A)) — the analysis should have identified the clearinghouse as a critical dependency and considered the risk of its unavailability.
- Risk management at 164.308(a)(1)(ii)(B)(1)(ii)(B)) — the practice should have considered alternative clearinghouses or backup submission paths.
- Contingency plan at 164.308(a)(7)(7)) — including emergency mode operation procedures for billing and revenue continuity.
- Information system activity review at 164.308(a)(1)(ii)(D)(1)(ii)(D)) — relevant for detecting downstream issues that surface through audit logs.
- Business associate agreements at 164.504(e)) — confirming the BAA log captures every actual data-handling vendor including those reached through the EHR.
OCR's response
OCR opened an investigation focused on Change Healthcare and UnitedHealth Group. The HHS letter to health care leaders called specific attention to the agency's expectations:
- All covered entities and business associates should have written, current risk analyses.
- They should review contingency plans and the practical implications of dependence on critical vendors.
- They should confirm BAAs are current and include the required subcontractor terms.
OCR's March 13, 2024 letter indicated that its interest in other entities partnered with Change Healthcare or UnitedHealth Group was secondary and that those investigations were not being prioritized. Covered entities affected only through the data path were still expected to determine their own notification obligations under 164.404 and 164.408.
Practical post-incident moves for a small practice
Several changes most practices benefited from making:
- Inventory the actual data flow end to end, not just the contractual relationship. List every entity that handles ePHI between the practice and the payer.
- Identify a backup clearinghouse path. Many EHRs support a fallback. The risk analysis should note the option and the practice's plan to activate it.
- Confirm the BAA log includes every actual handler. If the EHR routes through a clearinghouse not named in the practice's BAA file, request the documentation.
- Document encryption status of ePHI at rest within each vendor in the chain (this is what produces the breach notification safe harbor under 164.402 for any cached or extracted data on practice-controlled devices).
- Test the contingency plan annually. A tabletop exercise covering an extended clearinghouse outage takes a couple of hours and surfaces the gaps cheaply.
- Maintain a current breach log under 164.408(c)) for fewer-than-500 incidents.
- Review cyber insurance coverage with brokers post-incident; many carriers tightened terms after February 2024.
What this is not
This is not legal advice on a practice's specific notification obligations arising from the incident. Those questions are case-specific and should be worked with counsel against the practice's actual BAA chain, the patient population affected, and the data fields involved.
What the proposed Security Rule update signals
HHS published a proposed Security Rule update in 2024 that, if finalized, would tighten several specifications, in part in response to incidents like Change Healthcare. Notable proposed changes flagged by the OCR rulemaking page include making certain currently-addressable specifications required, adding explicit technology-specific obligations, and tightening risk-analysis documentation expectations. Track the rulemaking via the OCR HIPAA Regulatory Initiatives page. The current Security Rule still controls until any update is finalized.
Restraint about claims
No vendor or tool prevents incidents like Change Healthcare in absolute terms. The lesson for a small practice is the importance of the underlying program: a current risk analysis, a tested contingency plan, an accurate vendor inventory, and a documented breach response procedure.
How D3rx fits
D3rx SRA Binder Studio prompts a small practice to write the data flow including subcontractor chains, capture the BAA log against actual data handlers, document the contingency plan and the most recent test, and assemble the binder with citations back to HHS, OCR, eCFR, and NIST. It is a point-in-time administrative documentation aid; the practice remains responsible for the substance.
Next steps
See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.
Where do you stand on your SRA today?
Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- March 5, 2024 statement on the cyberattackhttps://www.hhs.gov/about/news/2024/03/05/statement-from-hhs-secretary-becerra-on-the-change-healthcare-cyberattack.html
- OCR Change Healthcare resource pagehttps://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html
- accelerated and advance payment guidancehttps://www.cms.gov/newsroom/press-releases/cms-takes-additional-actions-help-providers-and-suppliers-impacted-change-healthcare-cyberattack
- 164.308(a)(7)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
- 45 CFR 160.103https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103
- 164.504(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504#p-164.504(e
- 164.404 and 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D
- 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.402
- 164.408(c)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408#p-164.408(c
- OCR HIPAA Regulatory Initiatives pagehttps://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html
Sources verified as of May 22, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
BAA Vendor List: Which Vendors a Small Practice Needs to Sign With
5 min readAudits and EnforcementThe HIPAA Breach Notification Rule, Explained
6 min readFoundationsHIPAA Policies and Procedures: What a Small Practice Actually Needs
5 min readTechnical SafeguardsHIPAA Encryption Requirements for ePHI
5 min readRelated across the archive
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
- SRABAA Vendor List: Which Vendors a Small Practice Needs to Sign WithA working list of the vendor categories a small practice typically needs a Business Associate Agreement with under 45 CFR 164.504(e), plus how to handle subcontractor chains.
- SRAHIPAA Encryption Requirements for ePHIWhat the Security Rule actually says about encryption at 45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii), the safe harbor under the Breach Notification Rule, and what 'addressable' means in practice.
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- SRAWhat to Do If You Get an OCR Audit LetterA step-by-step response framework for a small practice that receives an OCR HIPAA audit or investigation letter, drawn from OCR's audit protocol and published Resolution Agreements.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- GlossaryHIPAA Breach Notification RuleThe federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.