The Change Healthcare attack hit hard. It froze claims processing and prescription services, affected roughly 190 million people, and led UnitedHealth to advance more than $3.3 billion to providers while operations were restored. The company also paid about $22 million to the attackers. Those numbers show how a single vendor failure can ripple through the whole health system. If health leaders had clearer enterprise risk management focused on critical vendors — with leading indicators, live vendor checks, and basic account protections — the damage could have been much smaller.
In February 2024, Change Healthcare was hit by ransomware and took its systems offline to contain the intrusion, so key services stopped working. Pharmacies could not verify prescriptions. Hospitals could not submit claims in the normal way. Over the following weeks the delays mounted: prior authorizations stalled, billing backlogs grew, and operations fell back on manual work that slowed everything down.
By early 2025 the confirmed count of affected people had reached roughly 190 million, making this the largest health-data breach in U.S. history. Providers faced cash-flow problems, and some smaller clinics struggled to stay open. Patients faced delays in care and in getting medicines. The national scale of the disruption is what pushed costs into the billions and stretched recovery over months.
The headline figure — more than $3.3 billion in advance payments — came from the need to keep the health system moving while systems were down. Those funds covered emergency cash flow for hospitals and clinics that could not bill normally. The ransom was a fraction of the total cost; the real bills came from lost revenue, extended recovery work, outside contractors, legal fees, and the time staff spent on manual fixes.
For small providers, the impact was especially harsh. When revenue stalls for weeks, payroll and supplier bills still come due. Compare that to the cost of enforcing simple protections for key vendor access, and the return is obvious: targeted risk work on mission-critical suppliers can save a lot more than it costs.
UnitedHealth's CEO told Congress in May 2024 that the attackers got in with compromised credentials for a Citrix remote-access portal that was not protected by multi-factor authentication. From that single foothold they moved into connected systems, and because those systems were tightly coupled with little segmentation, the failure of one service pulled many others down with it.
Beyond accounts, there were gaps in patching and in how vendor systems were checked on an ongoing basis. These are basic controls: require MFA on every remote-access path, segment networks so that one compromised system cannot reach the rest, and check vendor posture more often than once a quarter. Those steps keep small failures from becoming large disasters.
This event showed a big lesson about supplier concentration. Change Healthcare was a central hub for claims and prescriptions — when that hub went down, a huge part of the care system slowed or stopped. An enterprise risk approach that ignores concentration risk is missing the main point: it’s not only about whether a supplier is secure, it’s about how many core operations depend on them.
If leaders had included vendor health in their enterprise risk indicators and had clear triggers for adding redundancy or emergency routing, the outage’s national impact would have been smaller. Risk registers and vendor scorecards are not paperwork — they’re tools that tell leaders when to act before the problem hits patients.
Start with a short list of high-impact controls you can apply right away to the vendors that matter most:
These steps are small, measurable, and directly tied to staying operational when a vendor hits trouble.

Treat vendor risk as a lifecycle, not a one-time checklist. Start by scoring vendors when they are onboarded, then run posture checks monthly for the critical few. For top-tier suppliers, require quarterly reviews that include both service performance and security health. Contracts should say how quickly a vendor must act and what steps they must take to help you keep services running.
For vendors that provide system-wide services, insist on redundancy or an agreed failover path. Run a short simulation that imagines a clearinghouse outage and see how claims would get routed. Those exercises quickly reveal where a simple routing rule or alternate vendor could have kept operations moving.
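The concentration measure from the earlier discussion (how many core operations have no route except one vendor), the monthly posture check, and the clearinghouse-outage simulation can all be driven from one small register. The following is an added example written for this page, not code from the original article or from iRM; the vendor names, processes, posture values, the 25% sole-route threshold and the 30-day check interval are all constructed sample data and assumed policy values.

```python
"""Vendor concentration register with an outage simulation.

Added illustration, not code from the original article or from iRM.
All vendor names, processes, posture values and thresholds are
constructed sample data; the 25% threshold and 30-day interval are
assumed policy values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    routes: tuple  # vendors that can carry this process, primary first


@dataclass(frozen=True)
class Vendor:
    name: str
    mfa_on_remote_access: bool   # result of the last posture check
    days_since_posture_check: int


@dataclass(frozen=True)
class Finding:
    vendor: str
    process: str
    effect: str  # "stop": no other route; "degrade": a failover route exists


# Constructed register: one clearinghouse is the only route for three
# processes and the primary for a fourth; payroll uses an unrelated vendor.
SAMPLE_PROCESSES = (
    Process("claims_submission", ("HubClearing", "AltClearing")),
    Process("eligibility_check", ("HubClearing",)),
    Process("prescription_verification", ("HubClearing",)),
    Process("prior_authorization", ("HubClearing",)),
    Process("payroll", ("PayCo",)),
)

SAMPLE_VENDORS = (
    Vendor("HubClearing", mfa_on_remote_access=False, days_since_posture_check=75),
    Vendor("AltClearing", mfa_on_remote_access=True, days_since_posture_check=20),
    Vendor("PayCo", mfa_on_remote_access=True, days_since_posture_check=10),
)


def sole_route_processes(processes):
    """Map each vendor to the processes for which it is the only route."""
    spof = {}
    for p in processes:
        if len(p.routes) == 1:
            spof.setdefault(p.routes[0], []).append(p.name)
    return spof


def concentration(processes):
    """Share of processes that stop outright if the vendor fails.

    This is the concentration measure: not whether the vendor is secure,
    but how much of the operation has no other route through it.
    """
    total = len(processes)
    return {v: len(ps) / total for v, ps in sole_route_processes(processes).items()}


def simulate_outage(processes, down_vendor):
    """Tabletop in code: what happens to each process if down_vendor is unavailable."""
    findings = []
    for p in processes:
        if down_vendor not in p.routes:
            continue
        alternatives = [v for v in p.routes if v != down_vendor]
        findings.append(Finding(down_vendor, p.name, "degrade" if alternatives else "stop"))
    return findings


def triggers(processes, vendors, threshold=0.25, check_interval_days=30):
    """Turn the indicators into actions for the vendors that matter.

    A vendor is critical when some process has it as the sole route. Critical
    vendors get a failover action per sole-route process once their share is at
    or above threshold, an MFA action when remote access lacks it, and an
    overdue action when the monthly posture check has lapsed.
    """
    shares = concentration(processes)
    spof = sole_route_processes(processes)
    actions = []
    for v in vendors:
        share = shares.get(v.name, 0.0)
        if share == 0.0:
            continue  # never a single point of failure; quarterly review is enough
        if share >= threshold:
            for proc in spof[v.name]:
                actions.append((v.name, f"add failover route for {proc}"))
        if not v.mfa_on_remote_access:
            actions.append((v.name, "require MFA on remote access"))
        if v.days_since_posture_check > check_interval_days:
            actions.append((v.name, "posture check overdue"))
    return actions


if __name__ == "__main__":
    for vendor, share in sorted(concentration(SAMPLE_PROCESSES).items(), key=lambda kv: -kv[1]):
        print(f"{vendor}: {share:.0%} of processes have no other route")
    for f in simulate_outage(SAMPLE_PROCESSES, "HubClearing"):
        print(f"outage of {f.vendor}: {f.process} would {f.effect}")
    for vendor, action in triggers(SAMPLE_PROCESSES, SAMPLE_VENDORS):
        print(f"ACTION {vendor}: {action}")
```

Run it as a script and the sample register reports that the clearinghouse is the sole route for 60% of processes, that its outage would stop three processes and degrade one, and that the vendor needs failover routes, MFA on remote access, and an overdue posture check. The payroll vendor is also a single point of failure but sits under the threshold, so it only gets the regular review; raising or lowering the threshold is the policy lever the risk register gives leaders.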
If a major vendor fails, focus on three immediate priorities to limit harm:
Bring together legal, compliance, IT, operations, and communications right away. Quick, coordinated action shortens outages and reduces the long-term cost.
HIPAA still applies when the breach happens at an outside vendor. Under the Breach Notification Rule a covered entity remains responsible for notifying affected individuals, HHS and, where required, the media and state regulators, even when the root problem sat with a business associate. Regulators look closely at large incidents: HHS's Office for Civil Rights opened an investigation into Change Healthcare within weeks of the attack, and they expect organizations to show measurable vendor oversight. Clear indicators and an audit trail make it far easier to demonstrate after an incident that you met your obligations.
Do the simple math. A focused three-year effort that secures top vendors, enforces stronger account controls, and adopts basic failover plans costs a fraction of what a national outage can require. When you add in faster recovery, fewer emergency advance payments, and less legal exposure, the return is clear. A stronger enterprise risk approach also improves standing with insurers, which can mean better policy terms and lower friction if a claim arises.
Anthem, Medibank, and Equifax show overlapping themes: weak account controls, third-party access, unpatched systems, and slow detection. The Change Healthcare case adds another lesson: scale matters. When a vendor connects to huge parts of daily care, its failure becomes a public health problem. That moves vendor concentration to the top of enterprise risk lists for healthcare leaders.
Begin with a 90-day push: identify your top vendor dependencies, enforce MFA on every vendor-facing and remote-access path, and run a short tabletop exercise on rerouting claims. Use the results of that pilot to show measurable gains in reduced outage time and to justify steady expansion of indicators and vendor reviews. Focus on the few things that stop care when they fail; that is where the effort pays back most.
Step up to prevent the next crisis. This was avoidable in many ways. If you want to set a clear course for securing the few things that keep care running, start the conversation with iRM. Visit iRM’s Contact Us page to open a dialogue about your vendor risks and the most effective next steps for your organization. Take that first step this quarter to protect patients and maintain steady operations.