Change Healthcare Cyber Attack: Implications for Third-Party Incident Response in Healthcare Cybersecurity

By Jonathan Elmer

The cybersecurity incident that struck Change Healthcare, a pivotal unit within UnitedHealth Group's subsidiary Optum, has caused significant disruptions across the U.S. healthcare landscape, particularly affecting billing operations, pharmacies, and patients nationwide.

What Happened

This attack took place on February 21, 2024, and industry speculation is that it was the work of the BlackCat ransomware group, although they have not publicly claimed responsibility for it yet. H-ISAC recently shared information that the source of the event may have been an exploit of the recently announced ConnectWise ScreenConnect vulnerabilities, but this is also not yet confirmed.

The Impact on Healthcare

In response to the attack, Change Healthcare was compelled to disconnect its IT systems, an action aimed at curtailing further damage. This move, however, has led to widespread operational disruptions, notably in insurance processing, causing significant delays for patients trying to acquire prescriptions using their insurance. Many have been forced to pay out-of-pocket to obtain necessary medications. Moreover, the ripple effect of this cyberattack has extended beyond local pharmacies to impact military clinics and hospitals globally, as well as retail pharmacies across the nation. Once the immediate crisis of the operational disruptions subsides, focus will shift to the substantial concerns over the security of tens of millions of patient records that Change Healthcare manages.

This cyberattack not only emphasizes the critical importance of cybersecurity vigilance and the swift application of patches following the discovery of vulnerabilities but also serves as a stark reminder of the cascading effects such incidents can have on the broader healthcare ecosystem, affecting service providers and patients alike.

How You Can Prepare for the Next Third Party Incident

The Change Healthcare cyber attack is yet another example of healthcare organizations' vulnerability to operational disruptions due to security breaches in their third-party vendors. CORL's Third Party Incident Response (TPIR) platform has emerged as a crucial tool for boosting preparedness and response capabilities during these vendor security incidents. By equipping healthcare entities with easily accessible key security contact information and appropriate escalation paths, the TPIR platform creates the capability for swift peer to peer communication between vendors and their customers during security incidents. Additionally, CORL customers can use the TPIR platform to send surveys in bulk, to anywhere from dozens to thousands of their vendors, to facilitate a swift evaluation of the operational consequences of security incidents or industry-wide vulnerabilities on numerous vendors simultaneously.

This function is crucial for healthcare organizations to quickly triage vendors who are most likely to introduce risk into their environment and take mitigating actions to reduce their exposure. The Change Healthcare cyber attack is the perfect use case for these surveys. CORL TPIR customers can instantly inquire with a large number of their vendors if they are experiencing any operational disruptions due to the Change Healthcare breach. CORL customers may also want to ask if their vendors are using any currently exploitable software versions like ConnectWise ScreenConnect, which is speculated to be linked to the Change Healthcare /Optum cyber attack. These surveys are quick and easy to spin up, and due to the clearinghouse nature of CORL's TPIR platform, vendors can reply to a single survey once and make those responses available to as many of their customers as they choose. Saving time on the vendor side of the equation in IR scenarios is critical for getting accurate and timely information to the healthcare organizations who need to know their exposure.

CORL's TPIR platform plays an essential role in the IR playbook for healthcare organizations looking to strengthen defenses against the complex landscape of vendor security and supply chain incidents. For more details, visit



Jonathan Elmer is a seasoned cybersecurity expert and the Chief Information Security Officer (CISO) at CORL Technologies. With over two decades of experience in information security, Jonathan's career is distinguished by his dedication to advancing security frameworks within the healthcare industry. He holds a Bachelor's degree in Information Systems Security and has contributed his expertise to various Fortune 500 companies before joining CORL. Jonathan is an advocate for robust cybersecurity measures and regularly shares his insights at industry conferences and through academic publications. His strategic vision and leadership have been instrumental in developing innovative security solutions that safeguard sensitive data and ensure compliance with complex regulatory requirements. Jonathan's work reflects a deep commitment to protecting the integrity of healthcare information in an increasingly digital world.

Most Recent Posts
Essential Guide for Vendors: Key Features to Look for in a Cyber Security Assessment Tool for Healthcare TPRM   Read More
Do You Understand Your Vendors' SOC 2 Reports? Read More
The Unintended Risks of Third-Party Cybersecurity Questionnaires  Read More