It has been two years since the Change Healthcare cyberattack disrupted claims processing for thousands of healthcare providers across the country. The headlines have faded, but the consequences have not. Lawsuits are still being filed. Class actions are still moving through the courts. And the underlying structural issue, the concentration of healthcare claims traffic through a small number of large clearinghouse networks, has not meaningfully changed.
Two years is enough distance to ask the harder question: what did the industry actually learn, and what has actually changed since?
What Happened, Briefly
In February 2024, the ALPHV/BlackCat ransomware group breached Change Healthcare, an Optum-owned clearinghouse that processed roughly one-third of all healthcare claims traffic in the United States. The disruption brought claims processing, eligibility verification, and ERA distribution to a halt for the providers who relied on Change as their clearinghouse.
The American Hospital Association estimated approximately $2.87 billion in delayed provider cash flow during the disruption. Smaller practices were disproportionately affected because they had fewer alternative routing options and less financial cushion to absorb a multi-week revenue interruption. Independent practices, ambulatory surgery centers, and small specialty groups closed temporarily or permanently in some cases.
Two years on, the financial consequences are still surfacing. Class-action lawsuits filed in 2024 and 2025 are now reaching summary judgment stages. New lawsuits continue to be filed by patients whose protected health information was exposed. The legal tail of a major vendor breach is long.
The Three Lessons the Industry Should Have Learned
Lesson 1: Concentration risk is a real and quantifiable threat. When a large percentage of claims traffic runs through a single clearinghouse network, an outage at that network becomes a systemic event, not just a vendor problem. The Change Healthcare disruption demonstrated this at scale. Providers who relied on a single clearinghouse connection had no alternative routing when that connection failed.
Lesson 2: Single-rail strategy is a liability, not a luxury. Maintaining a secondary clearinghouse connection is no longer a discretionary expense. It is a basic risk management measure for any healthcare operation that depends on continuous claims processing to operate. The Change Healthcare outage proved that single-vendor dependency creates a single point of failure that can take an operation offline for weeks.
Lesson 3: Vendor security posture is now a business decision, not a procurement detail. The HIPAA Business Associate Agreement that governs clearinghouse relationships is not just compliance paperwork. It is a contractual allocation of risk. Billing companies and practices that selected vendors based primarily on price are now reevaluating those decisions through a different lens, particularly given the additional disclosures from TriZetto and other RCM-adjacent vendors in 2025 and 2026.
What Has Actually Changed Since
Two years on, the honest answer is: less than you might hope.
Some things have changed:
- Industry awareness of concentration risk is dramatically higher than it was in February 2024. The phrase single point of failure shows up routinely in vendor evaluation conversations now.
- More billing companies have evaluated or implemented secondary clearinghouse rails than at any point previously.
- BAA review and vendor security due diligence have become standard practice in clearinghouse selection, where five years ago they were often pro forma.
- HHS issued new HIPAA Security Rule proposed rulemaking in early 2025, with final rule expected in 2026, partially in response to the breach environment.
But some things have not changed:
- The underlying concentration in the clearinghouse market remains. Optum/Change still processes a substantial share of national claims traffic, even after the disruption.
- Adoption of true secondary clearinghouse rails has lagged behind awareness. Many practices have evaluated the option but not implemented it.
- Smaller practices, particularly independent and ambulatory, still tend to operate single-rail because the perceived implementation cost is higher than the perceived risk.
- Vendor consolidation in the broader RCM market continues, which arguably increases rather than reduces concentration risk.
What the Two-Year Mark Should Prompt
For practice managers, billing leads, and RCM directors, the anniversary is a useful prompt to ask three questions that may have been deferred during the immediate aftermath.
- Do we have a documented business continuity plan if our primary clearinghouse goes down for more than 72 hours? Not informally; documented. Specifying who has authority to act, what the alternative routing path is, and how client communication is handled during failover.
- Have we evaluated whether a secondary clearinghouse rail is appropriate for our operation? Not as a hypothetical; as a concrete evaluation with a yes or no decision and documented reasoning.
- Have we reviewed our current clearinghouse vendor’s security posture since the original BAA was signed? Specifically: breach detection capability, audit trail standards, incident response history, and any acquisition activity that may have changed the operating environment.
If the answer to any of those is no, or not in the past 12 months, the two-year anniversary is the right moment to fix that.
How Harris Secure Connect Approaches Continuity
Harris Secure Connect has operated as a HIPAA covered entity for 26 years without a comparable disruption, backed by the institutional resources of our Harris Computer parent and Global Payments. We routinely operate as the primary clearinghouse for practices that have chosen us specifically for stability, and as the secondary rail for practices whose primary is elsewhere and whose business continuity strategy now requires redundancy.
If the two-year anniversary has you thinking about whether your current setup is structurally resilient, our team is happy to walk through what the conversation looks like.