One Year After the Change Healthcare Breach: What Group Practices Must Learn

by | Feb 26, 2025 | General Business |

The Wake-Up Call Your Practice Can’t Ignore

The Change Healthcare breach sent shockwaves through the healthcare industry, disrupting claims processing for months and impacting nearly 190 million individuals. This wasn’t just a cybersecurity failure—it was a wake-up call for every healthcare provider, including group practices like yours.

Cyberattacks aren’t a matter of “if” but “when.” If a massive organization like Change Healthcare can be compromised, smaller group practices are even more vulnerable. The good news? There are clear, actionable steps you can take today to safeguard your practice and your patients’ sensitive data.

An image that reads: a client's records are mote than just clinical notes

What Went Wrong: Lessons from the Change Healthcare Breach

The Change Healthcare breach was a textbook example of security weaknesses leading to catastrophic consequences. The attackers, a ransomware group known as BlackCat, exploited a lack of multi-factor authentication (MFA) to gain access to critical systems. Once inside, they were able to deploy ransomware and cripple essential healthcare operations.

Beyond MFA, several key failures contributed to the breach:

  • Inadequate third-party risk management – Too much trust in external vendors without sufficient security oversight.

  • Lack of a robust security framework – No effective safeguards to prevent or quickly contain a cyberattack.

  • Centralized data vulnerabilities – A massive single point of failure, leaving all operations exposed.

Had Change Healthcare enforced stronger security measures, including MFA and a proactive risk management strategy, the impact could have been minimized. But their missteps offer critical lessons for your practice.

How Your Practice Can Stay Secure

1. Employee Training: Your First Line of Defense

Most breaches don’t start with sophisticated hacking—they start with a simple phishing email or social engineering attack. Employees are the weakest link, but with proper training, they can also be your first line of defense.

  • Regular cybersecurity training helps staff recognize phishing attempts and social engineering tactics.

  • Creating a culture of security means every team member understands their role in protecting patient data.

  • Ongoing security awareness reminders reinforce best practices and keep cybersecurity top of mind.

2. Security Measures: The Basics Matter

It’s easy to assume cybersecurity is complicated, but the reality is that the most effective measures are often the simplest:

  • MFA is non-negotiable – Enforce multi-factor authentication across all systems to block unauthorized access.

  • System configuration matters – Using HIPAA-compliant tools isn’t enough if they aren’t configured securely. Security is an ongoing process, not just a checkbox.

  • Regular risk analysis – Conduct third-party audits and internal vulnerability assessments to identify and fix security gaps before hackers exploit them.

3. Risk Analysis & Mitigation Planning: Prepare for the Inevitable

A strong cybersecurity posture isn’t just about prevention—it’s about having a plan for when things go wrong.

  • Regular risk assessments help you uncover vulnerabilities before cybercriminals do.

  • Incident response plans ensure you can act quickly to minimize damage when an attack happens.

  • Backup and redundancy strategies keep your practice running even in the face of a breach.

Take Action Today: Secure Your Practice with Practice Care

Cybersecurity isn’t a one-time effort—it’s an ongoing process. Group practices that take security seriously invest in proactive solutions that evolve with new threats.

With Practice Care, you get the tools and strategies you need to protect your practice:

  • Cybersecurity management tools to enforce MFA and secure your systems.

  • Annual Risk Assessment and Mitigation Planning (RAMP) to identify and close security gaps.

  • Comprehensive security policies and procedures designed for real-world implementation—not just compliance theater.

Don’t Wait for a Breach—Protect Your Practice Now

The Change Healthcare breach is a cautionary tale that underscores the importance of taking action before it’s too late. You have the power to safeguard your practice, your data, and your patients by implementing these security measures today.

🔒 Sign up for Practice Care now and take control of your cybersecurity. Your patients trust you with their health—make sure they can trust you with their data, too.

Sign Up For Group Practice Care

See our comprehensive HIPAA programs for group practices and solo practitioners:

Group Practices
Solo Practitioner


v2.1.26-beta

Continuing Education National Approvals

Person Centered Tech Incorporated has been approved by NBCC as an Approved Continuing Education Provider, ACEP No. 6582. Programs that do not qualify for NBCC credit are clearly identified. Person Centered Tech Incorporated is solely responsible for all aspects of the programs.

Person Centered Tech Incorporated is approved by the American Psychological Association to sponsor continuing education for psychologists. Person Centered Tech Incorporated maintains responsibility for this program and its content.

Continuing Education State Approvals

  • Person Centered Tech is an approved provider continuing education provider with the Florida Board of Clinical Social Work, Marriage and Family Therapy and Mental Health Counseling. CE Broker Provider #50-23706.
  • Ohio Counselor, Social Worker, and Marriage and Family Therapist Board accepts continuing education credits from providers approved by the Florida Board of Clinical Social Work, Marriage and Family Therapy and Mental Health.
  • Person-Centered Tech Incorporated is recognized by the New York State Education Department's State Board for Social Work as an approved provider of continuing education for licensed social workers #SW-0540 and the State Board for Mental Health Practitioners as an approved provider of continuing education for licensed marriage and family therapists #MFT-0092, licensed mental health counselors #MHC-0210 and licensed psychoanalysts #P-0050 and the State Board for Psychology as an approved provider of continuing education for licensed psychologists #PSY-0068.

Policies and Terms

Training Resources

About Us

Email: [email protected]

Customer Service Hours: M-F 9AM-3PM PST

Address:
Person Centered Tech Incorporated
PO Box 42494
Portland, OR 97242

Where's our phone number?

Scheduled Maintenance

We will be temporarily taking the website offline at 10:00 PM Pacific (1:00 AM Eastern) tonight, July 6, in order to make some improvements. We plan to be back online by midnight Pacific (3:00 AM Eastern). We apologize for any inconvenience this may cause. Dismiss