What the 2025 UnitedHealth Group Breach Means for Every Home Health Agency
Obi Ibeto

The UnitedHealth Group breach exposed 190 million Americans. Here's what it means for home health agencies — including increased phishing risk, supply chain exposure, and patient notification obligations.

The February 2024 cyberattack on Change Healthcare — a subsidiary of UnitedHealth Group — resulted in one of the largest healthcare data breaches in history. By early 2025, UnitedHealth Group confirmed that approximately 190 million Americans had their health information compromised. The breach disrupted healthcare payments across the United States for weeks, affecting hospitals, pharmacies, and care providers including home health agencies.

If your home health agency submits Medicare or Medicaid claims through Change Healthcare's clearinghouse — which the vast majority of home health agencies do, either directly or through their billing company — your patients may be among the 190 million affected. And the downstream implications for your agency extend well beyond the initial disruption.

How the Change Healthcare Breach Affected Home Health Agencies Directly

Payment Processing Disruption

Change Healthcare processes approximately 50% of all U.S. medical claims. When its systems were taken offline in response to the ransomware attack, home health agencies across the country found themselves unable to submit claims electronically — and therefore unable to receive reimbursement — for periods ranging from days to weeks.

For agencies operating on thin Medicare margins, a two-week payment disruption creates immediate cash flow pressure. Agencies without adequate cash reserves were forced to draw on lines of credit, delay vendor payments, or make difficult operational decisions during the outage period.

Patient Data Exposure and Notification Obligations

If your agency used Change Healthcare for claims processing and your patients' data was included in the breach, you may have had an independent obligation to investigate and notify affected patients — even though your agency was not the entity that was breached.

The HIPAA Breach Notification Rule focuses on which covered entity's patients were affected, not which entity was breached. If your business associate (Change Healthcare, through your billing company) was breached and your patients' ePHI was compromised, your notification obligations were potentially triggered.

This created a complex situation: home health agencies scrambled to determine whether they had an independent notification obligation, what data was exposed, and how to communicate with patients who were simultaneously receiving notifications from multiple healthcare entities.

Increased Phishing Risk in the Aftermath

Major breaches generate phishing campaigns. In the months following the Change Healthcare breach, threat actors launched phishing campaigns impersonating UnitedHealth Group, Change Healthcare, and HHS — targeting healthcare billing staff with urgent notifications about payment restoration, credential verification, and breach compensation claims.

Home health billing staff who were already stressed by the payment disruption were more susceptible to urgent-sounding communications. This pattern — a major disruption followed by opportunistic phishing — is now a standard playbook for sophisticated threat actors.
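One way a billing team's mail filter could hold such messages for review, as an added example that is not part of the original article: it flags mail that names one of the impersonated organizations but comes from another domain, has a mismatched Reply-To, or uses the lure themes listed above. The domain allowlist and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Organizations the article says were impersonated, mapped to sender domains
# treated as legitimate. ASSUMPTION: replace with domains your agency has verified.
BRANDS = {
    "unitedhealth": {"unitedhealthgroup.com", "uhc.com"},
    "change healthcare": {"changehealthcare.com"},
    "hhs": {"hhs.gov"},
}
# Lure themes named in the article.
LURES = ("payment restoration", "credential verification", "breach compensation")

def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw: str) -> list[str]:
    """Return the reasons a message should be held for manual review."""
    msg = message_from_string(raw)
    sender = _domain(msg.get("From"))
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()  # plain-text mail only
    reasons = []
    claimed = f"{parseaddr(msg.get('From', ''))[0]} {subject}".lower()
    for brand, allowed in BRANDS.items():
        trusted = any(sender == d or sender.endswith("." + d) for d in allowed)
        if brand in claimed and not trusted:
            reasons.append(f"names '{brand}' but sender domain is '{sender}'")
    reply_to = _domain(msg.get("Reply-To"))
    if reply_to and reply_to != sender:
        reasons.append(f"Reply-To domain '{reply_to}' differs from sender")
    hits = [lure for lure in LURES if lure in f"{subject} {body}".lower()]
    if hits:
        reasons.append("lure themes: " + ", ".join(hits))
    return reasons

# Constructed sample messages (not real mail); .example domains are reserved.
SAMPLE_SUSPECT = """\
From: "Change Healthcare Payments" <notice@changehealthcare-restore.example>
Reply-To: claims-desk@mailbox.example
Subject: Urgent: payment restoration requires credential verification

Sign in today to release your held remittance.
"""
SAMPLE_ROUTINE = """\
From: "HHS Office for Civil Rights" <ocr@hhs.gov>
Subject: Webinar schedule

Agenda attached.
"""
```

Calling `triage(SAMPLE_SUSPECT)` returns three reasons, while the routine message returns an empty list.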

The Systemic Lesson: Third-Party Risk in Home Healthcare

The Change Healthcare breach exposed a critical vulnerability in healthcare infrastructure: the concentration of critical services in a small number of vendors, with inadequate resilience planning by the organizations that depend on them.

For home health agencies, the breach's practical lessons include:

Understand your claims pathway. Most agencies know which billing company they use. Fewer know which clearinghouse their billing company uses for claim submission, which clearinghouse their billing company uses for remittance processing, and what happens to their operations if any of those vendors experiences an outage or breach.

Map your claims pathway completely: your agency → your billing company → their clearinghouse → CMS/payers. Identify the single points of failure. Ask each vendor what their business continuity plan includes for a multi-week outage.

Maintain clearinghouse redundancy. Before the Change Healthcare breach, many billing companies had exclusive relationships with a single clearinghouse for cost or contractual reasons. The breach revealed the operational risk of that single-vendor dependency. Some home health agencies had backup clearinghouse relationships that allowed them to reroute claims within days; others were effectively stranded for weeks.

Ask your billing company whether they have backup clearinghouse relationships and what the activation process is.

Cash flow reserve. The CMS advance payment program activated during the Change Healthcare disruption, but accessing it required applications and administrative capacity that stressed agencies during an already chaotic period. A cash reserve equivalent to 30 days of operating expenses provides a buffer against payment disruption from vendor outages, breaches, or system failures.

Business continuity planning for vendor failures. Your agency's disaster recovery plan likely covers ransomware and natural disasters. Does it cover "major billing vendor is offline for 30 days"? If not, add this scenario to your tabletop exercise planning.
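The claims-pathway mapping and clearinghouse-redundancy lessons above can be checked mechanically once the pathway is written down. The following is an added example, not from the original article: it models the pathway as a directed graph and lists every vendor whose outage alone would cut all routes from the agency to CMS/payers. All vendor names are hypothetical placeholders.

```python
from collections import deque

def reachable(graph, src, dst, removed=None):
    """Breadth-first search from src to dst, skipping the `removed` node."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph.get(node, ()):
            if nxt != removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def single_points_of_failure(graph, src, dst):
    """Vendors whose outage alone cuts every claim route from src to dst."""
    nodes = set(graph) | {n for targets in graph.values() for n in targets}
    return sorted(n for n in nodes - {src, dst}
                  if not reachable(graph, src, dst, removed=n))

# Constructed pathway following the article's chain:
# agency -> billing company -> clearinghouse -> CMS/payers.
SINGLE = {
    "agency": ["billing_company"],
    "billing_company": ["clearinghouse_a"],
    "clearinghouse_a": ["cms_payers"],
}
# Same agency after the billing company adds a backup clearinghouse (hypothetical).
WITH_BACKUP = {
    "agency": ["billing_company"],
    "billing_company": ["clearinghouse_a", "clearinghouse_b"],
    "clearinghouse_a": ["cms_payers"],
    "clearinghouse_b": ["cms_payers"],
}

if __name__ == "__main__":
    for name, graph in (("single", SINGLE), ("with backup", WITH_BACKUP)):
        print(name, single_points_of_failure(graph, "agency", "cms_payers"))
```

With a backup clearinghouse the clearinghouse drops off the list, but the billing company remains a single point of failure, which is the dependency the continuity questions above should cover.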

What to Tell Your Patients

If you have not already determined whether your patients were affected by the Change Healthcare breach and communicated accordingly, the time to act was 2024. If your patients received notification from UnitedHealth Group directly and have questions about their home health agency's role, you need a clear, honest response:

"Your home health agency used [billing company], which processed claims through Change Healthcare. The breach of Change Healthcare may have included information submitted on your behalf. We [have reviewed / are reviewing] our records to determine what specific information was included. We take the privacy of your health information seriously and are committed to [whatever specific actions you have taken]."

Patients who receive vague or evasive responses lose trust. Patients who receive direct, honest explanations with specific action steps retain it.

