Third-Party Vendor Risk: What the Change Healthcare Breach Still Means for Your Business in 2025
If your business has never heard of Change Healthcare, you probably still felt the shockwave. The February 2024 cyberattack on Change Healthcare – a subsidiary of UnitedHealth Group and the largest healthcare payment processing network in the United States – is now the most consequential healthcare data breach in American history. It disrupted billing for hospitals, pharmacies, physician practices, and insurers across the country for weeks. But here is the part that most business owners outside of healthcare are missing: the Change Healthcare breach is not a healthcare story. It is a third-party vendor risk story, and it has a direct lesson for every SMB leader in 2025, regardless of your industry.
Table of Contents
- What Actually Happened at Change Healthcare
- Why “It Wasn’t Our Breach” Is Not a Defense
- How SMBs Are Exposed Through Their Vendors
- The Real Cost of Vendor-Driven Incidents
- Five Lessons Every Business Owner Should Take From This
- Concrete Action Steps You Can Take Right Now
- Why Vendor Risk Is a Core Part of Our Practice
What Actually Happened at Change Healthcare
In February 2024, a ransomware group known as ALPHV/BlackCat breached Change Healthcare's network. The entry point was straightforward and preventable: stolen credentials used to log in to a Citrix remote access portal that did not have multi-factor authentication enabled. Once inside, the attackers moved laterally through the network for nine days before deploying ransomware.
The fallout was immediate and staggering. Change Healthcare processes roughly 15 billion healthcare transactions per year and, by UnitedHealth's own estimate, touches about one in three patient records in the United States – by some estimates close to half of all medical claims. When the company took its systems offline to contain the damage, providers across the country could not submit claims, verify insurance coverage, or process patient payments. Some hospitals reported losing $1 million or more per day in delayed reimbursements, and small practices, with far thinner cash reserves, were hit hardest.
UnitedHealth Group ultimately paid a $22 million ransom. Paying did not end the extortion: after ALPHV pocketed the payment and shut down, a second group, RansomHub, claimed the stolen data and demanded a further payment. The company initially estimated that protected health information for roughly 100 million Americans was exposed, then revised that figure to about 190 million in January 2025 – making this the largest healthcare data breach ever recorded in the U.S. The total financial impact to UnitedHealth Group has been estimated at over $3 billion, including remediation, legal exposure, and provider relief funding.
The U.S. Senate held hearings. The CEO testified. Regulators opened investigations. And while the headlines focused on the size of the ransom and the scope of the data exposure, most business owners missed the structural lesson buried underneath all of it.
Why “It Wasn’t Our Breach” Is Not a Defense
Here is the hard truth that the Change Healthcare incident makes impossible to ignore: thousands of organizations that did everything right still got hurt. Physician practices with strong internal security policies still had their revenue cycles frozen. Hospitals with robust IT teams still could not process claims. None of them were breached. None of them made a security mistake. And all of them suffered real, measurable financial harm.
This is what third-party vendor risk actually means in practice. You are not just responsible for securing your own environment. You are exposed to the security decisions – and the security failures – of every vendor, platform, and service provider your business depends on.
The Cybersecurity and Infrastructure Security Agency (CISA) has published extensive guidance on supply chain and third-party risk management, noting that adversaries increasingly target the weakest link in a supply chain rather than attacking well-defended organizations directly. That guidance was available before February 2024. Most organizations ignored it.
In 2025, ignoring it is no longer an option.
How SMBs Are Exposed Through Their Vendors
When most SMB owners think about cybersecurity, they think about their own network. Their own computers. Their own employees clicking on phishing emails. That mental model misses a significant portion of the actual risk surface.
Consider the vendors a typical 20-person professional services firm relies on in a single week:
- A cloud-based accounting or ERP platform that holds financial records
- A payroll processor that has direct access to your bank accounts
- A document management or e-signature platform with signed contracts and sensitive client data
- An IT support provider with administrative access to your systems
- A marketing automation tool with your entire customer contact database
- A legal or HR software platform with employee and compliance records
Each of those vendors is a potential entry point. If any one of them is breached, attackers may be able to reach your data, your clients’ data, or your financial accounts – without ever touching your firewall.
This is not a theoretical scenario. The 2020 SolarWinds attack pushed a trojanized Orion software update to roughly 18,000 customers, including U.S. government agencies, through a single trusted vendor. The 2021 Kaseya attack used a flaw in the Kaseya VSA management tool to hit an estimated 1,500 downstream businesses through their IT service providers. And now Change Healthcare has shown that a single third-party failure can freeze an entire industry's cash flow for weeks.
Scale does not protect you. The breach is always somewhere in the chain.
The Real Cost of Vendor-Driven Incidents
Business owners often underestimate the cost of a vendor-side incident because they assume cyber insurance or contractual indemnification will cover the damage. In practice, neither guarantees full protection.
After the Change Healthcare breach, many small practices discovered their cyber insurance policies excluded losses caused by third-party outages. Others found that their contracts with Change Healthcare limited liability to amounts that did not come close to covering actual lost revenue.
Beyond the direct financial loss, consider the downstream consequences:
- Client trust erodes when their data is exposed, even through a vendor you did not choose for them
- Regulatory investigations can be triggered whether or not your own systems were breached, if you held data that was exposed through a third party
- Business continuity breaks down when a critical operational vendor goes offline – cash flow freezes, operations slow, and staff time is consumed by manual workarounds
- Reputational damage often falls on the organization whose name is on the client relationship, not the vendor who caused the problem
These are costs your business absorbs whether or not you ever made a single security mistake. That asymmetry is what makes third-party vendor risk one of the most underappreciated threats in the SMB market today.
Five Lessons Every Business Owner Should Take From This
1. Know Who Has Access to What
You cannot manage risk you cannot see. Start by building a simple inventory of every vendor that has access to your systems, your data, or your financial accounts. Most businesses that go through this exercise for the first time are surprised by how long the list is – and how many of those vendors have more access than they actually need.
2. Ask Your Vendors Hard Questions Before You Sign
Vendor security due diligence does not need to be complicated. A short questionnaire asking about their authentication policies, incident response procedures, and data handling practices will tell you a great deal. A vendor that cannot answer basic questions about their own security posture is a vendor that probably has not thought carefully about it.
3. Understand Your Contractual Exposure
Read the data processing agreements and liability clauses in your vendor contracts. If a vendor's breach exposes your clients' data, are you obligated to notify those clients? In most states the notification duty sits with the business that owns the data, not with the vendor that lost it, so almost certainly yes. Is the vendor contractually liable for your losses? Probably not to the extent you would hope – liability caps are common and are often limited to a few months of fees. Knowing this before an incident – not after – gives you time to make different decisions.
4. Build Operational Resilience Around Critical Vendors
For every vendor that is critical to your revenue cycle or operations, ask: if this vendor went offline for two weeks tomorrow, what would we do? Change Healthcare’s affected providers largely did not have an answer to that question. Build one now. Manual fallback procedures, secondary vendors, and documented contingency plans are not exciting, but they are what keeps a business running when something breaks.
5. Make Cyber Insurance Work Harder for You
Review your cyber insurance policy with specific attention to third-party and supply chain event coverage. Many policies written before 2022 do not explicitly cover losses from vendor outages or third-party breaches. If yours does not, that is a gap worth discussing at your next renewal. This is not about spending more – it is about making sure the coverage you are already paying for actually responds to the risks you actually face.
Concrete Action Steps You Can Take Right Now
None of the following require a large budget or a specialized IT team. They require time, attention, and the willingness to have direct conversations with your vendors and your advisors.
- Conduct a vendor inventory audit – list every third party with access to systems or data, then rank them by how critical they are to your operations
- Require multi-factor authentication on every vendor portal your team uses, and ask each vendor whether their own remote access requires it – an exposed remote portal without MFA is exactly the gap that let the attackers into Change Healthcare
- Send a short security questionnaire to your top five vendors and review the responses
- Pull your cyber insurance policy and read the third-party coverage section – if you do not understand it, ask your broker to walk you through it
- Document a continuity plan for your two or three most operationally critical vendors – what you do if they go offline for a week
- Review whether vendors have more system access than they need and revoke permissions that are no longer necessary
These steps are not a complete vendor risk program. But they will get you significantly further than the vast majority of your competitors, most of whom have not thought about this at all.
Why Vendor Risk Is a Core Part of Our Practice
At Xact IT Solutions, we have spent more than 20 years building IT and cybersecurity environments for SMBs across New Jersey and the Philadelphia metro – and in that time, not a single client has experienced a breach. That record is not accidental. It reflects a discipline that extends beyond the client’s own network.
Third-party vendor risk is one of the areas we examine as part of how we build and maintain client environments. We look at who has access, how that access is controlled, what your contractual obligations are if a vendor incident touches your data, and how your operations would hold up if a critical vendor went dark. Most businesses have never been walked through that conversation.
We also help clients work toward recognized compliance frameworks – including HIPAA and SOC 2 – that specifically require documented vendor risk management programs. Whether or not you are subject to a formal compliance requirement, the discipline those frameworks demand makes your business materially harder to hurt.
The Change Healthcare breach will not be the last incident of its kind. In 2025, the question is not whether a vendor in your supply chain will face a security incident. The question is whether you will have any warning, any controls, and any plan when it happens.
If you want to understand where your business actually stands on third-party vendor risk – not a generic checklist, but a real conversation about your specific vendors, your data flows, and your exposure – our team is here for that conversation. The Free Strategy Call is 20 minutes, no sales pressure, and no obligation. You will walk away with a clearer picture of where the gaps are.
Get a Second Opinion
Sometimes the best thing you can do for your business is have someone outside your current vendor relationship take a fresh look. That’s what a strategy call gives you — 20 focused minutes with our team and a no-strings-attached read on what we’d recommend.