Contact us

  • 1 Executive Dr Suite 100 #123 Marlton NJ 08053
  • 856-282-4100
  • info@xitx.com

Change Healthcare Breach Fallout: The Civil Liability Risk Small Businesses Aren’t Pricing In

The Change Healthcare breach fallout has moved well beyond headlines about a single ransomware attack on a claims processing giant. It has quietly become one of the most significant civil liability events in the history of healthcare IT – and the shockwave is reaching businesses that would never describe themselves as healthcare companies. If your firm bills insurers, handles explanation-of-benefit documents, processes payroll for medical staff, consults for clinics, or manages software used by a practice, you may be carrying exposure you have never measured.

  1. What Actually Happened at Change Healthcare
  2. Why the Fallout Reaches Far Beyond Hospitals
  3. The Business Associate Trap Most Small Firms Walk Right Into
  4. Lawsuits, OCR, and Class Actions: The Civil Liability Wave
  5. What a Well-Run Operation Has in Place
  6. Federal Guidance on Protecting Health Data
  7. The Quiet Risk Is the Dangerous One
The Change Healthcare breach fallout is reshaping health data liability for small businesses across every industry.

What Actually Happened at Change Healthcare

In February 2024, the ALPHV/BlackCat ransomware group breached Change Healthcare, a UnitedHealth Group subsidiary that processes roughly one in three patient claims filed in the United States. The attackers got in with stolen credentials on a remote-access portal that had no multi-factor authentication, then moved through the network for more than a week before deploying ransomware. The result was a billing and claims paralysis that lasted months, disrupted cash flow for thousands of providers, and exposed protected health information belonging to an estimated 100 million people at the time of the initial disclosure, a figure UnitedHealth Group later revised upward to roughly 190 million. It is the largest healthcare data breach in U.S. history.

UnitedHealth Group paid a reported $22 million ransom and disclosed the incident. Congressional hearings followed. The Department of Health and Human Services Office for Civil Rights opened an investigation. Then, more quietly, the civil litigation machine started turning.

Lawsuits have been filed by hospitals, physician groups, pharmacies, patients, and insurers. The theories of liability vary: negligence in security practices, breach of contract, and state consumer-protection and privacy claims. HIPAA itself gives private plaintiffs no right to sue, so they typically plead negligence and point to the HIPAA Security Rule as the standard of care the defendant failed to meet, while OCR and state attorneys general handle HIPAA enforcement directly. The common thread is that organizations up and down the healthcare supply chain are being asked to account for their role in how health data flowed, and how it was protected.

Why the Change Healthcare Breach Fallout Reaches Far Beyond Hospitals

Most small business owners in professional services hear “healthcare breach” and mentally file it under “not my problem.” That instinct is understandable. It is also increasingly dangerous.

The healthcare data supply chain is long. A mid-size accounting firm that handles billing reconciliation for a medical group touches protected health information. A staffing agency that places nurses and processes their credentialing documents touches it. A software vendor whose platform stores patient intake forms for a physical therapy practice touches it. A consulting firm reviewing patient flow data for a regional hospital touches it.

None of these businesses are hospitals. None of them think of themselves as healthcare companies. But under federal law, each of them may be a “business associate” – a legally defined category that carries real compliance obligations and, when something goes wrong, real liability.

The Change Healthcare breach fallout has made this abstract legal concept very concrete. Attorneys general, class action law firms, and federal investigators are all asking the same question: who had access to this data, what did they agree to do with it, and did they actually do it?

The Business Associate Trap Most Small Firms Walk Right Into

Under the Health Insurance Portability and Accountability Act, any organization that creates, receives, maintains, or transmits protected health information on behalf of a covered entity is a business associate. The law requires a formal written agreement, called a Business Associate Agreement, between the covered entity and the business associate. That agreement specifies what the business associate may do with the data and obligates it to meet specific security and breach notification standards. Since the 2013 Omnibus Rule, business associates are also directly liable to OCR for Security Rule compliance, whether or not a covered entity ever checks on them.

Here is where small firms routinely get into trouble:

  • They signed a Business Associate Agreement years ago without fully understanding what it committed them to.
  • They never signed one at all and are operating without the legal framework in place.
  • They signed an agreement, but their actual security practices do not come close to meeting its obligations.
  • They assumed their IT vendor was handling compliance – and their IT vendor assumed the same thing in reverse.

The last scenario is the most common and the most costly. A signed agreement creates a paper trail. A signed agreement combined with a documented gap between stated and actual security practices is the foundation of a negligence claim, because it establishes both the duty and the breach of it.

Our managed IT services practice regularly encounters small businesses that signed Business Associate Agreements with no awareness of the security controls those agreements legally require them to maintain. The Change Healthcare breach fallout has turned that paperwork problem into an urgent operational risk.

Lawsuits, OCR, and Class Actions: The Civil Liability Wave

The litigation emerging from Change Healthcare is instructive well beyond the facts of that specific case. It demonstrates that plaintiffs’ attorneys and regulators are now willing to pursue smaller organizations in the health data supply chain – not just the large covered entities at the top.

Several dynamics make this more likely going forward, not less:

  • Class action attorneys have become skilled at identifying downstream business associates named in a breach notification, then reaching out to affected patients as potential plaintiffs.
  • The HHS Office for Civil Rights has publicly prioritized business associate oversight – meaning covered entities are being pressured to audit their vendors, and that pressure flows directly down to small firms.
  • Cyber insurance underwriters are tightening requirements. A firm that cannot demonstrate basic security controls may find coverage denied or limited at exactly the moment it needs it most.
  • State attorneys general have parallel authority to enforce HIPAA and are increasingly active, particularly in states with their own health privacy laws layered on top of federal requirements.

The practical implication: the days of “we’re too small to matter” are over in health data. Size did not protect Change Healthcare’s downstream partners. It will not protect yours.

What a Well-Run Operation Has in Place

This is not about paranoia or compliance theater. It is about being able to demonstrate, if you are ever asked, that you took your obligations seriously and acted on them. Here is what a well-run small business in this position actually has in place – not as a wish list, but as a functioning practice.

A clear data inventory. The organization knows exactly what health-adjacent data it holds, where it lives, who can access it, and how long it is retained. This sounds basic. Most firms cannot produce this document on demand.

Reviewed Business Associate Agreements. Every agreement the firm has signed has been read and understood by someone who knows what it obligates the firm to do – not just filed after a client requested it.

Access controls that reflect least privilege. Not every employee needs access to every system. A well-run environment limits access to the minimum necessary for each role, and that access is audited and adjusted when people change roles or leave.
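The access review described above is easiest to defend when it is a repeatable check rather than a judgment call. The script below is an added example, not code from the original post or from Xact IT Solutions: it compares the entitlements actually granted in each system against a role baseline and the HR roster, and flags grants that least privilege does not justify (access held by departed staff, access outside the user's role, and accounts with no roster entry at all). The roster, role baseline and grant export are constructed sample data; in practice you would pull them from your identity provider, HR system and the applications that hold PHI.

```python
"""Least-privilege access review: grants vs. role baseline vs. HR roster.

Added example (not the original page's code). All input data below is
constructed for illustration; real reviews export it from the IdP, the HR
system and each PHI-bearing application.
"""
from dataclasses import dataclass

# Constructed role baseline: the systems each role legitimately needs.
ROLE_BASELINE = {
    "billing_specialist": {"claims_portal", "practice_mgmt"},
    "it_admin": {"practice_mgmt", "backup_console", "ad_admin"},
    "bookkeeper": {"accounting"},
}

# Constructed HR roster: (user, role, employment status).
ROSTER = [
    ("alice", "billing_specialist", "active"),
    ("bob", "it_admin", "active"),
    ("carol", "bookkeeper", "active"),
    ("dave", "billing_specialist", "terminated"),
]

# Constructed export of actual grants across systems: (user, system).
GRANTS = [
    ("alice", "claims_portal"), ("alice", "practice_mgmt"),
    ("alice", "ad_admin"),                               # billing does not need AD admin
    ("bob", "practice_mgmt"), ("bob", "backup_console"), ("bob", "ad_admin"),
    ("carol", "accounting"), ("carol", "claims_portal"),  # bookkeeper with PHI access
    ("dave", "claims_portal"),                           # terminated user still has access
    ("erin", "practice_mgmt"),                           # account with no roster entry
]


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    reason: str


def review_access(roster, baseline, grants):
    """Return one Finding per grant that the roster and baseline do not justify."""
    by_user = {user: (role, status) for user, role, status in roster}
    findings = []
    for user, system in sorted(grants):
        if user not in by_user:
            # Orphaned or shared account: nobody in HR owns it.
            findings.append(Finding(user, system, "no roster entry"))
            continue
        role, status = by_user[user]
        if status != "active":
            # Leaver whose access was never revoked.
            findings.append(Finding(user, system, f"user is {status}"))
        elif system not in baseline.get(role, set()):
            # Active user, but the grant exceeds the role's minimum necessary.
            findings.append(Finding(user, system, f"not in baseline for {role}"))
    return findings


def remediation_plan(findings):
    """Group findings into a per-user revocation list for the access owner."""
    plan = {}
    for f in findings:
        plan.setdefault(f.user, []).append(f.system)
    return plan


if __name__ == "__main__":
    results = review_access(ROSTER, ROLE_BASELINE, GRANTS)
    for f in results:
        print(f"{f.user:6} {f.system:16} {f.reason}")
    print("revoke:", remediation_plan(results))
```

Run on the sample data it reports four grants to revoke and leaves bob's admin access alone because his role justifies it. Keeping the dated output of each run is the evidence that access was actually "audited and adjusted", which is what an insurer or opposing counsel will ask to see.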

Multi-factor authentication everywhere. This is the single most effective control against the credential-based attacks that powered the Change Healthcare incident. For any organization holding sensitive data in 2025, it is not optional.

Incident response documentation. When a breach occurs, the clock starts immediately on regulatory notification requirements. Under the HIPAA Breach Notification Rule, a business associate must notify the covered entity without unreasonable delay and no later than 60 days after discovery, and many Business Associate Agreements shorten that window considerably. A firm with no documented response plan will spend critical hours figuring out what to do next. A firm with a practiced plan will be notifying the right parties and containing the damage.

A security posture that has actually been assessed. Self-assessment is not enough. The organizations coming out of this period with clean hands are the ones whose security controls were verified by an outside party – not reviewed internally and declared sufficient.

At Xact IT Solutions, our cybersecurity practice is built around this exact standard. We hold the GTIA Cybersecurity Trustmark, audited annually against CIS Critical Security Controls by a CREST-accredited assessor. That is not a marketing credential – it is how we hold ourselves to the same standard we hold our clients to. We have maintained zero client breaches across every client we have served since 2004. That record matters most to clients who have something to lose if their data environment fails.

Vendor accountability. A well-run firm knows what its IT providers can and cannot do. It does not assume compliance is covered because someone else signed a contract. The Change Healthcare breach fallout is a case study in what happens when accountability is diffused across a supply chain and nobody owns the outcome.

Federal Guidance on Protecting Health Data

Regulators have not left organizations without direction. The CISA Healthcare Cybersecurity guidance provides actionable recommendations specifically for organizations operating in and around the health data ecosystem. CISA's #StopRansomware advisories on threats to healthcare, including the joint advisory on the ALPHV/BlackCat group behind the Change Healthcare attack, are freely available and should be reviewed by any organization that holds protected health information, regardless of size.

For organizations that want to benchmark their security posture against a recognized framework, the NIST Cybersecurity Framework is the federal government’s recommended structure for managing and reducing cybersecurity risk. Understanding where your current practices fall relative to that framework is the starting point for any credible security improvement effort.

The HHS Office for Civil Rights also publishes its HIPAA Security Rule guidance as a detailed standard for what covered entities and business associates are expected to maintain. If your organization has signed a Business Associate Agreement, that guidance describes the floor – not the ceiling – of what you have agreed to do.

Reviewing these resources is not a substitute for an independent security assessment, but it is the minimum any business associate should be able to demonstrate familiarity with when asked by a regulator, an insurer, or opposing counsel.

The Quiet Risk Is the Dangerous One

The firms most exposed by the Change Healthcare breach fallout are not the ones that thought carefully about health data and concluded the risk was acceptable. They are the ones that never thought about it at all.

A billing company that processes claims for a pediatric practice. A legal firm that handles medical malpractice cases and stores patient records as exhibits. A technology consultant whose software touches a hospital’s scheduling system. These organizations are carrying liability they have never measured, under agreements they may not fully understand, enforced by regulators who are now more motivated than ever to act.

The lesson from the Change Healthcare breach fallout is not that large breaches happen to large companies. It is that when a large breach happens, the investigation and litigation reaches every organization in the data chain. The small business at the end of that chain – the one that assumed it was too small to matter – is the one that gets surprised.

Being well-run here is not complicated. It requires honesty about what data you hold, clarity about what you agreed to do with it, and security practices that actually match those obligations. Organizations that can demonstrate all three are in a defensible position. The ones that cannot are not – and the Change Healthcare breach fallout has made the cost of that gap impossible to ignore.

If you want to know where your organization actually stands, Book a Free Cybersecurity Strategy Call. It is a 20-minute conversation with our team – no sales pressure, no obligation – and you will leave with a clearer picture of your exposure than most small businesses ever get. You can also learn more about how we work on our services page.

Copyright © 2026. Website Design by Xact IT Solutions