The February 21, 2024 cyberattack on Change Healthcare disrupted U.S. healthcare billing for months, with some practices unable to submit claims, verify eligibility, or receive electronic remittance for the better part of a quarter. UnitedHealth Optum continued processing settlements through 2025 and into 2026, and HHS Office for Civil Rights opened the largest HIPAA breach investigation in the agency’s history. For practices, the lasting question is operational, not legal: how does the billing operation keep running if the primary clearinghouse goes dark again. Many practices still have not built the answer, and 2026 is the year to do it.
What the Change Healthcare attack actually did
Change Healthcare processed roughly 15 billion healthcare transactions per year before the attack, including eligibility verification (270/271), claim submission (837), claim status (276/277), and electronic remittance (835). When the platform went offline, practices that depended on Change Healthcare lost most of their EDI infrastructure simultaneously. Backup paths varied widely. Some practices had a secondary clearinghouse already configured and switched within days. Others had no backup and waited weeks or months for restoration. The financial impact for affected practices ranged from short-term cash flow disruption to existential threat for smaller groups.
The exposure most practices still have
Despite the lessons, surveys conducted in 2025 indicate a substantial portion of medical practices still rely on a single clearinghouse without a documented backup. The reasoning is usually cost (a secondary clearinghouse contract, even at low volume, has a base fee) or complexity (configuration takes time and IT resources). Both reasons were also true before February 2024, and they were not enough to justify the post-attack damage. The current calculation should put a price on the next outage and weigh the backup contract against that price.
Backup clearinghouse fundamentals
A functional backup clearinghouse contract has four characteristics. First, the secondary vendor is a different parent company from the primary, with different infrastructure dependencies. Second, payer connections are pre-configured and tested, not just contracted. Third, the practice management system or billing platform supports switching the EDI gateway without code changes. Fourth, the practice runs a test transaction through the secondary at least quarterly to confirm the path is live. Practices that have all four can switch within hours of a primary outage. Practices that have only the contract typically need a week or more to make the secondary functional in real conditions.
Direct payer connections as a fallback
For the largest payers in a practice’s mix, direct connections through the payer’s portal or proprietary interface can serve as a tertiary fallback when both primary and secondary clearinghouses are unavailable. Direct connections are typically more time-consuming per transaction, so they are not a primary path, but they keep cash flowing for the largest claim volumes during extended outages. Most major Medicare Administrative Contractors, several large commercial payers (UnitedHealthcare, Aetna, Cigna, BCBS plans), and most state Medicaid programs offer direct submission paths that practices can use without a clearinghouse.
Cash flow buffer planning
The Change Healthcare attack demonstrated that even practices with strong A/R management can run out of cash inside 60 days when EDI stops. The buffer that protects against the next outage has three components. First, a working capital reserve sized to two months of operating expenses, ideally held in a separate account from operating cash. Second, a pre-approved line of credit that can be drawn on rapidly without underwriting delay. Third, a relationship with a healthcare-specific lender or factoring partner who understands the receivables and can advance against unbilled claims if needed. Each of these takes time to set up before an event, not during one.
Vendor diligence before signing
Selecting clearinghouse and billing technology vendors with continuity in mind requires asking specific questions before contracting. Where is the data hosted, and is it on infrastructure shared with other large vendors targeted for attack. What are the vendor’s incident response and recovery time commitments. Has the vendor disclosed any breaches in the prior three years, and what was the impact. Does the vendor offer redundancy across multiple data centers and providers. Are SOC 2 Type II reports current. Practices that ask these questions during vendor selection have stronger partners; practices that take the lowest price often get exactly what they paid for during the next disruption.
Cyber insurance and what it covers
Cyber insurance has become a standard practice expense, but coverage scope varies widely. Policies typically cover business interruption from a covered cyber event, breach response costs, regulatory defense and fines, and third-party liability. Policies often exclude vendor-induced outages (the Change Healthcare attack would be excluded under some policies because the practice itself was not breached). Reading the policy with attention to vendor-induced disruption coverage, business interruption thresholds, and waiting periods is the difference between a meaningful safety net and a false sense of security.
How MHB helps practices build continuity
For practices that want a billing partner with documented backup clearinghouse paths, redundant EDI infrastructure, and direct payer connections in place, our team handles end-to-end medical billing operations with built-in continuity across multiple EDI gateways and tested fallback procedures.
The bottom line
The Change Healthcare attack was a stress test, and many practices did not pass it. The next outage will not give a long warning. Practices that build a backup clearinghouse, direct payer fallbacks, and a working capital buffer absorb the next disruption without losing the practice. Practices that put off the work until after the next event will pay for the lesson again.
Authoritative sources
This article cites the following primary sources for billing-code and regulatory guidance. Always confirm current rules and codes with the publishing authority before applying to a specific claim.
