Largest Healthcare Cyberattack in U.S. History: What Employers Need to Know Now

In February 2025, UnitedHealth Group’s subsidiary, Change Healthcare, experienced what is now considered the most disruptive cyberattack in U.S. healthcare history. The breach halted payment processing, prescription claims, and medical billing across millions of transactions. While most headlines have moved on, the real-world impact for employers is only beginning to surface.

This wasn’t just a carrier-side event. Employer-sponsored health plans—fully insured and self-funded alike—were affected by the freeze in claims infrastructure, the compromise of protected health information (PHI), and vendor communications failures. In a market where HR teams are already stretched and plan costs are rising, the fallout has exposed significant blind spots in employer health plan administration and risk governance.

What Happened?

On February 21, 2025, a ransomware group identified as ALPHV (BlackCat) breached systems at Change Healthcare, which processes more than 15 billion transactions annually. The company sits at the center of the healthcare data supply chain—used by hospitals, pharmacies, TPAs, PBMs, and carriers to route and reconcile claims.

Key impacts included:

  • Disruption of pharmacy claims, eligibility verification, and prior authorizations nationwide
  • Delayed payments to healthcare providers, some exceeding 30 days
  • Exposure of medical and payment data for potentially tens of millions of individuals
  • Temporary spikes in employer costs as manual override requests flooded HR and broker channels

What This Breach Reveals About Employer Blind Spots

Even employers with top-tier TPAs, broker support, and cyber insurance were caught off guard. Why? Because their data risk lives beyond their firewall. When a vendor like Change Healthcare goes down, the employer’s ability to process claims, track utilization, or support an employee at the pharmacy can collapse overnight.

Common blind spots include:

  • Lack of vendor mapping—Employers don’t know which subcontractors their TPA or PBM relies on
  • Missing cyber liability carve-outs—Policies exclude vendor-side breaches unless explicitly stated
  • No language in benefits contracts requiring cybersecurity protocols or breach notification timelines
  • Outdated PHI access controls—Many brokers, TPAs, and enrollment vendors retain sensitive data indefinitely

What Employers Should Be Doing Now

  • Request formal vendor disclosures—Ask carriers, TPAs, and PBMs if and how they were affected by the Change Healthcare breach
  • Audit your PHI flow—Understand who touches protected health data from onboarding to claim payment
  • Review benefit administration contracts for cybersecurity, breach response, and indemnification language
  • Confirm your cyber insurance covers vendor-side data compromises involving plan-related information
  • Coordinate with your broker to map your plan’s third-party ecosystem—including PBMs, routers, and reconciliation tools

Even employers with insured plans are not immune. While your insurer may handle the claims, your organization is still responsible for employee communication, internal policy compliance, and plan fiduciary oversight.

Final Thought

The Change Healthcare cyberattack may be over—but the lessons for employers are just beginning. This event revealed just how much risk is outsourced, invisible, and under-managed in the average employer-sponsored health plan.

Cybersecurity is no longer just an IT issue—it’s an HR, finance, and governance concern. And like most risks, the cost of prevention is far lower than the cost of recovery.

Atria works with employers to review health plan contracts, identify data exposure gaps, and build cyber resilience into plan design—not just technology. Let’s make sure your benefits infrastructure is as secure as your intent to serve your people well.
