On February 21, 2024, Change Healthcare disconnected its systems after detecting a ransomware attack later attributed to the ALPHV/BlackCat group. Three weeks later, the country is still feeling it, and the message for ambulatory surgery center (ASC) leadership is direct: vendor concentration risk is now a clinical risk, and the documentation gaps it exposes are unforced errors.
Change Healthcare processes roughly 15 billion transactions per year and, by its own estimates, touches one in three patient records in the United States. When a node that central goes offline, the downstream effects do not stay financial.
What the numbers say so far
The American Hospital Association surveyed members in early March. Seventy-four percent of responding hospitals reported direct impact on patient care, ranging from delayed authorizations to manual workarounds for medication histories. The American Medical Association found that 80 percent of physician practices have lost revenue from unpaid claims, 36 percent have experienced delays in claim payment, and 32 percent have been unable to submit claims at all.
For ASCs, which operate on thinner working capital than hospital systems and rely heavily on clean electronic claim submission, the cash-flow exposure has been particularly acute. Centers that depend on Change Healthcare for clearinghouse services, eligibility checks, or electronic prescribing of controlled substances have had to stand up workarounds in days, not weeks.
The HIPAA angle nobody wants to talk about
Change Healthcare is a Business Associate to most of its customers. That means a breach affecting protected health information is, contractually and statutorily, your breach to investigate and potentially to notify on. UnitedHealth Group, the parent company, has acknowledged that protected health information was likely exfiltrated. The scope is still being determined, but ASCs that routed claims, eligibility checks, or remittance through Change should be:
- Pulling their Business Associate Agreement with Change Healthcare and confirming notification timelines
- Documenting which PHI data elements flowed through the platform
- Logging the incident in their internal HIPAA breach assessment workflow, even before final scope is confirmed
- Preserving all communications from UnitedHealth and Optum for the eventual Office for Civil Rights inquiry
Five things to fix while this is still fresh
- Map your vendor concentration. List every vendor that, if offline for two weeks, would stop you from billing, scheduling, or delivering care. If a single name appears in more than two rows, that is concentration risk.
- Inventory Business Associate Agreements. Confirm you have current, signed BAAs with every vendor that touches PHI, and that the agreements include current breach-notification language consistent with the HIPAA Omnibus Rule.
- Build a payer-disruption playbook. Document the manual fallback for eligibility, prior auth, claim submission, and ERA posting. Name the person who owns each fallback.
- Tighten incident response. The first 72 hours of an event like this set the regulatory tone. Decide now who declares an incident, who notifies counsel, and who logs the timeline.
- Stress test your cash position. Many ASCs discovered in late February that they had less than 30 days of operating runway absent normal claim turnaround. Plan for the next event, not this one.
Quick win
Pull a list of every vendor your ASC sends PHI to or receives PHI from. For each, confirm three things: a BAA on file, its expiration date, and a primary contact you could reach by phone tomorrow. The exercise takes an afternoon and reliably surfaces two or three relationships that are out of date.
The structural problem
Healthcare has consolidated its plumbing over the last decade. That delivered efficiency in normal conditions, and a single point of failure in abnormal ones. Regulators will respond, almost certainly with sharper expectations around vendor due diligence, breach notification timing, and minimum cybersecurity standards for entities that handle PHI at scale. ASCs that get ahead of this now, by documenting their vendor footprint and tightening their incident response, will spend less time reacting to the next round of guidance.
None of this is theoretical anymore. The disruption is the case study.
How DocForms helps
Vendor Management maintains the live register of every vendor, the PHI they handle, the status of their Business Associate Agreement, and the renewal date, so concentration risk is visible at a glance rather than reconstructed under pressure.
Incident Reporting captures the breach assessment, the timeline of internal notifications, and the supporting documentation required for HIPAA breach evaluation and any subsequent OCR inquiry.
EHR Integration records how data flows between your clinical system and downstream clearinghouses, which is the artifact you reach for first when a vendor goes offline and you need to know what stopped working and why.