Change Healthcare breach: The cyberattack's impact 2 years later

By Cybersol · March 18, 2026 · 5 min read

Vendor Accountability Collapse: Why the Change Healthcare Breach Remains a Governance Failure Two Years Later

Framing: The Contractual and Regulatory Reckoning

Two years after the Change Healthcare cyberattack, the case has evolved from a discrete security incident into a structural indictment of vendor risk governance across healthcare. Change Healthcare processes claims, payments, and clinical data for thousands of providers—making it a critical infrastructure node. Yet the persistence of litigation, unresolved liability allocation, and ongoing operational disruption suggests that neither contractual frameworks nor regulatory oversight adequately constrained the vendor's security obligations or enforced accountability to downstream customers. For boards, procurement teams, and compliance officers, this case represents a governance failure at multiple levels: vendor selection, contractual design, incident response coordination, and regulatory enforcement. The question is no longer whether breaches happen—it is whether organizations have contractual and operational mechanisms to contain liability and enforce remediation when they do.

The Intermediary Risk Model Remains Unregulated

Change Healthcare's role as a critical intermediary—processing claims and payments across thousands of dependent healthcare organizations—creates a single point of failure with cascading consequences. The breach exposed a structural weakness in healthcare supply chain governance: critical service providers operate with security investments and contractual accountability that do not reflect their systemic importance. Two years later, the fact that litigation remains ongoing suggests vendor agreements failed to establish clear liability allocation, notification timelines, or remediation obligations. Most healthcare organizations accepted standard vendor terms that shift operational risk downward without corresponding indemnification, service level guarantees, or breach response protocols. This pattern is not unique to healthcare; it reflects a broader governance gap across regulated sectors where critical vendors occupy privileged positions in data flows but operate under contractual frameworks designed for commodity services.

Contractual Enforcement Mechanisms Remain Absent

The ongoing litigation reveals a critical contractual governance failure: vendor agreements did not establish binding mechanisms for incident notification, root cause analysis disclosure, or customer compensation. Healthcare providers faced operational disruption and financial losses, yet contractual pathways for recovery remain contested and protracted. This reflects a systemic problem in vendor risk management: organizations negotiate service levels for uptime and performance but fail to establish equivalent clarity around breach response, liability caps, and customer notification obligations. Under emerging regulatory frameworks like NIS2 and DORA, critical service providers now face explicit obligations for incident reporting, customer notification within defined timeframes, and demonstrable remediation. The Change Healthcare case foreshadows this regulatory environment: vendors must prove not only that breaches are contained, but that affected customers are informed, supported, and compensated according to contractual and regulatory timelines. The absence of such clarity in existing agreements suggests many healthcare organizations lack contractual levers to enforce these expectations or recover losses.

The Governance Gap: Pre-Contract Due Diligence Without Post-Incident Accountability

Most vendor risk assessments focus on pre-contract security questionnaires and compliance certifications but fail to establish ongoing monitoring, contractual enforcement mechanisms, or escalation protocols for incidents of this magnitude. The two-year timeline of the Change Healthcare breach reveals this gap: organizations conducted initial vendor due diligence but lacked mechanisms to enforce remediation, verify security improvements, or hold the vendor accountable for operational impact on downstream customers. This reflects a broader pattern in supply chain governance: risk assessment is front-loaded into procurement, while post-incident accountability is diffused across legal, compliance, and operations teams with unclear authority and contractual leverage. Organizations should use the Change Healthcare case to stress-test their own vendor contracts, incident response protocols, and supply chain visibility mechanisms. Critical questions include: Do your vendor agreements establish notification timelines measured in hours, not days? Do contracts allocate liability for downstream customer losses? Are there contractual mechanisms to enforce root cause analysis and remediation timelines? Do you have visibility into your vendor's security posture on an ongoing basis, or only at contract renewal?

Regulatory Enforcement Will Accelerate Contractual Clarity

As NIS2 and DORA implementation accelerates across the EU and influences global regulatory expectations, critical service providers will face explicit obligations for incident reporting, customer notification, and demonstrable security investment. The Change Healthcare case illustrates what happens when these obligations are absent: litigation becomes the primary mechanism for accountability, and remediation timelines extend years beyond the initial breach. Regulators will increasingly expect organizations to demonstrate that vendor contracts reflect regulatory requirements for notification, liability allocation, and remediation. The absence of such contractual clarity will itself become a governance failure—not just a risk management gap, but a regulatory violation. Healthcare organizations and other regulated entities should begin now to audit vendor agreements against emerging regulatory standards, establish incident response protocols that include vendor escalation and customer notification timelines, and implement ongoing vendor security monitoring mechanisms that go beyond annual questionnaires.

Closing Reflection

The Change Healthcare breach, two years later, remains unresolved not because the technical incident was complex, but because vendor governance frameworks failed to establish clear accountability, contractual enforcement mechanisms, or regulatory oversight. Organizations across healthcare, finance, energy, and critical infrastructure should treat this case as a governance stress test: review your vendor contracts for clarity around breach notification, liability allocation, and remediation obligations; establish ongoing vendor security monitoring mechanisms; and ensure incident response protocols include vendor escalation and customer communication timelines. The regulatory environment is shifting toward explicit requirements for these mechanisms. Organizations that wait for regulatory enforcement to clarify these obligations will face the same protracted litigation and operational disruption that Change Healthcare customers have endured. For the full context and ongoing developments in this case, review the original Modern Healthcare reporting.

Original Source: Modern Healthcare, "Change Healthcare breach: The cyberattack's impact 2 years later," by Hayley DeSilva, February 19, 2026. https://www.modernhealthcare.com/health-tech/cybersecurity/mh-change-healthcare-breach-cyberattack-lawsuit-claims/