Washington Turned Healthcare Into A Data Breach Machine

The title is not hyperbole. Federal policy choices have produced a health information ecosystem where one compromised vendor can stall national claims flows and expose the data of a population the size of multiple states. A single incident at UnitedHealth Group subsidiary Change Healthcare has now been tied to roughly 192.7 million affected individuals, according to figures posted by the Office for Civil Rights at the Department of Health and Human Services. This is the clearest demonstration of a system engineered for convenience and scale rather than resilience and verifiable controls. (HHS.gov, Reuters)
The Baseline Was Permissive By Design
The core federal safeguard for electronic protected health information, the HIPAA Security Rule, had not been materially updated since 2013. Only in January 2025 did HHS publish a Notice of Proposed Rulemaking to modernize requirements such as multi-factor authentication, encryption, vendor notification, and tested contingency planning. Proposed rules are not protections. Years of reliance on flexible, risk-based language left regulated entities and their business associates with wide discretion to defer basic hardening while adversaries industrialized ransomware and data-extortion models. (Federal Register, Reuters)
HHS attempted to close the gap with voluntary Healthcare and Public Health Cybersecurity Performance Goals. The goals point in the right direction and mirror the Cybersecurity and Infrastructure Security Agency cross-sector framework, yet “voluntary” does not move budgets in a sector strained by staffing shortages, negative operating margins, and legacy tech debt. Voluntary guidance without deadlines is an invitation to postpone controls until after a breach. (hhscyber.hhs.gov, CISA)
Oversight Fragmentation Helped Vulnerabilities Persist
As the sector risk management agency for healthcare, HHS holds the coordinating role for cyber resilience. The Government Accountability Office has repeatedly flagged leadership and implementation gaps, including challenges executing responsibilities and dozens of open priority recommendations. Fragmented accountability across operating divisions has meant slow progress turning lessons into enforceable baselines, leaving hospitals and vendors to interpret expectations unevenly. GAO’s 2024 and 2025 reviews underscore how policy lag maps directly to real-world exposure. (GAO)
One Vendor Became A National Single Point Of Failure
The Change Healthcare attack demonstrated what happens when payment plumbing centralizes in a few clearinghouses and switching services. Disruption rippled from scheduling to prescription fulfillment to revenue cycle, while data exposure mounted each month as forensics unfolded. With 192.7 million individuals now estimated as affected, the event is the largest healthcare data compromise on record and a case study in what policy allowed to form: concentration with limited segmentation, weak vendor-risk visibility, and unclear accountability for downstream harms. (Reuters, HHS.gov)
The Scale Of Losses Was Predictable
Independent tallies show that 2024 already set unprecedented records for individuals affected by healthcare data breaches, even before the updated Change Healthcare totals. Breaches of 500 or more records are now a near-daily occurrence, and the number of people swept up in exposures has accelerated faster than the count of incidents. In this context, a catastrophic clearinghouse breach was not a black swan. It was the logical consequence of permissive baselines, slow rulemaking, and tolerance for concentrated intermediaries. (The HIPAA Journal)
Washington’s Current Fix Is Not Enough
HHS’s proposed Security Rule would harden critical controls. It is overdue and necessary. Yet relying on a single rulemaking to repair a fragile market design will not prevent the next mass breach. GAO’s open recommendations highlight the broader work still pending, from clarifying roles and responsibilities to tightening sector-wide coordination. Meanwhile, hospitals warn that unfunded mandates will strain budgets, which risks uneven adoption if requirements land without targeted support for smaller facilities. A credible plan must combine mandates with financing mechanisms and procurement levers that reward measurable security outcomes rather than paper compliance. (Reuters, GAO, Axios)
How Federal Policy Turned Risk Into Routine
Three decisions created today’s breach machine. First, federal regulators treated minimum controls as negotiable for more than a decade, which normalized weak identity management, flat networks, and inconsistent backup testing. Second, oversight tolerated a clearinghouse and billing ecosystem where operational convenience outweighed segmentation and failover. Third, Washington leaned on voluntary guidance and post-incident investigations rather than proactive, measurable benchmarks tied to payment policy. The result is a system where attackers only need to breach one vendor to harvest tens of millions of records and interrupt care-adjacent services nationwide. Each of these conditions is reversible through policy.
What A Serious Federal Response Would Do
First, mandate the HPH Cybersecurity Performance Goals as a phased baseline for all covered entities and business associates. Set early effective dates for controls that foreclose common ransomware paths, including multi-factor authentication, privileged-access management, tested offline backups, and network segmentation. Couple mandates with technical assistance and grant funding for rural and community providers to prevent a two-tier security market. Then align compliance with verification by hardwiring measurable control checks into Medicare participation and large federal contracting. Voluntary goals should become auditable requirements. (hhscyber.hhs.gov)
Second, treat clearinghouses and other high-leverage intermediaries as critical nodes with explicit resilience obligations. Require tested contingency plans, cross-vendor failover, and rapid notification timelines that are enforceable, not aspirational. The HIPAA NPRM sketches timelines for vendor communications and incident response. That approach can be extended through payment policy so that claims don’t hinge on a single operator’s uptime. The objective is to eliminate single points of failure and keep pharmacies, practices, and hospitals functioning even when one node is compromised. (Federal Register, Reuters)
Third, fix federal coordination. HHS should close GAO’s priority recommendations on schedule and publish an annual, public scorecard that shows sector progress against concrete performance goals. The scorecard should include breach-impact metrics, time to containment, control adoption rates, and dependency maps for large intermediaries. Making dependency risk visible will change board-level incentives and force rationalization of brittle vendor chains that magnify blast radius. (GAO)
Anticipating The Common Objections
Some argue that prescriptive security rules will overburden smaller providers. That concern is valid, which is why financing must be paired with mandates. Others contend that cyber risk is an unavoidable cost of digitization. The evidence says otherwise. The proposed Security Rule and the CISA-aligned goals reflect widely adopted practices that reduce successful attacks in other critical sectors. Healthcare has not failed because the controls are unknowable. It has failed because policy made the right controls optional while market structure rewarded scale efficiencies over resilience. (Reuters, CISA)
The Point
Washington did not set out to build a data breach machine. It happened through regulatory deferral, tolerance for concentration, and a belief that voluntary guidance would be enough. The path forward is clear. Finalize a modern Security Rule on an accelerated timeline. Convert the HPH goals into enforceable baselines backed by funding. Treat clearinghouses and other intermediaries as critical infrastructure with explicit resilience obligations. Close GAO’s priority recommendations and publish a scorecard that makes progress transparent. Until these steps are taken, the next mass breach is not a possibility. It is the system working as designed. (Federal Register, hhscyber.hhs.gov, GAO)