Nobody in healthcare policy talks about revenue cycle management. It doesn’t appear in speeches about the future of medicine. It doesn’t generate op-eds. And yet, in February 2024, when attackers breached Change Healthcare, the subsidiary of UnitedHealth Group that processes 15 billion transactions annually and touches one in every three patient records, the fallout didn’t look like a billing problem. It looked like a system failure. Hospitals couldn’t get paid. Pharmacies couldn’t confirm coverage. Small practices started making decisions about whether to make payroll or keep the lights on.
A March 2024 American Hospital Association survey of nearly 1,000 hospitals found that 94% reported a financial impact, 74% reported direct patient care impact including delays in medically necessary authorizations, and 33% said the attack disrupted more than half of their revenue. Kodiak Solutions, which tracks claims data for over 1,850 hospitals and 250,000 physicians, found that the cash value of claims submitted through its database fell 63% in the first weeks after the attack, with delayed cash flow exceeding $2.5 billion within a single week. Sixty percent of hospitals required between two weeks and three months to resume normal operations after Change Healthcare’s systems were eventually restored.
How We Got Here
For most of the last century, healthcare administration was treated as a necessary but unglamorous function, the part of the hospital that didn’t save lives but kept the organization solvent. Billing staff processed claims. Coders translated physician notes into reimbursable codes. Denials got appealed. It was labor-intensive, paper-heavy, and largely localized to the institutions it served.
That model is gone, and it disappeared faster than the governance frameworks meant to manage its replacement could keep up. The shift toward value-based care, real-time payer-provider data exchange, and cloud-hosted revenue cycle platforms has turned healthcare administration into a distributed digital network, one that spans vendors, clearinghouses, government reporting systems, and an ever-expanding constellation of third-party integrations. A typical hospital now manages relationships with over 1,300 vendors, according to the 2025 Healthcare Cybersecurity Benchmarking Study. Every one of those connections is a dependency, and every dependency is a path by which someone else’s failure becomes yours. In 2024, the entire sector found out what happens when one of the largest dependencies breaks at scale.
What’s striking about the Change Healthcare incident isn’t that it happened; it’s that it surprised people. The concentration risk was visible. A single vendor processing that proportion of U.S. healthcare transactions was a known architectural fragility, and HHS’s Office for Civil Rights later confirmed that the breach exposed the data of approximately 192.7 million individuals. Senate Finance Committee testimony established that attackers gained access on February 12, 2024 through compromised credentials on a Citrix remote access portal that lacked multi-factor authentication: a single valid username and password was enough to get in. The weakness was not exotic. It was elementary. But because the function sat in the administrative layer, it didn’t attract the scrutiny that clinical systems do.
The AI Problem Nobody Is Naming Correctly
The conversation about AI in healthcare administration has been dominated by efficiency arguments, and they’re not wrong. Denial prediction models, AI-assisted coding validation, and automated eligibility verification have measurable value. They’re increasingly necessary: according to an analysis published in Medical Economics, 41% of healthcare providers now report that more than one in ten of their claims is denied, up from 30% just three years ago. HFMA analysis puts the initial denial rate at nearly 12% in 2024, and estimates that up to 65% of denied claims are never reworked, meaning a significant share of lost revenue is simply written off. The administrative problem AI is being asked to solve is real and worsening.
Industry practitioners who have navigated this tension point to hybrid models as the practical middle ground. “The organizations getting this right aren’t replacing coders with AI, they’re restructuring what coders do,” said Yogesh Kumar V, Director – Operations at OutsourceRCM, in a recent interview. “AI handles the volume. Humans handle the judgment. The mistake is assuming those are the same job.” That framing, AI as an accelerant for human expertise rather than a substitute for it, reflects a more mature operational philosophy than the pure automation narrative that dominates vendor pitches.
When a human coder makes a mistake, it affects one claim. When an AI model develops a systematic error (because payer rules changed, because documentation practices shifted in ways the training data didn’t capture, or because the model was misconfigured during an update), it can affect tens of thousands of claims before anyone notices. The efficiency gains that make AI valuable are the same properties that make its failure modes dangerous. High-volume, low-oversight automation doesn’t just move fast. It moves fast in the wrong direction when something goes wrong, and it keeps going until something outside the model stops it.
This isn’t an argument against AI adoption. It’s an argument that the oversight frameworks need to scale alongside the automation: the same volume that justifies the model has to be watched at the batch level, not claim by claim, or the drift described above goes undetected until denials come back weeks later. HFMA has called for model validation protocols and audit trails to be built into AI procurement requirements, not left to vendor discretion after deployment. That gap, between AI capability and AI governance, is where the next category of administrative risk is forming.
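To make the “oversight that scales with the automation” point concrete, here is an added illustration, not code from the article, from HFMA, or from any vendor. It is a batch-level drift guard sitting between an automated coding model and claim submission: each batch is compared against a code distribution measured on a human-validated reference window, held for review if the distribution drifts too far or the model’s confidence collapses, and every decision is written to a hash-chained audit log so a record cannot be quietly edited after the fact. The office-visit codes, thresholds, batch contents and model version are all constructed for the example and are assumptions, not figures from the page.

```python
"""Batch-level drift guard for an automated claim-coding pipeline (constructed example)."""
from __future__ import annotations

import hashlib
import json
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CodedClaim:
    claim_id: str
    code: str          # primary procedure code the model assigned
    confidence: float  # model's self-reported confidence in [0, 1]


def code_distribution(claims: list[CodedClaim]) -> dict[str, float]:
    """Relative frequency of each code in a batch."""
    counts = Counter(c.code for c in claims)
    total = sum(counts.values())
    return {code: n / total for code, n in counts.items()}


def total_variation(p: dict[str, float], q: dict[str, float]) -> float:
    """Total variation distance between two discrete distributions (0 = identical, 1 = disjoint)."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)


def _hash_record(record: dict) -> str:
    """Hash of every field except the hash itself; field order is canonicalised."""
    body = {k: v for k, v in record.items() if k != "record_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class DriftGuard:
    baseline: dict[str, float]          # code distribution from a human-validated window
    max_tvd: float = 0.15               # hold the batch if drift exceeds this (assumed threshold)
    min_mean_confidence: float = 0.80   # hold the batch if model confidence collapses (assumed)
    audit_log: list[dict] = field(default_factory=list)

    def evaluate(self, batch: list[CodedClaim], model_version: str) -> dict:
        """Decide RELEASE or HOLD for one batch and append a chained audit record."""
        dist = code_distribution(batch)
        tvd = total_variation(self.baseline, dist)
        mean_conf = sum(c.confidence for c in batch) / len(batch)
        reasons = []
        if tvd > self.max_tvd:
            reasons.append(f"code distribution drifted from baseline (tvd={tvd:.3f})")
        if mean_conf < self.min_mean_confidence:
            reasons.append(f"mean confidence {mean_conf:.3f} below floor")
        record = {
            "model_version": model_version,
            "batch_size": len(batch),
            # digest of what was actually coded, so the log can be tied back to the claims
            "batch_digest": hashlib.sha256(
                "\n".join(f"{c.claim_id}:{c.code}" for c in batch).encode()).hexdigest(),
            "tvd": round(tvd, 6),
            "mean_confidence": round(mean_conf, 6),
            "decision": "HOLD" if reasons else "RELEASE",
            "reasons": reasons,
            "prev_hash": self.audit_log[-1]["record_hash"] if self.audit_log else "0" * 64,
        }
        record["record_hash"] = _hash_record(record)
        self.audit_log.append(record)
        return record


def verify_chain(log: list[dict]) -> bool:
    """Recompute every record hash and link; an edited or deleted record breaks the chain."""
    prev = "0" * 64
    for rec in log:
        if rec["prev_hash"] != prev or _hash_record(rec) != rec["record_hash"]:
            return False
        prev = rec["record_hash"]
    return True


def make_batch(prefix: str, counts: dict[str, int], confidence: float) -> list[CodedClaim]:
    """Constructed sample batch: `counts` claims per code, all at one confidence level."""
    batch, i = [], 0
    for code, n in counts.items():
        for _ in range(n):
            batch.append(CodedClaim(f"{prefix}-{i:04d}", code, confidence))
            i += 1
    return batch


# Illustrative baseline over three office-visit codes, as if measured on a validated window.
BASELINE = {"99213": 0.50, "99214": 0.30, "99215": 0.20}


def run_demo() -> list[str]:
    """Three constructed batches: one healthy, one silently upcoding, one low-confidence."""
    guard = DriftGuard(baseline=BASELINE)
    batches = [
        make_batch("normal", {"99213": 50, "99214": 30, "99215": 20}, 0.92),  # matches baseline
        make_batch("upcode", {"99213": 10, "99214": 10, "99215": 80}, 0.91),  # systematic shift after an update
        make_batch("unsure", {"99213": 50, "99214": 30, "99215": 20}, 0.55),  # same mix, model lost confidence
    ]
    decisions = [guard.evaluate(b, model_version="coder-v2")["decision"] for b in batches]
    assert verify_chain(guard.audit_log)
    return decisions


if __name__ == "__main__":
    print(run_demo())  # ['RELEASE', 'HOLD', 'HOLD']
```

The second batch is the failure mode the text describes: the model still reports high confidence, so a per-claim confidence check would wave every one of those 100 claims through, but the batch as a whole looks nothing like the validated baseline and is held before submission. The hash chain addresses the audit-trail half of the recommendation: anyone who later changes a HOLD to a RELEASE in the log invalidates every record after it.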
The Vendor Risk Problem Is Now Quantified
The Change Healthcare breach was the most visible example of a structural pattern. According to the 2025 Healthcare Cybersecurity Benchmarking Study, 72% of healthcare data breaches are now linked to third-party vendors. SecurityScorecard’s 2025 Global Third Party Breach Report found that 41% of all third-party breaches across industries impacted healthcare, the highest share of any sector. A peer-reviewed analysis published in Health and Technology (Springer Nature, December 2025), which examined 831 ransomware incidents reported to HHS-OCR between 2016 and 2024, found that 33.8% involved a business associate, and that when those incidents were very large, defined as affecting 100,000 or more individuals, business associate involvement significantly predicted greater breach scale.
Healthcare has led all industries in breach cost for 14 consecutive years. The 2024 average reached $7.42 million per incident according to HIPAA Journal, with total industry losses from ransomware downtime alone exceeding $21.9 billion in 2024. Breaches also take longer to detect and contain in healthcare than in any other sector, an average of 279 days, compared to 168 days in financial services.
The governance implication is direct: business associate agreements that specify compliance requirements on paper, but are never independently verified in practice, are not risk management. They’re documentation. The AHA has noted that 85% of the largest healthcare data breaches originate from attacks on third-party vendors or non-hospital healthcare organizations. A signed BAA does not audit a vendor’s actual security posture, and most healthcare organizations have never done the latter.
The Regulatory Gap Is an Implementation Gap
HIPAA’s Security Rule has existed since 2003. The HITECH Act strengthened it in 2009. The regulatory framework for healthcare data governance in the U.S., whatever its limitations, is not new. And yet the gap between what the regulations require and what organizations actually implement remains substantial.
The Change Healthcare breach is instructive here. Absent multi-factor authentication on an internet-facing remote access portal is not a sophisticated governance failure. It is a basic one, of the kind HIPAA’s technical safeguards on access control and person or entity authentication exist to address, even though the Security Rule as written never named multi-factor authentication explicitly. The breach didn’t happen because the rules were inadequate. It happened because a dependency had grown larger than the governance mechanisms watching it.
HHS has since proposed updates to the HIPAA Security Rule that would make multi-factor authentication and encryption mandatory requirements for all electronic protected health information. OCR penalty enforcement increased 340% between 2024 and 2025, with Tier 3 and 4 violations now accounting for 67% of all financial penalties. The regulatory environment is tightening, but enforcement follows breaches rather than preventing them.
Internationally, the picture is more uneven. GDPR creates meaningful accountability pressure in the EU context. Australia’s Privacy Act amendments have tightened requirements in the Asia-Pacific region. But healthcare administrative work is increasingly performed in markets chosen for labor cost arbitrage; offshore operations accounted for nearly 60% of healthcare BPO revenue in 2024, according to Mordor Intelligence. In many of those markets the regulatory frameworks are far thinner than the risk profile warrants. That mismatch is not theoretical. It is where the next major incident is likely to originate.
What Actually Needs to Change
The honest version of the policy prescription is less tidy than most analyses acknowledge.
Some of it is structural. The healthcare sector needs to start treating its administrative infrastructure with the same seriousness it applies to clinical systems. That means real vendor audits, with third-party verified security certifications rather than self-reported compliance as a condition of partnership. HFMA and HITRUST have both developed frameworks for exactly this kind of independent validation; the barrier is not the absence of standards but the absence of procurement requirements that enforce them. It also means business continuity planning that explicitly accounts for clearinghouse failures and payment processor outages. The AHA now recommends that healthcare organizations maintain downtime procedures capable of sustaining operations without core technology systems for at least four weeks, a benchmark that most organizations have not tested.
Some of it is cultural, and that’s harder. Healthcare organizations have historically been much better at managing clinical risk than operational risk. Clinical failures are visible, immediate, and carry legal exposure that focuses institutional attention. A revenue cycle failure tends to show up as cash flow stress weeks later, and the causal chain is opaque enough that accountability diffuses. The at-risk dollar figure in revenue cycle operations reached $11.2 million per organization in 2024, a fivefold increase, which suggests the financial stakes are now large enough to demand the same institutional attention as clinical risk.
The Change Healthcare incident was a stress test that most of the industry failed to prepare for, despite the risk being visible in advance. It won’t be the last one. The question is whether the sector’s response produces durable change in how administrative dependencies are governed, or whether it produces a round of policy statements, a procurement cycle for cybersecurity tools, and a return to the status quo the next time the urgency fades.
Based on how the sector has historically responded to operational near-misses, there is reason for skepticism. But 192.7 million affected individuals and $21.9 billion in ransomware losses in a single year may have finally made the risk legible enough to sustain attention.
That’s not optimism. It’s a conditional.