Corporate consolidation is increasing, particularly in data-heavy sectors like healthcare, where merging companies aim to improve efficiency, offer more integrated services, and expand market power. However, as recent cyber-attacks have shown, consolidation centralizes risk, creating single points of failure that make businesses more vulnerable to attacks. One notable case is the 2024 cyber-attack on US healthcare technology company Change Healthcare, following its merger with UnitedHealth Group’s Optum, which left the healthcare industry in chaos.

This article explores how consolidations like the Change Healthcare and Optum merger create vulnerabilities and how centralizing data and services can make large corporations prime targets for cybercriminals. We’ll also explore why businesses need to broaden their cyber security training and awareness to prepare for risks that go beyond their own organization.

Case Study: The Change Healthcare and Optum merger

In early 2022, Change Healthcare and Optum completed a $7.8 billion merger, which brought together enormous amounts of healthcare data and operational services. Change Healthcare played a critical role in processing healthcare claims, managing over 15 billion transactions annually. This merger was expected to streamline healthcare solutions and enhance data accessibility for providers and insurers.

However, in February 2024, the merged entity fell victim to a significant cyber-attack by the ransomware group BlackCat/AlphV. The attackers exploited a Citrix portal that lacked multifactor authentication (MFA), allowing them to steal six terabytes of sensitive data. This breach affected healthcare providers, insurers, and patients. Recovery expenses for the response are now predicted to total between $2.3 billion and $2.45 billion, and a $22 million ransom was paid in Bitcoin.

The fallout from this attack was immense. Hospitals and pharmacies were unable to process claims, leading to widespread financial strain. Rural practices, in particular, were hit hard, with some left on the brink of bankruptcy. The attack exposed the vulnerability created by consolidating critical healthcare infrastructure into a single, centralized system and the limitations of focusing cyber security preparedness only on internal threats.

Why consolidation increases cybersecurity risks

Increased attack surface

Mergers combine systems and data streams, expanding the overall attack surface for cybercriminals to exploit. For sectors like healthcare, this means unifying extensive amounts of sensitive data—personal health records, financial information, and operational details—into a single target. A breach in a consolidated system offers attackers access to vast quantities of data in one fell swoop.

Resource stretching

Mergers often demand rapid scaling, and cybersecurity can fall by the wayside in the rush to integrate operations. During these transitional phases, companies are particularly vulnerable, with the focus primarily on business operations rather than on ensuring robust cybersecurity across newly merged assets or the security and interconnectedness of third-party vendors.

Single points of failure

Centralizing services creates dependencies on a single infrastructure, which becomes a significant vulnerability. If breached, the effects can ripple across an entire organization. In the Change Healthcare attack, this centralization disrupted claims processing, with the attack halting operations across many healthcare facilities. The lack of basic security controls, such as multifactor authentication, worsened the breach by enabling lateral movement within the system.

The shift: expanding training and preparedness to cover third-party risks

Consolidation introduces risks by increasing vulnerabilities, entry points into interconnected data systems, and single points of failure. The Change Healthcare breach also highlights a critical gap in cybersecurity readiness: most crisis exercises focus solely on what happens if a company is attacked directly, not on what happens if its vendors or third-party providers are compromised. This narrow focus leaves organizations unprepared for the real-world complexities of third-party attacks.

Strengthening readiness through comprehensive training

Expanding cyber crisis exercises to include third-party and vendor attacks can help businesses better prepare for these risks. These scenarios can reveal hidden vulnerabilities in the supply chain, allowing companies to test and refine their response strategies in a safe environment.

By including vendor-related risks in crisis management exercises, companies can improve coordination with their partners, ensuring smoother communication and response protocols during an actual event. This shift in focus, from internal-only defenses to a broader, interconnected strategy, can make a significant difference in mitigating damage from future cyber-attacks.

Conclusion: consolidation comes with hidden cybersecurity costs

The Change Healthcare cyber-attack underscores the hidden costs of consolidation and the urgent need for more comprehensive cybersecurity preparedness. Larger, consolidated organizations with centralized systems are attractive targets for cybercriminals, and the wider impact of breaches can be devastating. However, these risks can be mitigated by expanding crisis training and preparedness beyond internal threats to build greater resilience.