When Ripples Become Waves: How a Faraway Breach Hurt Your Clinic

When Change Healthcare got hit in February, therapists across the country couldn’t get paid. Clients couldn’t book appointments. Some clinics cut hours. Others closed. The attackers never targeted your organization directly. They didn’t have to. One unlocked door somewhere else was enough to disrupt care everywhere.

Change Healthcare handles billing and insurance claims for a huge portion of the healthcare system. Even if you’ve never heard of them, your organization probably felt the impact: payment delays, claim backlogs, tech disruptions that lasted weeks. This company processes 15 billion healthcare transactions annually, touching one in every three patient records, according to the American Hospital Association (2024). When their systems went down, the ripple effects reached behavioral health clinics in small towns that had never signed a direct contract with Change Healthcare but depended on them through billing clearinghouses or insurance networks.

This wasn’t just an IT problem. This was a people problem. Cybersecurity is a trust issue between providers and patients, between staff and systems, and between organizations and the people they serve. When clients sit across from you, they’re trusting you with their deepest struggles. That trust extends to how you handle their information.

Why the Government Is Paying Attention

The federal government recently published Cybersecurity Performance Goals for healthcare. They sound technical, but they’re really about doing the basics well: using strong passwords, backing up data, training staff, keeping systems patched and protected. HHS (2024) developed these goals to help healthcare organizations prioritize high-impact practices that directly address the most common attack vectors.

Every person in the organization functions as a firewall. Some are stronger than others. You get to choose which kind you want to be. Most breaches start with human interaction, whether that’s clicking a malicious link, using a weak password, or accidentally sharing credentials. The Change Healthcare breach started when attackers gained access through a remote login portal that lacked multi-factor authentication, as revealed in congressional testimony (2024). Once inside, they moved through systems and stole data belonging to roughly 100 million Americans. Your daily actions can prevent similar scenarios at your organization.

What You Can Do Right Now

You already carry enough. These aren’t additional tasks. They’re small shifts in habits you already have. Security starts with the person in the chair before it ever reaches the server rack.

Be careful with links and attachments, even from known senders. In one devastating case, attackers breached Finland’s largest psychotherapy provider and didn’t just steal data. They directly extorted patients, including minors, with their own therapy notes. Research in PLOS Digital Health (2023) documents how cyberattacks targeting mental health providers can weaken or destroy trust between service users and providers, adding to the stigma around seeking treatment. Email remains the primary entry point for most attacks. Before clicking any link or downloading any attachment, hover over it to see where it actually leads. Here’s a concrete example: an email from your supervisor asking you to click a link to verify payroll information when you just saw them in the hallway. If something feels even slightly off, forward it to your IT team or delete it.

Never share your login credentials with anyone. Use unique credentials for every system. Shared logins create accountability gaps and security vulnerabilities. When everyone uses the same credentials, auditors can’t track who accessed what information or when. If that shared password gets compromised, every person who knows it becomes a potential entry point. Individual accounts with strong, unique passwords create natural barriers that contain breaches before they spread.

Log out of systems when you’re done for the day. An unlocked computer with active sessions gives anyone who walks by immediate access to patient records, clinical notes, and billing information. It takes five seconds to log out and could prevent weeks of breach response.

Report anything weird immediately. Slow computers, strange pop-ups, suspicious emails, unfamiliar login prompts, or unusual system behavior all warrant attention. CISA (2024) emphasizes that healthcare staff need to know what to do in a cyber incident and provides free resources specifically for recognizing and reporting potential security incidents. Your IT team can’t fix what they don’t know about. Early detection makes the difference between a contained incident and a full breach. Security teams would rather investigate a hundred false alarms than miss one real attack in progress.

Ask questions when something feels off. Trust your instincts. You know what normal looks like in your daily work. When something deviates from that pattern, speak up. There’s no such thing as a dumb security question. The person who asks “Is this email legitimate?” might be the one who prevents your organization’s breach.

Why This Matters for Behavioral Health

The data you protect carries special weight. Behavioral health records contain deeply personal information about diagnoses, medications, family dynamics, trauma history, and recovery journeys. This information, if exposed, can affect employment opportunities, insurance coverage, child custody decisions, and social relationships. Your vigilance protects people’s futures, not just their privacy.

The behavioral health sector faces unique challenges. Many providers are small organizations without big IT budgets or dedicated security staff. ONC and SAMHSA (2024) report that behavioral health providers have historically lagged in health IT adoption, with only 67% of psychiatric hospitals having adopted certified EHR systems compared to 86% of general acute care hospitals. But that doesn’t mean we’re helpless. Small consistent actions compound over time. When you verify a sender before clicking a link, you’re participating in organizational defense. When you report a suspicious email, you’re providing early warning that might prevent a breach. When you log out at the end of your shift, you’re closing a door that attackers can’t open.

Most attacks aren’t sophisticated. They rely on human mistakes, not advanced hacking techniques. Attackers send phishing emails because they work. They target organizations with weak passwords because those organizations are easy prey. When you stay alert and follow basic security practices, you eliminate the easy paths attackers depend on. This forces them to spend more time and resources, which often means they move on to softer targets.

You already know what to do. The challenge is making it part of your daily routine without adding stress to an already demanding job.


Xpio Health works with behavioral health teams to turn cybersecurity from an afterthought into a daily habit. We provide practical training, resources, and support designed for frontline staff who are focused on client care, not IT infrastructure. Contact Xpio Health to learn about training options that fit your schedule and your work environment.


References

  1. American Hospital Association. Change Healthcare Cyberattack Underscores Urgent Need to Strengthen Cyber Preparedness for Individual Health Care Organizations and as a Field. AHA. 2024. https://www.aha.org/change-healthcare-cyberattack-underscores-urgent-need-strengthen-cyber-preparedness-individual-health-care-organizations-and
  2. U.S. Department of Health and Human Services. Healthcare and Public Health Sector-Specific Cybersecurity Performance Goals. HHS. 2024. https://hhscyber.hhs.gov/performance-goals.html
  3. U.S. House Energy and Commerce Committee. What We Learned: Change Healthcare Cyber Attack. House Energy and Commerce. 2024. https://energycommerce.house.gov/posts/what-we-learned-change-healthcare-cyber-attack
  4. Cybersecurity and Infrastructure Security Agency. Healthcare and Public Health Cybersecurity. CISA. 2024. https://www.cisa.gov/topics/cybersecurity-best-practices/healthcare
  5. Larsen, M.E., Huckvale, K., Nicholas, J., et al. Cybersecurity: a critical priority for digital mental health. PLOS Digital Health. 2023. https://pmc.ncbi.nlm.nih.gov/articles/PMC10536959/
  6. Office of the National Coordinator for Health Information Technology and Substance Abuse and Mental Health Services Administration. ONC, SAMHSA Launch Initiative for Behavioral Health IT Interoperability. TechTarget. 2024. https://www.techtarget.com/searchhealthit/news/366577971/ONC-SAMHSA-Launch-Initiative-for-Behavioral-Health-IT-Interoperability