Change Healthcare Data Breach - Impact on Pros
Nine-year-old's data stolen letter!

In February 2024, a data breach at Change Healthcare sent shockwaves through the healthcare industry, exposing millions of Americans' sensitive personal and health data, including my 9-year-old son's!

The attackers, a ransomware group, got into the network, claimed to have exfiltrated roughly six terabytes of data, and deployed ransomware. The resulting shutdown of claims, billing, and pharmacy systems disrupted providers nationwide for weeks.

For Tax Professionals, including CPAs and EAs, this breach is more than a headline—it’s a stark reminder that no business handling sensitive client data is safe from cyber threats.

The attackers did not need a software exploit. By UnitedHealth Group's own account to Congress, they logged in to a Citrix remote-access portal with stolen credentials; the portal did not require multi-factor authentication (MFA), so a password alone was enough. From there they moved laterally across the network, took data, and deployed ransomware. The outage in claims and billing systems lasted weeks, and the fallout continues to affect millions.

The incident raises critical questions:

How prepared is your tax firm for such an attack?

What steps are you taking to protect your clients’ data from becoming the next target?


Why Tax Firms Are Increasingly Vulnerable to Cyberattacks

As tax professionals, you handle a treasure trove of sensitive information, from Social Security numbers to bank account details and tax filings. Cybercriminals know this. With the increasing reliance on digital platforms for tax preparation and filing, tax firms have become prime targets for data breaches. In the case of Change Healthcare, the attackers used stolen credentials to get into the network and then deployed ransomware. The same tactics work against a small firm just as well as against a large one if you don't take proactive steps.


What Went Wrong in the Change Healthcare Breach? Critical Lessons for CPAs and Tax Firms

Here are the weaknesses that public reporting on the Change Healthcare breach points to, and how to safeguard your firm against each:

  1. Failure to Implement Multi-Factor Authentication (MFA): Attackers logged in with stolen credentials to a remote-access portal that did not require MFA, an inexpensive yet highly effective control. Enforce MFA on every system that stores, transmits, or gives remote access to sensitive client data, with no exceptions for administrators or service accounts. WISPBuilder can guide you in setting up such protocols as part of your security plan.
  2. Weak Network Segmentation: Once inside, the attackers moved laterally across Change Healthcare's systems. Segmenting the network (keeping remote-access infrastructure, staff workstations, and the servers that hold client data in separate zones, and restricting which zones can talk to each other) would have confined the intruders to one section and limited the damage. WISPBuilder helps you develop security plans that ensure sensitive client data is siloed and protected from unauthorized access.
  3. Outdated Software and Systems: Public accounts of the Change Healthcare breach point to stolen credentials rather than an unpatched flaw as the entry point, but unpatched software remains one of the most common ways attackers get in. Regular software updates and security audits are essential to mitigate these risks. WISPBuilder includes tools to schedule and manage regular software updates, so vulnerabilities are addressed before they are exploited.
  4. Lack of a Comprehensive Incident Response Plan: The breach showed how costly a slow or incomplete response is. Months after the attack, healthcare providers were still dealing with backlogs of unpaid claims and disrupted operations. A WISP, as facilitated by WISPBuilder, outlines your firm's response procedures to minimize downtime and loss in the event of a breach.
  5. Inadequate Vendor Oversight: Change Healthcare was itself a critical vendor to thousands of providers and pharmacies, and its outage became theirs overnight. That dependency underscores the importance of vendor management: know which third parties hold or can reach your client data, vet their security, and plan for what you will do if one of them goes down. WISPBuilder offers tools to assess vendor security and ensures that your business partners meet strict data protection standards.
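Items 1 and 2 above describe conditions a firm can check for itself. The script below is an added example, not code from the original article or from WISPBuilder; it runs two audits and one detection over a constructed user inventory and sign-in log: remote-access accounts with no MFA enrolled (the password-only condition reported for the Change Healthcare portal), portal logins that completed without a second factor, and a single account authenticating to many internal hosts in a short window, which is what lateral movement looks like in logs. The record fields (user, remote_access, mfa_enrolled, event, host, src) are assumptions about an export format, not any vendor's schema.

```python
"""Added example: MFA coverage audit and simple lateral-movement detection.

All records below are constructed for illustration. The field names are an
assumed export format, not the schema of any particular identity provider.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed user inventory: who can reach the remote-access portal and
# whether they have an MFA factor enrolled.
USERS = [
    {"user": "alice",      "remote_access": True,  "mfa_enrolled": True},
    {"user": "bob",        "remote_access": True,  "mfa_enrolled": False},  # finding
    {"user": "carol",      "remote_access": False, "mfa_enrolled": False},  # no remote path
    {"user": "svc-backup", "remote_access": True,  "mfa_enrolled": False},  # finding
]

# Constructed sign-in log. "portal_login" is a login to the remote-access
# gateway; "host_auth" is a later authentication to an internal machine.
LOG = [
    {"ts": "2024-02-12T02:01:00", "user": "bob",   "event": "portal_login", "mfa": False, "src": "203.0.113.7"},
    {"ts": "2024-02-12T02:03:10", "user": "bob",   "event": "host_auth",    "host": "FS01"},
    {"ts": "2024-02-12T02:05:40", "user": "bob",   "event": "host_auth",    "host": "DC01"},
    {"ts": "2024-02-12T02:09:05", "user": "bob",   "event": "host_auth",    "host": "TAX-WS07"},
    {"ts": "2024-02-12T02:12:30", "user": "bob",   "event": "host_auth",    "host": "BACKUP01"},
    {"ts": "2024-02-12T09:00:00", "user": "alice", "event": "portal_login", "mfa": True,  "src": "198.51.100.4"},
    {"ts": "2024-02-12T09:05:00", "user": "alice", "event": "host_auth",    "host": "FS01"},
    {"ts": "2024-02-12T10:00:00", "user": "carol", "event": "host_auth",    "host": "FS01"},
    {"ts": "2024-02-12T10:30:00", "user": "carol", "event": "host_auth",    "host": "TAX-WS02"},
]


def accounts_missing_mfa(users):
    """Remote-access-capable accounts with no MFA factor enrolled.

    These are exactly the accounts a stolen password alone would unlock.
    Accounts without remote access are reported separately in practice.
    """
    return sorted(u["user"] for u in users if u["remote_access"] and not u["mfa_enrolled"])


def portal_logins_without_mfa(log):
    """Successful portal logins where no second factor was presented."""
    return [(e["ts"], e["user"], e["src"])
            for e in log if e["event"] == "portal_login" and not e["mfa"]]


def lateral_movement(log, window=timedelta(minutes=30), threshold=3):
    """Users who authenticate to at least `threshold` distinct internal hosts
    within any `window`-long period. Returns {user: sorted hosts}.

    The threshold is a tuning assumption; a small firm's admins may touch a
    few servers per hour, so calibrate against normal activity before alerting.
    """
    by_user = defaultdict(list)
    for e in log:
        if e["event"] == "host_auth":
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= threshold:
                flagged[user] = sorted(hosts)
                break
    return flagged


def run_checks(users=USERS, log=LOG):
    """Bundle the three checks so they can be run (or scheduled) as one job."""
    return {
        "accounts_missing_mfa": accounts_missing_mfa(users),
        "portal_logins_without_mfa": portal_logins_without_mfa(log),
        "lateral_movement": lateral_movement(log),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

Running the script on the constructed data flags `bob` and `svc-backup` as password-only remote accounts, flags bob's 02:01 portal login as completed without MFA, and flags bob for reaching four distinct hosts within eleven minutes; alice (MFA, one host) and carol (two hosts, no remote access) are not reported. Replace the two inline lists with exports from your own identity provider and gateway logs to run the same checks for real.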

Steps Your Tax Firm Should Take Now

With tax season approaching, your firm cannot afford to be complacent. The IRS and other regulatory bodies increasingly scrutinize how tax preparers handle sensitive information. The Change Healthcare breach is a reminder that even large organizations can falter when they fail to prioritize cybersecurity. Here’s how WISPBuilder.com can help you avoid such vulnerabilities:

  1. Develop a Comprehensive Written Information Security Plan (WISP): WISPBuilder guides you through creating a tailored security plan that includes access controls, encryption, MFA, and monitoring systems. It’s designed to ensure your firm complies with FTC and IRS guidelines, including the Safeguards Rule and IRS Publication 4557.
  2. Strengthen Access Controls: Enforce strict access controls and implement MFA across all systems to prevent unauthorized access to sensitive client data. WISPBuilder provides the framework for managing user roles and permissions.
  3. Regular Audits and Penetration Testing: Routine security audits and penetration testing help you identify and address weaknesses before an attacker finds them. WISPBuilder helps you schedule and track these assessments and the remediation that follows.
  4. Employee Training and Awareness: As with Change Healthcare, the human element remains a weak link. Regular cybersecurity training ensures your staff can spot phishing attacks and avoid inadvertently opening the door to cybercriminals. WISPBuilder offers resources for staff training to raise awareness about the importance of cybersecurity.


Official Reseller of Wisp Builder LLC

WISPBuilder – Securing Your Firm and Building Client Trust

At Tangible Values, we understand the stakes are high for tax professionals. We offer WISPBuilder.com, the leading system for creating and managing Written Information Security Plans (WISPs). These plans are not just a regulatory requirement; they are your first line of defense against cyber threats like the one that crippled Change Healthcare.

At Tangible Values, we help tax firms secure their most valuable asset—client trust. With WISPBuilder.com, your firm can build a proactive defense against data breaches, ensuring that sensitive client data is protected and regulatory requirements are met.

The Change Healthcare breach, with a cleanup cost that UnitedHealth Group has put in the billions of dollars and weeks of nationwide disruption, offers a painful lesson in what happens when basic security practices are neglected. Don't wait for a breach to occur. Act now by leveraging WISPBuilder to protect your firm, clients, and reputation.

If you want more information on how Tangible Values can help your firm, visit WISPBuilder.com.

The Bottom Line: You don’t want to find yourself in the same position as Change Healthcare—dealing with the aftermath of a massive data breach. Secure your firm today with WISPBuilder and sleep better knowing your clients’ sensitive data is safe.


#IRS #Cybersecurity #CPA #EA #TaxPros #WISP