Strategic redundancy is the lesson health care still hasn't learned

It has been two years since one of the largest health care cyber breaches in history, and most of the industry response has centered on cybersecurity. That focus makes sense given how the event started, but it does not fully explain why the disruption spread as far and as fast as it did. The bigger issue was how the system is structured.

At the time of the outage, many payers were routing claims, eligibility checks and payments through a single clearinghouse. When that pathway went down, providers did not have another workable way to submit transactions. Even clearinghouses that were fully operational could not step in if the payer required everything to move through one route.

What providers actually experienced

In the weeks that followed, providers tried to reroute claims and keep revenue moving. Many expected there would be another way for claims and payments to continue, but what they found was that those options were limited, untested or not available under payer requirements, often due to exclusive routing agreements they were not aware of. Claims slowed or stopped altogether, payments were delayed, and staff shifted to manual processes to keep operations running.

According to a survey by the American Medical Association, 80% of physicians reported lost revenue from unpaid claims, 55% used personal funds to cover expenses and 31% were unable to make payroll. The disruption threatened the viability of many practices, and some were at risk of closing. Physicians took on loans, used personal savings and continued providing care without guaranteed reimbursement, while in some cases, patients were asked to pay out of pocket or experienced reduced access to services.

A consistent theme across providers of all sizes was that redundancy existed in theory but did not hold up in practice. Before the outage, clearinghouses operated largely in the background, and redundancy was not something most organizations actively planned for. While some had secondary clearinghouse relationships, they were not typically in place to protect against a primary pathway failing. The disruption made it clear that relying on a single clearinghouse, especially within an exclusive arrangement, creates real risk and that having more than one connection needs to be a deliberate decision.

After the disruption, the industry attempted to move quickly to stabilize operations. Traffic was rerouted where possible, but not everyone could reroute. In many cases, payers were not fully back online for months, and in some instances, it took close to a year to fully restore operations. For those providers, there was no workable path to submit claims or receive payments during that time.

As operations stabilized and a sense of normalcy returned, the underlying structure did not change in a meaningful way. In many cases, organizations did not move away from single-path dependency. Instead, they shifted it. Payers that had been exclusive with one clearinghouse moved to another while keeping the same routing approach in place. Instead of using that moment to change strategies, the industry largely rebuilt the same structure and kept the same level of risk in place.

What we are seeing now

Two years later, the same patterns are starting to show up again.

Large clearinghouses continue to pursue exclusive relationships, and some payers are agreeing to route transactions through a single designated partner. For smaller payers, that approach can come down to cost and simplicity. For larger organizations, removing alternative pathways creates a different level of exposure. When there is only one route available, any disruption to that route directly affects providers who rely on it.

Why cybersecurity alone is not enough

Cybersecurity has become a much bigger focus since then and is now top of mind for industry leaders. At the same time, cyberattacks are becoming more frequent. Health sector cyberattacks rose from 476 in 2024 to 575 in 2025, a 21% increase. While the number of patient records breached declined after the 2024 spike, health care information remains vulnerable, and no organization can promise it will never experience a breach or an outage.

If a payer routes exclusively through one clearinghouse and that clearinghouse has an issue, providers are left without another path. The challenge is not only preventing disruption but also making sure providers can continue operating if a disruption happens again.

What strategic redundancy looks like

Strategic redundancy is a practical way to reduce this risk. For medium to large organizations, it means allowing payer connections to more than one clearinghouse, maintaining alternative pathways and making sure those pathways are actually usable when needed. Smaller organizations may not be able to take on that added expense, but in all cases, providers should feel empowered to ask questions about how payers are contracting with clearinghouses.

This is not about adding unnecessary complexity; it is about making sure there is more than one way to keep critical transactions moving and that those pathways are protected. Other industries treat this as a baseline requirement. They assume failures can happen and design systems that continue to operate when they do. Health care has not consistently taken that approach when it comes to transaction routing. And while some clearinghouses promote exclusivity with promises of minimal downtime, it’s clear that neither payers nor providers can rely on guarantees when it comes to disruption.

A structural issue that requires attention

Exclusive relationships can simplify operations and reduce costs in the short term. But as we’ve seen, they also limit flexibility in ways that are easy to miss until something goes wrong. Two years later, the takeaway remains clear. Redundancy only works when it is operational.

Rob Stuart is the founder and president of Claim.MD, a leading electronic data interchange clearinghouse that helps streamline the billing and collection process for providers, payers and software vendors.