TL;DR: Change Healthcare was breached through a Citrix portal that lacked MFA, then suffered lateral movement, data theft, and ransomware disruption that cost UnitedHealth Group hundreds of millions of dollars, according to Unosecur and UnitedHealth disclosures. The failure shows that authentication controls alone do not stop identity-based intrusion when monitoring and containment are weak.
At a glance
What this is: This is an analysis of the Change Healthcare cyberattack, showing how compromised credentials, missing MFA, and weak detection enabled ransomware and exfiltration.
Why it matters: It matters because IAM, PAM, NHI, and security operations teams all need to see how one exposed access path can cascade into enterprise-wide identity and recovery failures.
By the numbers:
- UnitedHealth disclosed $872 million in cyberattack-related costs for Q1 2024.
- Change Healthcare handles more than 15 billion medical transactions every year.
- The cyberattack affected 131 million patients and nearly 67,000 pharmacies.
👉 Read Unosecur's analysis of the Change Healthcare breach and MFA gaps
Context
The central issue in this breach is straightforward: a remote access portal accepted stolen credentials without MFA, then the attacker used that entry point to move deeper into the environment. In identity terms, this is not just an authentication failure, it is a governance failure over privileged access paths, session trust, and monitoring.
For IAM and security teams, the Change Healthcare incident is a reminder that remote access is only as safe as the controls around the identity, the session, and the downstream actions that follow. MFA reduces the odds of simple credential abuse, but it does not by itself contain lateral movement or stop encryption and exfiltration once an attacker is inside.
Key questions
Q: What breaks when a remote access portal does not require MFA?
A: Password-only remote access turns stolen credentials into immediate session access, which means the attacker can enter through a normal user path and blend into routine activity. In a high-value environment, that single failure can become lateral movement, data theft, and ransomware if detection and containment are not already tuned to identity behaviour.
Q: Why do compromised credentials create such a large breach risk in healthcare systems?
A: Healthcare platforms sit inside tightly linked operational chains, so one identity compromise can affect transactions, payment processing, pharmacy workflows, and patient services at once. The risk is not only data exposure. It is also business interruption, recovery cost, and a much larger blast radius than the original login event suggested.
Q: How can security teams know whether MFA is actually reducing risk?
A: MFA is working only if it blocks password replay on every high-value access path and is paired with alerts that detect abnormal sessions after login. If attackers can still move laterally or trigger exfiltration soon after authentication, the control is helping at entry but failing at containment.
Q: Who is accountable when a compromised identity leads to ransomware and exfiltration?
A: Accountability usually spans IAM, security operations, infrastructure, and business owners of the affected service. The practical test is whether each team owns a specific step in prevention, detection, or containment. If nobody owns the remote access path, the recovery path, and the response decision, the breach will outpace governance.
Technical breakdown
Initial access through a Citrix portal without MFA
The breach began when attackers used compromised credentials against a Citrix remote access portal that did not require multi-factor authentication. MFA is designed to reduce the value of stolen passwords, but when it is absent, credential replay becomes enough to open a trusted session. In practice, this is a classic identity entry failure: the system treated possession of a password as sufficient proof of legitimacy. Once that happens, the attacker inherits the same access path a legitimate user would use, which makes the session hard to distinguish from normal activity.
Practical implication: enforce MFA on all remote access paths and remove any portal that still trusts password-only authentication.
Lateral movement after identity compromise
After initial access, the attacker reportedly moved laterally for roughly nine days before the final ransomware phase, by UnitedHealth's own account. Lateral movement is what happens when one compromised identity or session is used to discover adjacent systems, elevate reach, and pivot into higher-value assets. This stage often succeeds because internal access is too broad, segmentation is weak, and abnormal identity behaviour is not being correlated in real time. In healthcare environments, that combination is especially dangerous because operational continuity pressures can delay containment until the attacker has already expanded access.
Practical implication: pair identity telemetry with network segmentation and alerting that can spot abnormal movement patterns early.
Exfiltration and ransomware impact in a high-dependency environment
The final phase combined data theft with encryption, which is a common double-extortion pattern. In a high-dependency healthcare clearinghouse, the impact is not limited to file loss. It affects payment workflows, provider operations, pharmacy transactions, and patient services at scale. That makes identity compromise an enterprise availability issue, not just a confidentiality issue. When attackers can both exfiltrate and disrupt a core transaction layer, the recovery burden includes legal exposure, business interruption, and prolonged restoration work across multiple linked systems.
Practical implication: treat identity compromise of transaction platforms as a business resilience issue and rehearse containment before encryption or exfiltration completes.
Threat narrative
Attacker objective: The attacker aimed to steal sensitive healthcare data and extort the organisation by disabling critical transaction systems.
- Entry occurred through a Citrix remote access portal that accepted compromised credentials without MFA, giving the attacker a trusted starting session.
- Escalation followed as the attacker used that foothold for lateral movement across the environment over several days, expanding access before containment.
- Impact came through data exfiltration and ransomware encryption that disrupted healthcare transactions and forced costly recovery efforts.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Missing MFA on a remote access portal is not the whole failure. The deeper failure is that the organisation treated password possession as a sufficient trust signal for a high-value identity path. That assumption is tolerable only when credential theft is rare and contained, which is no longer true. The implication for practitioners is that remote access trust must be designed around stolen-credential inevitability, not password strength alone.
Change Healthcare exposes the identity blast radius problem. One compromised login path reached a transaction platform that sits inside a dense healthcare dependency chain, so the breach became a payment and continuity event, not just a security event. In NIST CSF terms, this is a Protect-and-Detect gap that turned into a Recover problem. Practitioners should read this as proof that identity controls on critical paths have systemwide consequences.
Identity threat detection and response should be treated as a control layer, not a dashboard. The meaningful question is whether the programme can spot suspicious identity behaviour early enough to stop lateral movement before encryption or exfiltration completes. That is especially important in environments where remote access, third-party connectivity, and business uptime pressures all work against rapid containment. Security teams need response paths that can act on identity signals in real time.
Ransomware succeeded because the breach combined access abuse, movement, and extortion into one continuous identity failure. MFA alone addresses only the first step. What failed here was the chain of assumptions that a legitimate session would remain legitimate, remain narrow, and remain observable long enough to contain. The practitioner conclusion is that identity governance must be tied to runtime monitoring and blast-radius control, not authentication alone.
Identity blast radius: This breach shows how one compromised remote access identity can cascade into transaction disruption across a national healthcare dependency network. The name is useful because it captures the real failure mode. Practitioners should assess which access paths would create the same kind of cross-functional damage if stolen today.
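The assessment the paragraph above calls for can be made concrete: model identities, groups, hosts and the credentials they expose as a directed graph, then ask what a single stolen login can reach. The following is an added example written for this article, not Unosecur's or Change Healthcare's tooling; the identities, groups, hosts and grants are constructed sample data, and the `CRITICAL` set is an assumed list of transaction systems.

```python
"""Identity blast-radius estimate over a constructed access graph.

Added example for this article; not Unosecur's or Change Healthcare's tooling.
Every node and edge below is constructed sample data.
"""
from collections import deque

# Constructed access graph. An edge (src -> dst) means "holding src lets you
# reach or act as dst": users belong to groups, groups grant hosts, and a host
# can expose a cached service credential that leads to further systems.
SAMPLE_EDGES = [
    ("user:jdoe", "group:remote-users"),
    ("user:jdoe", "group:claims-ops"),
    ("group:remote-users", "host:citrix-gw"),
    ("host:citrix-gw", "host:jump-01"),
    ("group:claims-ops", "host:claims-db"),
    ("host:jump-01", "svc:backup-svc"),        # cached service credential on the jump host
    ("svc:backup-svc", "host:pharmacy-txn"),
    ("svc:backup-svc", "host:payment-router"),
    ("user:aoki", "group:remote-users"),
    ("user:aoki", "host:hr-portal"),
]

# Assumed list of systems whose loss is business interruption, not just data exposure.
CRITICAL = {"host:claims-db", "host:pharmacy-txn", "host:payment-router"}


def build_graph(edges):
    """Adjacency sets; every node appears as a key even if it has no out-edges."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def reachable(graph, start):
    """Breadth-first search: everything a compromised `start` can reach."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(edges, identity, critical=CRITICAL):
    """Return (all nodes reachable from `identity`, critical systems among them)."""
    reach = reachable(build_graph(edges), identity)
    return reach, reach & critical


def rank_identities(edges, critical=CRITICAL):
    """Rank user identities by how many critical systems a theft of each would expose."""
    graph = build_graph(edges)
    users = [n for n in graph if n.startswith("user:")]
    scored = [(u, len(reachable(graph, u) & critical)) for u in users]
    return sorted(scored, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for user, score in rank_identities(SAMPLE_EDGES):
        _, crit = blast_radius(SAMPLE_EDGES, user)
        print(f"{user}: {score} critical systems reachable -> {sorted(crit)}")
    # Re-run with the cached credential removed from the jump host to see
    # how much reach one hygiene fix removes.
    pruned = [e for e in SAMPLE_EDGES if e != ("host:jump-01", "svc:backup-svc")]
    print("after pruning:", rank_identities(pruned))
```

The useful output is not the per-user list but the difference between the two rankings: in the sample graph, removing one cached service credential from the jump host takes the remote-access path from two transaction systems to none, which is the kind of edge to cut before an incident traces it for you.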
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which leaves most machine identity risk outside direct governance, according to the Ultimate Guide to NHIs.
- That visibility gap is why teams should also review the NHI Lifecycle Management Guide before assuming access reviews and offboarding are working as designed.
What this signals
Identity blast radius: healthcare teams should now treat remote access, claims processing, and transaction clearance as one governance surface, not separate operational domains. When a single login path can disrupt a clearinghouse, the access model itself is part of business resilience.
The practical signal for IAM leaders is that MFA cannot be measured only by enrolment rates. It must be measured by whether it suppresses credential replay, narrows session privilege, and slows an attacker enough for detection to trigger before lateral movement expands the incident.
Teams that already use the NIST Cybersecurity Framework 2.0 should map identity telemetry to Protect, Detect, and Recover in the same control chain. That alignment matters because breach containment depends on seeing identity abuse early enough to isolate the affected path.
For practitioners
- Enforce MFA on every remote access path: remove password-only access from Citrix, VPN, admin portals, and any third-party remote entry point. Where a portal cannot support MFA, retire it or place it behind a stronger federated access layer.
- Map identity blast radius for critical systems: identify which identities can reach payment, claims, pharmacy, and clinical transaction systems, then reduce unnecessary reach before an incident proves the dependency graph for you.
- Add identity-based detection for lateral movement: correlate login anomalies, unusual session paths, and abnormal data retrieval so security teams can interrupt movement before encryption and exfiltration become visible at the business layer.
- Test containment against double-extortion scenarios: run exercises that assume compromised credentials, lateral movement, exfiltration, and ransomware encryption all happen in one chain, then validate who can isolate access and when.
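The three phases in the technical breakdown (password-only entry, lateral movement, then bulk retrieval) and the detection item in the list above describe one correlation a security team can actually run. The block below is an added example for this article, not Unosecur's product logic and not anything recovered from the Change Healthcare investigation; the log events, user and host names, window and thresholds are all constructed sample data, normalised into one dict shape so the rules read clearly.

```python
"""Identity-centric detection over constructed authentication and access logs.

Added example for this article; not Unosecur's product logic and not derived
from the Change Healthcare investigation. All events and thresholds below are
constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events. In practice these come from the remote-access gateway
# log (portal_login), domain-controller logon events (host_logon) and a
# data-layer access log (data_read), normalised into this shape.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:02:11", "type": "portal_login", "user": "svc_remote1", "mfa": False, "src": "203.0.113.7"},
    {"ts": "2024-03-01T09:40:00", "type": "host_logon", "user": "svc_remote1", "host": "jump-01"},
    {"ts": "2024-03-01T11:15:30", "type": "host_logon", "user": "svc_remote1", "host": "fileshare-02"},
    {"ts": "2024-03-02T02:05:12", "type": "host_logon", "user": "svc_remote1", "host": "claims-db"},
    {"ts": "2024-03-02T02:30:45", "type": "host_logon", "user": "svc_remote1", "host": "backup-01"},
    {"ts": "2024-03-02T03:10:00", "type": "data_read", "user": "svc_remote1", "bytes": 40_000_000_000},
    {"ts": "2024-03-01T08:00:00", "type": "portal_login", "user": "jdoe", "mfa": True, "src": "198.51.100.4"},
    {"ts": "2024-03-01T08:05:00", "type": "host_logon", "user": "jdoe", "host": "jump-01"},
    {"ts": "2024-03-01T08:30:00", "type": "data_read", "user": "jdoe", "bytes": 12_000_000},
]

WINDOW = timedelta(hours=48)     # assumed: how long after entry activity is attributed to it
FANOUT_THRESHOLD = 3             # assumed: distinct internal hosts that count as spread
BULK_BYTES = 10_000_000_000      # assumed: 10 GB retrieved inside the window


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect(events, window=WINDOW, fanout=FANOUT_THRESHOLD, bulk_bytes=BULK_BYTES):
    """Per user with a portal login, report password-only entry, lateral
    fan-out and bulk retrieval inside the post-entry window, and the combined
    chain when all three line up. Activity outside every entry window is ignored."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        entries = [e for e in evs if e["type"] == "portal_login"]
        if not entries:
            continue

        def in_window(e):
            t = parse_ts(e["ts"])
            # Overlapping windows from several logins count each event once.
            return any(parse_ts(x["ts"]) <= t <= parse_ts(x["ts"]) + window for x in entries)

        hosts = {e["host"] for e in evs if e["type"] == "host_logon" and in_window(e)}
        total = sum(e["bytes"] for e in evs if e["type"] == "data_read" and in_window(e))
        f = {
            "password_only_entry": any(not e["mfa"] for e in entries),
            "lateral_fanout": len(hosts) >= fanout,
            "bulk_retrieval": total >= bulk_bytes,
            "hosts": sorted(hosts),
            "bytes_read": total,
        }
        f["chain"] = f["password_only_entry"] and f["lateral_fanout"] and f["bulk_retrieval"]
        findings[user] = f
    return findings


def containment_candidates(findings):
    """Users to isolate now: the full chain, or password-only entry already spreading."""
    return sorted(u for u, f in findings.items()
                  if f["chain"] or (f["password_only_entry"] and f["lateral_fanout"]))


if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for user, f in result.items():
        print(user, {k: v for k, v in f.items() if k != "bytes_read"})
    print("isolate:", containment_candidates(SAMPLE_EVENTS and result))
```

The point of the `chain` flag is the argument the article makes: a password-only login on its own is a control gap to fix, fan-out on its own may be an administrator's normal day, and a large read may be a backup job, but the three together on one identity inside one window are what the double-extortion pattern looks like before the business layer notices, and `containment_candidates` is where the response decision attaches to the signal rather than to a dashboard.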
Key takeaways
- This breach shows that password-only remote access is enough to open a large operational attack surface when identity controls are weak.
- The impact was material, with reported costs in the hundreds of millions and disruption across a healthcare dependency chain.
- Practitioners should focus on MFA, identity telemetry, and containment for critical access paths rather than treating authentication as the end state.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet. CSF 2.0 moved identity and access control from the 1.1 PR.AC category into PR.AA, so the identifiers below follow the 2.0 numbering.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-03 (users, services, and hardware are authenticated) | The breach began with weak authentication on a remote access path. |
| NIST CSF 2.0 | DE.CM-03 (personnel activity and technology usage are monitored for potentially adverse events) | The attack relied on undetected abnormal identity behaviour after login. |
| NIST Zero Trust (SP 800-207) | Tenets 3 and 6 (per-session access; dynamic, strictly enforced authentication and authorisation) | The incident shows why a session must not be assumed safe because it authenticated once. |
Require stronger authentication on every remote access path and review exceptions immediately.
Key terms
- Identity blast radius: The identity blast radius is the amount of operational damage a compromised account, token, or session can cause before containment succeeds. It is the practical measure of how far access can spread through systems, workflows, and dependencies once trust has been abused.
- Lateral movement: Lateral movement is the process of using one foothold to reach additional systems, accounts, or data after the initial entry point. In identity-heavy environments, it often succeeds when internal trust is broad and abnormal session behaviour is not detected quickly enough.
- Identity threat detection and response: Identity threat detection and response is the monitoring and response layer that looks for suspicious authentication, session, and access behaviour. It combines identity signals with containment actions so teams can interrupt abuse before it becomes exfiltration, encryption, or business disruption.
- Multi-factor authentication: Multi-factor authentication is an authentication method that requires more than one proof of identity before access is granted. In practice, it reduces the value of stolen passwords, but it does not by itself stop post-login abuse, lateral movement, or mis-scoped internal trust.
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- The incident timeline with specific dates for initial access, lateral movement, encryption, and ransom activity.
- The product screenshots showing how inactive MFA identities were identified inside the platform.
- The vendor's remediation framing for real-time detection of suspicious API activity and exfiltration attempts.
- The article's direct comparison between identity controls and ransomware containment outcomes in the healthcare setting.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org