By NHI Mgmt Group Editorial Team
Published 2026-03-09
Domain: Governance & Risk
Source: 1Kosmos

TL;DR: Healthcare breaches average $408 per stolen record and the sector saw 444 reported incidents in 2024, while Change Healthcare affected an estimated 190 million individuals after a Citrix portal without MFA was exposed, according to 1Kosmos and cited sources. Basic identity verification failures are now a patient-safety and operational-risk issue, not just a compliance gap.


At a glance

What this is: This is an analysis of how weak healthcare identity verification turns patient portals, telehealth, and prescription workflows into breach entry points, with Change Healthcare as the clearest example.

Why it matters: It matters because healthcare IAM teams must protect human identities at the front door while also stopping credential abuse that can lead to fraud, record tampering, and ransomware.

By the numbers:

  • In 2024, the healthcare sector experienced 444 reported incidents, according to the FBI's Internet Crime Report.
  • The largest healthcare breach on record occurred that same year, when Change Healthcare suffered a ransomware attack affecting an estimated 190 million individuals.
  • Healthcare data breaches cost organizations an average of $408 per stolen record, according to IBM's Cost of a Data Breach Report.

👉 Read 1Kosmos's analysis of healthcare identity verification failures and breach risk


Context

Healthcare identity verification is the control layer that proves a patient, clinician, or administrator is really who they claim to be before access is granted. In this article, the core issue is that weak identity proofing and weak authentication let attackers move from login fraud into breach-scale compromise.

The article argues that healthcare programmes often treat identity verification as a user-experience problem when it is also a security and safety control. That mismatch matters because patient portals, telehealth, insurance checks, and prescription workflows all expand the attack surface when verification is thin.

The starting position described here is unfortunately typical, not exceptional: passwords, knowledge-based checks, and inconsistent MFA are still common in healthcare environments despite high-value data and recurring abuse patterns.


Key questions

Q: How should healthcare organisations prevent account takeover in patient portals?

A: Healthcare organisations should combine MFA, stronger identity proofing, and risk-based step-up checks instead of relying on passwords or knowledge-based questions. The priority is to protect the specific paths attackers use first, such as patient portals, recovery flows, and telehealth logins. Consistent control coverage matters more than perfect UX.

Q: Why do weak identity verification controls create such large healthcare breaches?

A: Weak verification creates large breaches because one accepted login can unlock many connected systems, including records, billing, and insurer workflows. In healthcare, the same identity session often reaches multiple high-value assets. That makes identity failure a force multiplier for fraud, tampering, and ransomware rather than a single-account problem.

Q: What do security teams get wrong about MFA in healthcare?

A: Teams often treat MFA as a box to tick on one or two systems, when the real risk is the uncovered path. If portals, recovery flows, admin consoles, or third-party access remain outside MFA, attackers will route around the control. MFA only works when it covers the full identity journey.

Q: Who is accountable when healthcare identity verification fails and patient data is exposed?

A: Accountability sits across IAM, privacy, security operations, and business owners of the affected workflow. If the failure enabled fraud, clinical risk, or ransomware, the organisation also needs incident coordination beyond access revocation. For healthcare, identity failure is a governance issue, not just an authentication defect.


Technical breakdown

Why healthcare identity verification fails at the edge of the record

Healthcare identity verification fails most often at the first trust decision, when a portal or workflow accepts a claimed identity without enough proof. In practice, that means passwords, knowledge-based questions, or weak recovery paths become the entry point for credential stuffing, account takeover, and impersonation. Because healthcare access points are distributed across patient portals, telehealth, payer workflows, and e-prescribing, one weak control can expose multiple downstream systems. The technical problem is not simply authentication failure. It is identity proofing that does not hold up when personal data is already widely available to attackers.

Practical implication: treat every front-door identity check as a high-risk trust decision and remove knowledge-based verification where stronger proofing is available.

How credential abuse moves from login to record access

Once stolen credentials are accepted, attackers do not need to break the rest of the environment immediately. They can enumerate accounts, target high-value records, and pivot into billing, clinical, or administrative systems that trust the same identity session. In healthcare, this often creates a chain from patient portal access to insurance fraud, record tampering, or ransomware deployment. The weakness is not just exposure of a password. It is the absence of layered controls such as MFA, device checks, transaction-level step-up, and anomaly detection that would interrupt abusive reuse of valid login data.

Practical implication: add step-up verification and behavioural detection where a valid login alone should never be enough to reach sensitive records.

Risk-based authentication and liveness checks in healthcare IAM

Risk-based authentication works by changing the verification challenge when the context changes, such as a new device, a new location, or a high-risk transaction. In healthcare, that is especially relevant for record changes, payment updates, and onboarding, where document verification and liveness detection can help distinguish a real person from a spoofed identity or synthetic fraud attempt. This approach is stronger than uniform friction because it preserves usability for low-risk access while increasing assurance when the transaction could affect care, privacy, or reimbursement. The key is consistency across channels, not isolated point solutions.

Practical implication: map high-risk healthcare actions to stronger authentication and proofing steps, not just to the initial login.
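The transaction-aware step-up model described above, written out as a policy evaluator. This is an added example, not code from the 1Kosmos article or any product it mentions. The action names, the three assurance tiers (loosely analogous to NIST AAL levels), the risk signals and the thresholds are assumptions chosen for illustration; the point it demonstrates is that context can only raise the required assurance, never lower it, and that recovery and unknown actions are treated as high risk rather than falling through to the login-time default.

```python
"""Transaction-aware step-up policy for a healthcare portal.

Added example, not from the 1Kosmos article. Action names, risk tiers and
signal names are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """Authentication strength already proven in this session (AAL-like, assumed)."""
    PASSWORD = 1            # single factor
    MFA = 2                 # password plus a second factor
    PHISHING_RESISTANT = 3  # passkey/FIDO2, or verified identity document + liveness


# Minimum assurance per action. Assumed tiers: routine reads stay cheap,
# anything that changes money, coverage, clinical data or the identity itself
# needs the strongest proof, and recovery is treated as a high-risk path too.
ACTION_REQUIREMENTS = {
    "view_appointments": Assurance.PASSWORD,
    "view_own_record": Assurance.MFA,
    "update_address": Assurance.MFA,
    "update_payment_method": Assurance.PHISHING_RESISTANT,
    "change_insurance": Assurance.PHISHING_RESISTANT,
    "edit_diagnosis": Assurance.PHISHING_RESISTANT,
    "account_recovery": Assurance.PHISHING_RESISTANT,
}


@dataclass
class SessionContext:
    user_id: str
    assurance: Assurance
    known_device: bool
    country: str
    home_country: str
    records_viewed_last_10min: int = 0
    failed_logins_last_hour: int = 0


@dataclass
class Decision:
    allow: bool
    required: Assurance
    reasons: list = field(default_factory=list)


def evaluate(ctx: SessionContext, action: str) -> Decision:
    """Decide whether `action` may proceed at the session's current assurance.

    Unknown actions are denied by default. Contextual signals raise the
    required level (never lower it), so a valid login alone is not enough
    to reach a sensitive transaction from a risky context.
    """
    if action not in ACTION_REQUIREMENTS:
        return Decision(False, Assurance.PHISHING_RESISTANT, ["unknown action: deny by default"])

    required = ACTION_REQUIREMENTS[action]
    reasons = [f"base requirement for {action}: {required.name}"]

    if not ctx.known_device:
        required = max(required, Assurance.MFA)
        reasons.append("unrecognised device: require MFA")
    if ctx.country != ctx.home_country:
        required = max(required, Assurance.MFA)
        reasons.append("login country differs from home country: require MFA")
    if ctx.failed_logins_last_hour >= 5:
        required = max(required, Assurance.PHISHING_RESISTANT)
        reasons.append("recent failed logins on this account: require phishing-resistant factor")
    if ctx.records_viewed_last_10min >= 20:
        # Bulk record reads from a patient session look like scraping after takeover.
        required = max(required, Assurance.PHISHING_RESISTANT)
        reasons.append("burst of record views: require phishing-resistant factor")

    allow = ctx.assurance >= required
    if not allow:
        reasons.append(f"step-up needed: session has {ctx.assurance.name}, action needs {required.name}")
    return Decision(allow, required, reasons)


if __name__ == "__main__":
    ctx = SessionContext("patient-123", Assurance.MFA, known_device=True, country="GB", home_country="GB")
    for action in ("view_own_record", "update_payment_method"):
        d = evaluate(ctx, action)
        print(action, "ALLOW" if d.allow else "STEP-UP", "|", d.reasons[-1])
```

The same evaluator is what a recovery flow should call before issuing a reset, which is why `account_recovery` sits in the table at the highest tier: a recovery path that only asks for knowledge-based answers is exactly the uncovered path the article warns about.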


Threat narrative

Attacker objective: The attacker wants monetisable access to sensitive healthcare data, fraud opportunities, or operational disruption that increases pressure on the victim to pay or recover quickly.

  1. entry: attackers gain access through weak identity verification, often by reusing stolen credentials against patient or administrative portals.
  2. escalation: valid sessions are abused to reach medical records, billing systems, or insurer-facing workflows that trust the same identity.
  3. impact: the attacker steals personal data, alters records, submits fraudulent claims, or uses the access path to support ransomware operations.

Related credential-exposure breaches from our NHI research:
  • Cisco DevHub NHI breach: IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach: exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Weak healthcare identity verification is an access governance failure before it is a breach problem. The article shows that attackers do not need exotic exploits when identity proofing is thin and MFA is absent. In healthcare, the trust decision happens at the portal, the telehealth session, and the prescription workflow, so identity verification has to be treated as a security boundary. Practitioners should stop framing this as a front-end convenience issue and treat it as the control that determines whether downstream patient data is even reachable.

Credential stuffing becomes a healthcare breach amplifier because one identity can unlock multiple clinical and business systems. The article’s underlying pattern is session reuse across portals, billing, and records, which means a single compromised login can spread far beyond the first application. That is why healthcare IAM cannot rely on password policy alone. The real lesson is that shared trust across connected systems creates identity blast radius, and once that radius is large, fraud and ransomware become easier to stage.

Identity proofing in healthcare needs to be transaction-aware, not just login-aware. Routine access, payment changes, and records edits are not the same trust event, yet many environments verify them with the same control set. The article points toward a named concept we call clinical access assurance gap: the mismatch between low-friction user journeys and high-risk medical data exposure. Practitioners should recognise that a weak step-up model leaves critical actions under-protected even when the initial login appears secure.

Healthcare breach response should be organised around patient impact, not only account containment. The article connects identity failure to fraud, tampering, and service disruption, which means the blast radius is operational as well as technical. That matters for incident governance because clinical workflows, insurance processes, and patient trust all degrade at once. The implication is that IAM teams must coordinate with privacy, clinical operations, and fraud teams as soon as identity compromise is suspected.

Modern healthcare identity controls have become a baseline expectation, not a maturity target. The article ties the Change Healthcare breach to the absence of MFA, which is now a clear marker of control failure in exposed access paths. When a sector repeatedly suffers credential abuse, the question is no longer whether identity controls are needed, but where they remain incomplete. Practitioners should use this as a prompt to audit every externally reachable healthcare identity path for proofing strength and recovery risk.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • For a broader governance lens, The 52 NHI Breaches Report shows how identity failure patterns translate into real breach paths across environments.

What this signals

Clinical access assurance gap: healthcare teams should think about identity controls as patient-safety infrastructure, not only cybersecurity tooling. When verification is weak at the front door, the consequences show up later as fraud, record integrity issues, and delayed care. That means IAM roadmaps need to include clinical workflow owners, not just security administrators.

The operational signal is clear: externally reachable healthcare systems should be audited for MFA coverage, recovery-path strength, and transaction-level verification. Organisations that only protect primary login screens will keep leaving the highest-risk paths exposed. The question is no longer whether the environment is digitised enough to be attacked, but whether every trust boundary is actually enforced.

Because healthcare often has more than one identity population, the programme needs to distinguish patient identity proofing from staff access governance and third-party access control. Those are related but not identical problems, and mixing them produces false confidence. A mature programme will map each identity type to its own assurance threshold and review cycle.


For practitioners

  • Remove weak identity proofing from patient-facing workflows: Retire knowledge-based authentication where social-media and breach data make it easy to bypass. Replace it with stronger identity proofing for onboarding, recovery, and high-risk access paths such as portal enrolment and prescription fulfilment.
  • Require MFA on every externally reachable healthcare access path: Apply MFA to portals, clinician remote access, telehealth admin interfaces, and insurer-facing workflows. Do not leave one Citrix, VPN, or recovery path outside the control set just because it is older or operationally sensitive.
  • Add step-up checks for record changes and payment updates: Treat edits to demographics, billing details, diagnosis data, and insurance information as privileged transactions. Trigger additional verification when the action changes financial liability, clinical risk, or patient identity integrity.
  • Correlate authentication anomalies with fraud and care-impact signals: Watch for repeated failed logins, unusual geolocation, rapid account switching, and access to multiple patient records in short bursts. Route those signals into fraud review and incident response so identity misuse is handled before patient care is affected.
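The behavioural detection called for in the technical breakdown ("How credential abuse moves from login to record access") and in the last practitioner item above, run over a handful of constructed log lines. This is an added example, not code from the 1Kosmos article. The one-JSON-object-per-line log format, the field names (`event`, `user`, `ip`, `country`, `record`), the thresholds and the two routing targets are assumptions; the sample events are constructed, not real data. It implements the three patterns the guidance names: many accounts tried from one source, one account authenticating from two countries in quick succession, and one session reading many distinct records in minutes, then escalates a key that trips more than one signal.

```python
"""Correlate authentication anomalies with record-access signals.

Added example, not taken from the 1Kosmos article. The JSON-lines log
format, field names, thresholds and routing targets are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data). One IP tries six patient accounts in
# seconds, lands on p1006, and that session then reads five different records;
# p1006 had also logged in from another country minutes earlier. p2000 is benign.
SAMPLE_LOGS = """
{"ts":"2026-03-09T09:55:00Z","event":"login_ok","user":"p1006","ip":"198.51.100.4","country":"GB"}
{"ts":"2026-03-09T10:00:01Z","event":"login_failed","user":"p1001","ip":"203.0.113.7","country":"NL"}
{"ts":"2026-03-09T10:00:02Z","event":"login_failed","user":"p1002","ip":"203.0.113.7","country":"NL"}
{"ts":"2026-03-09T10:00:03Z","event":"login_failed","user":"p1003","ip":"203.0.113.7","country":"NL"}
{"ts":"2026-03-09T10:00:04Z","event":"login_failed","user":"p1004","ip":"203.0.113.7","country":"NL"}
{"ts":"2026-03-09T10:00:05Z","event":"login_failed","user":"p1005","ip":"203.0.113.7","country":"NL"}
{"ts":"2026-03-09T10:00:06Z","event":"login_ok","user":"p1006","ip":"203.0.113.7","country":"NL"}
{"ts":"2026-03-09T10:00:30Z","event":"record_view","user":"p1006","ip":"203.0.113.7","country":"NL","record":"MRN-0001"}
{"ts":"2026-03-09T10:00:45Z","event":"record_view","user":"p1006","ip":"203.0.113.7","country":"NL","record":"MRN-0002"}
{"ts":"2026-03-09T10:01:00Z","event":"record_view","user":"p1006","ip":"203.0.113.7","country":"NL","record":"MRN-0003"}
{"ts":"2026-03-09T10:01:15Z","event":"record_view","user":"p1006","ip":"203.0.113.7","country":"NL","record":"MRN-0004"}
{"ts":"2026-03-09T10:01:30Z","event":"record_view","user":"p1006","ip":"203.0.113.7","country":"NL","record":"MRN-0005"}
{"ts":"2026-03-09T10:05:00Z","event":"login_ok","user":"p2000","ip":"198.51.100.9","country":"GB"}
{"ts":"2026-03-09T10:05:10Z","event":"record_view","user":"p2000","ip":"198.51.100.9","country":"GB","record":"MRN-2000"}
"""


def parse_logs(text):
    """Parse JSON lines into events sorted by timestamp; blank lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def _distinct_in_window(events, key, window):
    """Largest set of distinct `key` values inside any `window` that starts at an event."""
    best = set()
    for i, first in enumerate(events):  # events are already time-sorted
        seen = {x[key] for x in events[i:] if x["ts"] - first["ts"] <= window}
        if len(seen) > len(best):
            best = seen
    return best


def detect(events, spray_users=5, spray_window=timedelta(minutes=5),
           geo_window=timedelta(minutes=60),
           burst_records=5, burst_window=timedelta(minutes=10)):
    """Return one alert per (pattern, key) for the three patterns the guidance names."""
    alerts = []
    by_ip, logins, views = defaultdict(list), defaultdict(list), defaultdict(list)
    for e in events:
        if e["event"] in ("login_failed", "login_ok"):
            by_ip[e["ip"]].append(e)
            if e["event"] == "login_ok":
                logins[e["user"]].append(e)
        elif e["event"] == "record_view":
            views[e["user"]].append(e)

    # 1. Many distinct accounts tried from one IP: credential stuffing / rapid account switching.
    for ip, evs in by_ip.items():
        users = _distinct_in_window(evs, "user", spray_window)
        if len(users) >= spray_users:
            alerts.append({"type": "credential_stuffing", "key": ip, "accounts": len(users)})

    # 2. One user authenticated from two countries within geo_window (simplified impossible travel).
    for user, evs in logins.items():
        for a, b in zip(evs, evs[1:]):
            if a["country"] != b["country"] and b["ts"] - a["ts"] <= geo_window:
                alerts.append({"type": "geo_anomaly", "key": user, "countries": [a["country"], b["country"]]})
                break

    # 3. One session reading many distinct records quickly: scraping after takeover.
    for user, evs in views.items():
        recs = _distinct_in_window(evs, "record", burst_window)
        if len(recs) >= burst_records:
            alerts.append({"type": "record_burst", "key": user, "records": len(recs)})
    return alerts


def triage(alerts):
    """Route each key: two or more signal types on one key goes to incident response."""
    hits = defaultdict(set)
    for a in alerts:
        hits[a["key"]].add(a["type"])
    return {k: ("incident_response" if len(t) >= 2 else "fraud_review") for k, t in hits.items()}


if __name__ == "__main__":
    found = detect(parse_logs(SAMPLE_LOGS))
    for a in found:
        print(a)
    print(triage(found))
```

The thresholds are deliberately low so the sample trips them; in production they would be tuned per identity population, since a clinician legitimately opens many records in a shift while a patient session normally touches one. That is the same point the "What this signals" section makes about keeping patient, staff and third-party assurance thresholds separate.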

Key takeaways

  • Healthcare identity verification failures turn routine access points into breach entry paths for fraud, tampering, and ransomware.
  • The scale is already material, with 444 healthcare incidents reported in 2024 and a single breach affecting an estimated 190 million people.
  • Teams that want to reduce exposure should prioritise MFA coverage, stronger proofing, and transaction-aware step-up controls across every patient-facing and administrative workflow.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference                                              | Relevance
NIST CSF 2.0                  | PR.AA-02, PR.AA-03 (PR.AC-1 in CSF 1.1)                           | Identities are proofed and bound to credentials, and users are authenticated before access; healthcare identity proofing governs who can establish or use an identity.
NIST SP 800-63                | 800-63A identity assurance levels (IAL), 800-63B authenticator assurance levels (AAL) | Identity assurance and authentication strength are central to healthcare portal access; IAL and AAL give the vocabulary for proofing strength and step-up.
NIST Zero Trust (SP 800-207)  | Section 2.1 tenets: dynamic, per-session authentication and authorisation | Zero Trust requires continuous verification before access to clinical and business systems.

Map every patient and staff access path to identity proofing and enforce stronger checks on high-risk workflows.


Key terms

  • Identity proofing: Identity proofing is the process of establishing that a person is who they claim to be before access is granted. In healthcare, it matters because weak proofing can let attackers impersonate patients or staff, opening the door to fraud, record tampering, and unsafe clinical decisions.
  • Risk-based authentication: Risk-based authentication changes the verification requirement based on context such as device, location, behaviour, or transaction type. In healthcare, it helps keep routine access usable while forcing stronger checks when a user attempts a sensitive action that could affect patient data or payments.
  • Step-up authentication: Step-up authentication adds a stronger verification step when a session moves into a higher-risk action. In healthcare, that can mean requiring biometrics, document checks, or additional factors before changing insurance details, viewing restricted records, or completing other sensitive transactions.
  • Medical identity theft: Medical identity theft occurs when someone uses another person's identity to obtain care, submit claims, or access health information. It creates both financial harm and patient safety risk because the resulting records, billing, and treatment history can be corrupted or misattributed.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by 1Kosmos: healthcare identity verification and the risk of breach-scale access failures. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org