By NHI Mgmt Group Editorial Team
Published 2026-02-18
Domain: Breaches & Incidents
Source: Hydden

TL;DR: Change Healthcare’s ransomware attack shows how compromised credentials without MFA can still bypass enterprise defenses, even in heavily regulated environments, according to Hydden. The case reinforces that identity hygiene, visibility, and control enforcement remain operationally difficult across hybrid estates, SaaS, and non-human identities.


At a glance

What this is: This is a Hydden analysis of how weak identity hygiene and missing MFA enabled a ransomware intrusion with broad operational and data impact.

Why it matters: It matters because IAM teams still have to govern human and non-human access consistently across hybrid estates, where gaps in visibility and MFA enforcement can turn basic identity failures into enterprise-wide incidents.



Context

Identity hygiene is the collection of controls that keep accounts, credentials, and access paths aligned with actual business need. In hybrid environments, that becomes hard quickly because authentication sprawl, legacy systems, and dispersed admin ownership make it difficult to enforce MFA consistently across every account and every system.

This case sits at the intersection of ransomware and identity governance. The core issue is not that MFA exists in theory, but that regulated enterprises still struggle to guarantee it on all paths into key systems, especially where human access, third-party access, and service-account sprawl overlap.

The article also underscores a broader operational problem: visibility alone does not reduce risk unless teams can enrich and operationalise identity data across cloud, on-premises, SaaS, and non-human identity estates. That starting point is typical of large enterprises, not an exception.


Key questions

Q: What breaks when MFA is not enforced on every remote access path?

A: When MFA is inconsistent, a stolen password can still function as a valid enterprise login, which gives attackers a low-friction entry point into critical systems. That failure is especially dangerous in legacy portals and hybrid environments, where exceptions often persist longest and are hardest to audit.

Q: Why do hybrid identity environments increase ransomware risk?

A: Hybrid environments increase ransomware risk because identity data is fragmented across directories, SaaS, and on-premises systems, making it hard to prove control coverage. If teams cannot see every account and access path, they cannot reliably enforce MFA, privilege limits, or access reviews across the full estate.

Q: How do security teams know whether identity hygiene is actually improving?

A: They should measure control coverage, not just policy adoption. Useful signals include MFA enforcement across all externally reachable accounts, completeness of identity inventory, and the percentage of privileged and non-human accounts that are continuously reviewed and remediated.

Q: Who is accountable when a compromised credential leads to ransomware impact?

A: Accountability sits with the identity, infrastructure, and application owners who allowed a reachable system to remain outside consistent authentication standards. In regulated environments, governance teams also need to show that exceptions were documented, justified, and time-bounded.


Technical breakdown

How compromised credentials become a ransomware entry point

Credential theft remains one of the cleanest paths into enterprise environments because authentication still acts as the front door for many critical systems. When login credentials are valid but lack MFA, attackers do not need to exploit software flaws first. They can authenticate directly, access portals, and then look for additional trust relationships, exposed data stores, and administrative paths that expand the blast radius.

Practical implication: enforce MFA on every externally reachable and high-value authentication path, including legacy portals that sit outside modern identity standards.

Why hybrid identity sprawl weakens control enforcement

Hybrid estates create control gaps when identity data is split across Active Directory, cloud directories, SaaS applications, and operational systems. In that environment, the problem is not a single broken policy but inconsistent enforcement and incomplete inventory. If teams cannot discover and correlate all identities, they cannot prove whether MFA, access reviews, or privilege boundaries are actually applied everywhere they matter.

Practical implication: centralise identity visibility and correlation before relying on policy attestation or risk reporting.

How ransomware impact expands through identity and data access

Once attackers gain authenticated access, the next stage is usually data discovery and exfiltration rather than immediate encryption alone. In regulated sectors, that means PHI, claims data, and administrative records can be exposed before the organisation even detects the intrusion. Identity controls matter here because they determine how far a valid session can travel and how much data can be reached from a single compromised credential.

Practical implication: map high-value applications, data sets, and admin portals to the identities that can reach them, then narrow access paths before an incident forces that review.
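The mapping step described above, worked through on constructed data. This is an added example for this write-up, not code from Hydden or NHI Mgmt Group: the account, group, portal and data-set names are hypothetical, and the access graph stands in for a correlated identity inventory. It computes the identity blast radius of each account (everything a valid session can reach through standing access), the inverse view of which identities can reach a given high-value asset, and the effect of narrowing one access path before an incident forces the review.

```python
"""Identity blast-radius mapping over a constructed access graph.

Added example for this write-up; it is not code from Hydden or from NHI Mgmt
Group. The account, group, portal and data-set names are hypothetical, and the
graph is constructed sample data standing in for a correlated identity inventory.
"""
from collections import deque

# Constructed inventory of standing access, as a directed graph:
#   account -> groups it belongs to / portals it can log in to
#   group   -> systems and data sets the group can reach
#   system  -> trust relationships the system exposes onward
ACCESS_EDGES = {
    "j.doe":                ["grp-helpdesk"],
    "svc-claims-batch":     ["grp-claims-ops"],
    "a.admin":              ["grp-domain-admins"],
    "grp-helpdesk":         ["portal-remote-access", "ticketing-app"],
    "grp-claims-ops":       ["claims-db"],
    "grp-domain-admins":    ["admin-console"],
    "portal-remote-access": ["intranet-apps"],
    "intranet-apps":        ["file-share-phi"],
    "admin-console":        ["claims-db", "file-share-phi"],
}
ACCOUNTS = ["j.doe", "svc-claims-batch", "a.admin"]
# Assets whose exposure would count as incident-scale impact (hypothetical).
HIGH_VALUE = {"claims-db", "file-share-phi", "admin-console"}


def reachable(graph, start):
    """Breadth-first walk: every node a valid session for `start` can reach
    through standing access, without any further credential theft."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(graph, account, high_value=HIGH_VALUE):
    """Everything one compromised credential reaches, and the high-value subset."""
    reach = reachable(graph, account)
    return {"reachable": sorted(reach), "high_value": sorted(reach & high_value)}


def identities_reaching(graph, asset, accounts):
    """Inverse view: which accounts can reach a given asset at all."""
    return sorted(a for a in accounts if asset in reachable(graph, a))


def narrow(graph, src, dst):
    """Return a copy of the graph with one standing-access edge removed, so the
    effect of an access-path reduction can be measured before it is made."""
    return {node: [n for n in nxts if not (node == src and n == dst)]
            for node, nxts in graph.items()}


if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct, "->", blast_radius(ACCESS_EDGES, acct)["high_value"])
    print("file-share-phi reachable by:",
          identities_reaching(ACCESS_EDGES, "file-share-phi", ACCOUNTS))
    trimmed = narrow(ACCESS_EDGES, "intranet-apps", "file-share-phi")
    print("after narrowing, j.doe ->", blast_radius(trimmed, "j.doe")["high_value"])
```

In this constructed graph a non-privileged helpdesk account reaches a PHI file share only through a portal-to-intranet trust relationship; removing that single edge with `narrow` takes every high-value asset out of its blast radius, which is the kind of access-path reduction the section recommends doing before an incident rather than after.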


Threat narrative

Attacker objective: The attackers aimed to convert a valid identity foothold into data theft and operational disruption at enterprise scale.

  1. Entry: BlackCat accessed a Change Healthcare Citrix portal by using compromised login credentials that did not have MFA protection.
  2. Escalation: The attackers used that authenticated foothold to move from simple portal access toward broader corporate access and sensitive data discovery.
  3. Impact: The intrusion led to exfiltration of corporate data, including PHI, and affected an organisation that processes about half of all U.S. medical claims.



NHI Mgmt Group analysis

Identity hygiene failed where authentication assumptions were still built around trusted access paths: the article shows that compromised credentials without MFA remain enough to breach a major enterprise even when security budgets are large. That is not a tooling problem alone. It is a governance failure in which the organisation cannot guarantee the same control standard across every access path, and practitioners must treat that inconsistency as a systemic risk.

Identity visibility gap: the most damaging weakness in hybrid enterprises is often not the absence of controls but the inability to see where they are missing. When identities span cloud, on-premises systems, SaaS, and non-human accounts, teams lose the ability to prove coverage, which means policy design and enforcement drift apart. The implication is that IAM programmes must be judged by completeness of visibility, not by policy intent alone.

Ransomware now exploits identity infrastructure before it exploits endpoints: in mature organisations, attackers increasingly use valid access rather than malware first, which makes identity the initial control plane of the incident. This matters for the broader market because IAM, PAM, and NHI governance are no longer support functions. They are breach prevention layers, and practitioners should expect identity controls to be measured as core security controls, not administrative overhead.

Phishing-resistant authentication is constrained less by technical feasibility than by operational tolerance: the article notes that leaders hesitate to shift all authentication because of cost, complexity, and failure risk. That hesitation is real, but it also leaves a durable gap between policy aspiration and operational reality. The implication for practitioners is that migration programmes must account for rollback risk, legacy dependencies, and user impact, not just target architecture.

Identity security is becoming a cyber defence discipline, not an IAM maintenance task: the article reflects the market shift where teams must extract, enrich, and operationalise identity intelligence across all account types. That includes human identities, service accounts, groups, and emerging AI-related identities. Practitioners should interpret this as a mandate to manage identity posture with the same urgency as endpoint or vulnerability management.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
  • That remediation gap is one reason practitioners should also review 52 NHI Breaches Analysis for patterns in how identity failures become operational incidents.

What this signals

Identity visibility is now a breach-prevention requirement, not an audit convenience: if a programme cannot map every reachable identity and account, it cannot reliably enforce MFA or prove exception coverage. That pushes IAM teams toward continuous discovery and correlation across cloud, SaaS, and legacy estates, with Ultimate Guide to NHIs providing a useful baseline for scope.

Standing access is the real exposure multiplier: once a credential is compromised, the size of the reachable blast radius depends on how much access remains permanently available. NHI programmes that still tolerate long-lived secrets, broad group membership, and stale admin entitlements will keep turning basic identity failures into incident-scale events.

90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs. That statistic matters here because zero trust fails if identity governance remains uneven across human and non-human access paths. The practical signal is whether teams can actually remove exceptions, not whether they can describe the policy.


For practitioners

  • Harden every remote access entry point: inventory all portals, VPNs, Citrix instances, and admin consoles that accept credentials and confirm MFA is enforced on each one, including legacy systems that sit outside modern SSO flows.
  • Build a complete identity inventory: correlate human accounts, service accounts, groups, SaaS identities, and privileged accounts across cloud and on-premises directories so you can prove where access exists and where policy coverage is missing.
  • Treat identity gaps as ransomware exposure: prioritise high-value systems that can be reached by a single credential compromise, then reduce standing access and remove broad trust relationships before an attacker can pivot.
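The practitioner checklist above, together with the earlier answer on measuring control coverage rather than policy adoption and the requirement that exceptions be documented, justified and time-bounded, can be turned into a scorecard that runs over a correlated inventory. The following is an added example, not code from Hydden or NHI Mgmt Group; the records, field names, sources and thresholds (90-day review window, 90-day secret age) are assumptions about what an export from directories, SaaS and a secrets store might look like.

```python
"""Identity control-coverage scorecard over a constructed identity inventory.

Added example for this write-up; it is not code from Hydden or from NHI Mgmt
Group. The records, field names and thresholds are assumptions about what a
correlated inventory (AD, cloud directory, SaaS, secrets store) might export.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2026, 2, 18)  # fixed reference date so results are deterministic


@dataclass
class Identity:
    name: str
    kind: str                       # "human", "service" or "workload"
    source: str                     # directory or platform the record came from
    externally_reachable: bool      # can log in from outside (portal, VPN, SaaS)
    mfa_enforced: bool
    privileged: bool
    last_review: Optional[date]     # last access review, None if never reviewed
    secret_age_days: Optional[int] = None   # non-human credential age
    exception: Optional[dict] = None        # {"ticket": str, "expires": date}


# Constructed sample inventory (hypothetical names and values).
INVENTORY = [
    Identity("j.doe", "human", "ad", True, True, False, date(2026, 1, 10)),
    Identity("legacy-portal-user", "human", "ad", True, False, False, None),
    Identity("vendor-support", "human", "ad", True, False, False, date(2025, 12, 1),
             exception={"ticket": "CHG-0000", "expires": date(2026, 3, 31)}),
    Identity("svc-claims-batch", "service", "ad", False, False, True,
             date(2025, 9, 1), secret_age_days=400),
    Identity("ci-deploy", "workload", "cloud", True, False, True, date(2026, 2, 1),
             secret_age_days=20,
             exception={"ticket": "CHG-0001", "expires": date(2026, 1, 1)}),
    Identity("a.admin", "human", "cloud", True, True, True, date(2026, 1, 20)),
]


def exception_is_valid(exc, today=TODAY):
    """An MFA exception only counts if it is documented (ticket) and still time-bounded."""
    return bool(exc and exc.get("ticket") and exc.get("expires") and exc["expires"] >= today)


def mfa_coverage(inventory):
    """Share of externally reachable identities with MFA enforced (exceptions do not count)."""
    ext = [i for i in inventory if i.externally_reachable]
    return sum(i.mfa_enforced for i in ext) / len(ext) if ext else 1.0


def mfa_gaps(inventory, today=TODAY):
    """Externally reachable identities with no MFA and no valid exception: fix these first."""
    return [i.name for i in inventory
            if i.externally_reachable and not i.mfa_enforced
            and not exception_is_valid(i.exception, today)]


def review_coverage(inventory, window_days=90, today=TODAY):
    """Share of privileged and non-human identities reviewed inside the window."""
    scope = [i for i in inventory if i.privileged or i.kind != "human"]
    cutoff = today - timedelta(days=window_days)
    reviewed = [i for i in scope if i.last_review is not None and i.last_review >= cutoff]
    return len(reviewed) / len(scope) if scope else 1.0


def stale_secrets(inventory, max_age_days=90):
    """Non-human identities whose credential is older than the rotation limit."""
    return [i.name for i in inventory
            if i.kind != "human" and i.secret_age_days is not None
            and i.secret_age_days > max_age_days]


def scorecard(inventory):
    """Coverage figures a programme can be judged on, rather than policy intent."""
    return {
        "mfa_coverage_external": round(mfa_coverage(inventory), 3),
        "mfa_gaps": mfa_gaps(inventory),
        "review_coverage_priv_nhi": round(review_coverage(inventory), 3),
        "stale_secrets": stale_secrets(inventory),
        "sources_seen": sorted({i.source for i in inventory}),
    }


if __name__ == "__main__":
    for key, value in scorecard(INVENTORY).items():
        print(f"{key}: {value}")
```

Two design points: an identity with a documented, unexpired exception is left out of `mfa_gaps` (it is a known, time-bounded risk) but still counts against `mfa_coverage`, so the headline number cannot be improved by filing exceptions; and an expired exception is treated as no exception at all, which is how a legacy portal that was "temporarily" excluded ends up back on the gap list.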

Key takeaways

  • Ransomware still enters through identity failures when credentials are valid, reachable, and not protected by MFA.
  • Hybrid environments make identity governance harder because visibility, enforcement, and remediation are fragmented across systems.
  • The control that changes the outcome is not just better detection, but consistent authentication coverage and reduced standing access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
--- | --- | ---
NIST CSF 2.0 | PR.AC-1 | MFA gaps show weak authentication enforcement on reachable systems.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero Trust requires continuous verification, not optional MFA coverage.
OWASP Non-Human Identity Top 10 | NHI-03 | Identity hygiene failures mirror weak lifecycle and access control for non-human identities.

Inventory and restrict all high-risk identities, then remove standing access and stale credentials.


Key terms

  • Identity hygiene: Identity hygiene is the ongoing discipline of keeping accounts, credentials, and access paths aligned with current business need. It covers MFA coverage, stale account removal, privilege minimisation, and exception management across human and non-human identities.
  • Hybrid identity environment: A hybrid identity environment spans on-premises directories, cloud identity platforms, SaaS applications, and connected operational systems. The challenge is not just scale but inconsistent policy enforcement, fragmented ownership, and limited visibility across different control planes.
  • Standing access: Standing access is permission that remains available until someone explicitly removes it, rather than being granted only when needed. It increases breach impact because a compromised credential can be used immediately, without waiting for approval, review, or expiry.
  • Identity blast radius: Identity blast radius is the set of systems, data, and administrative capability reachable through a compromised account or credential. It is shaped by privilege scope, trust relationships, and how consistently access is constrained across the environment.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Hydden covering the Change Healthcare ransomware attack: identity hygiene, missing MFA, and hybrid IAM visibility gaps. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org