TL;DR: Change Healthcare was breached through compromised credentials to a Citrix remote access portal without MFA, followed by lateral movement, data exfiltration, and a $22 million ransom payment, according to Oasis Security and UnitedHealth Group. The incident shows why MFA is necessary for human access but insufficient when identity governance does not extend to non-human identities and remote access pathways.
NHIMG editorial — based on content published by Oasis Security: The Future of Identity Security: Lessons from the Change Health Breach
By the numbers:
- Change Healthcare paid a $22 million ransom after the breach.
- Non-human identities outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: What fails when a remote access portal allows single-factor logins?
A: A single-factor remote access portal turns stolen credentials into a direct entry path, which lets attackers operate as trusted users once inside.
Q: Why do MFA controls still leave organisations exposed to ransomware?
A: MFA reduces the risk of initial login compromise, but it does not control what happens after a session begins.
Q: What do security teams get wrong about remote access trust?
A: Teams often assume that authenticated remote access is equivalent to trusted internal access.
Practitioner guidance
- Enforce MFA on every remote access portal: Audit all externally reachable portals, VPNs, and remote desktop access points and remove any path that still accepts single-factor authentication.
- Map the post-authentication attack surface: Document what a compromised remote login can reach after authentication, including admin consoles, file shares, service interfaces, and privileged workflows.
- Separate remote access trust from internal privilege: Do not let successful portal authentication imply broad internal trust.
What's in the full analysis
Oasis Security's full blog post covers the operational detail this post intentionally leaves for the source:
- The exact breach timeline from initial portal access through the nine-day delay before ransomware deployment
- The article's explanation of why MFA is necessary for human identities but insufficient on its own for the wider identity fabric
- Oasis Security's own framing of how automated secret rotation and lifecycle management fit into NHI defence
- The specific customer-facing context the vendor uses to connect remote access compromise to healthcare disruption
👉 Read Oasis Security's analysis of the Change Healthcare breach and identity security lessons →
Change Healthcare breach: what it means for IAM and NHI governance?
Explore further
MFA at the edge is not an identity security programme. The Change Healthcare breach shows that a single authentication control can reduce risk at the door while leaving the rest of the access chain exposed. Once attackers pass through a trusted portal, the programme still has to govern privilege boundaries, credential reuse, and movement between systems. Practitioners should treat MFA as one control in a broader identity fabric, not as a substitute for governance.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which helps explain why compromised access persists after initial detection.
A question worth separating out:
Q: Who is accountable when compromised credentials are used to trigger ransomware?
A: Accountability usually spans identity, infrastructure, and security operations because the failure chain includes authentication design, network trust boundaries, and detection gaps. Frameworks such as NIST CSF and Zero Trust Architecture place responsibility on governance that limits blast radius, not only on the team that owns the portal.
👉 Read our full editorial: Change Healthcare breach exposes the limits of MFA-only identity security