TL;DR: Change Healthcare’s ransomware attack shows how compromised credentials without MFA can still bypass enterprise defenses, even in heavily regulated environments, according to Hydden. The case reinforces that identity hygiene, visibility, and control enforcement remain operationally difficult across hybrid estates, SaaS, and non-human identities.
NHIMG editorial — based on content published by Hydden covering the Change Healthcare ransomware attack: identity hygiene, missing MFA, and hybrid IAM visibility gaps
By the numbers:
- The Change Healthcare unit processes about 50% of all U.S. medical claims.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: What breaks when MFA is not enforced on every remote access path?
A: When MFA is inconsistent, a stolen password can still function as a valid enterprise login, which gives attackers a low-friction entry point into critical systems.
Q: Why do hybrid identity environments increase ransomware risk?
A: Hybrid environments increase ransomware risk because identity data is fragmented across directories, SaaS, and on-premises systems, making it hard to prove control coverage.
Q: How do security teams know whether identity hygiene is actually improving?
A: They should measure control coverage, not just policy adoption.
Practitioner guidance
- Harden every remote access entry point Inventory all portals, VPNs, Citrix instances, and admin consoles that accept credentials and confirm MFA is enforced on each one, including legacy systems that sit outside modern SSO flows.
- Build a complete identity inventory Correlate human accounts, service accounts, groups, SaaS identities, and privileged accounts across cloud and on-premises directories so you can prove where access exists and where policy coverage is missing.
- Treat identity gaps as ransomware exposure Prioritise high-value systems that can be reached by a single credential compromise, then reduce standing access and remove broad trust relationships before an attacker can pivot.
What's in the full article
Hydden's full blog post covers the operational detail this post intentionally leaves for the source:
- The specific identity-security posture issues Hydden says make MFA enforcement difficult in large hybrid organisations.
- The visibility and enrichment workflow the vendor uses to inventory human and non-human identities across dispersed systems.
- The product framing around extracting and operationalising identity intelligence for security teams and MSSPs.
- The article's discussion of why legacy IAM tooling has not kept pace with the security role identity now plays.
👉 Read Hydden's analysis of identity hygiene failures in the Change Healthcare ransomware attack →
Ransomware through weak identity hygiene: what IAM teams missed?
Explore further
Identity hygiene failed where authentication assumptions were still built around trusted access paths: the article shows that compromised credentials without MFA remain enough to breach a major enterprise even when security budgets are large. That is not a tooling problem alone. It is a governance failure in which the organisation cannot guarantee the same control standard across every access path, and practitioners must treat that inconsistency as a systemic risk.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: Who is accountable when a compromised credential leads to ransomware impact?
A: Accountability sits with the identity, infrastructure, and application owners who allowed a reachable system to remain outside consistent authentication standards. In regulated environments, governance teams also need to show that exceptions were documented, justified, and time-bounded.
👉 Read our full editorial: Identity hygiene failures still expose ransomware paths in hybrid IAM