Ransomware through weak identity hygiene: what IAM teams missed


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7341
Topic starter  

TL;DR: Change Healthcare’s ransomware attack shows how compromised credentials without MFA can still bypass enterprise defenses, even in heavily regulated environments, according to Hydden. The case reinforces that identity hygiene, visibility, and control enforcement remain operationally difficult across hybrid estates, SaaS, and non-human identities.

NHIMG editorial — based on content published by Hydden covering the Change Healthcare ransomware attack: identity hygiene, missing MFA, and hybrid IAM visibility gaps

By the numbers:

Questions worth separating out

Q: What breaks when MFA is not enforced on every remote access path?

A: When MFA is inconsistent, a stolen password can still function as a valid enterprise login, which gives attackers a low-friction entry point into critical systems.

Q: Why do hybrid identity environments increase ransomware risk?

A: Hybrid environments increase ransomware risk because identity data is fragmented across directories, SaaS, and on-premises systems, making it hard to prove control coverage.

Q: How do security teams know whether identity hygiene is actually improving?

A: They should measure control coverage, meaning which identities and access paths a control such as MFA actually protects, not just whether a policy has been adopted.

Practitioner guidance

  • Harden every remote access entry point: Inventory all portals, VPNs, Citrix instances, and admin consoles that accept credentials and confirm MFA is enforced on each one, including legacy systems that sit outside modern SSO flows.
  • Build a complete identity inventory: Correlate human accounts, service accounts, groups, SaaS identities, and privileged accounts across cloud and on-premises directories so you can prove where access exists and where policy coverage is missing.
  • Treat identity gaps as ransomware exposure: Prioritise high-value systems that can be reached by a single credential compromise, then reduce standing access and remove broad trust relationships before an attacker can pivot.
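The three guidance items above, and the earlier point about measuring control coverage rather than policy adoption, can be turned into a repeatable check. The Python script below is an added example written for this post; it is not Hydden's or NHIMG's code. It runs over a constructed inventory (every entry point, system, directory and identity name in it is made up) and reports the gap between "MFA required by policy" and "MFA enforced", correlates identities across directories by owner, and lists which identities can reach a high-value system through a path without enforced MFA.

```python
"""Identity control-coverage report (added example, not Hydden's or NHIMG's code).

Given an inventory of credential-accepting entry points and of identities pulled
from several directories, answer:
  1. On which entry points is MFA actually enforced (coverage, not just policy)?
  2. Which identities, human or non-human, reach a high-value system through an
     entry point without enforced MFA, i.e. fall to a single stolen credential?
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class EntryPoint:
    name: str
    kind: str                 # "portal", "vpn", "citrix", "admin_console"
    mfa_policy: bool          # MFA required by written policy
    mfa_enforced: bool        # MFA actually verified on this path (from config/auth logs)
    reaches: FrozenSet[str]   # systems reachable once logged in


@dataclass(frozen=True)
class Identity:
    id: str
    source: str               # directory of record: "ad", "entra", "saas:crm", ...
    owner: Optional[str]      # person who owns it; None marks a non-human identity
    entry_points: FrozenSet[str]
    privileged: bool = False


# Systems a single-credential compromise must not be able to reach unprotected.
HIGH_VALUE = {"claims-db", "payment-gateway", "domain-controllers"}

# Constructed sample inventory; names are hypothetical.
ENTRY_POINTS = [
    EntryPoint("sso-portal", "portal", True, True, frozenset({"crm", "claims-db"})),
    EntryPoint("legacy-citrix", "citrix", True, False, frozenset({"claims-db"})),
    EntryPoint("site-vpn", "vpn", False, False,
               frozenset({"domain-controllers", "payment-gateway"})),
    EntryPoint("cloud-admin", "admin_console", True, True, frozenset({"payment-gateway"})),
]

IDENTITIES = [
    Identity("jdoe", "ad", "jane.doe", frozenset({"sso-portal", "site-vpn"}), privileged=True),
    Identity("jane.doe@corp", "entra", "jane.doe", frozenset({"sso-portal"})),
    Identity("svc-claims-export", "ad", None, frozenset({"legacy-citrix"})),
    Identity("crm-integration", "saas:crm", None, frozenset({"sso-portal"})),
    Identity("bsmith", "ad", "bob.smith", frozenset({"sso-portal"})),
]


def mfa_coverage(entry_points: List[EntryPoint]) -> Tuple[float, float]:
    """Return (policy_rate, enforced_rate). The difference between the two is the
    gap between 'policy adopted' and 'control in place'."""
    n = len(entry_points)
    policy = sum(ep.mfa_policy for ep in entry_points) / n
    enforced = sum(ep.mfa_enforced for ep in entry_points) / n
    return policy, enforced


def correlate_by_owner(identities: List[Identity]) -> Dict[str, List[str]]:
    """Group identities from every directory under the person who owns them;
    identities with no owner land under 'non-human'."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for ident in identities:
        groups[ident.owner or "non-human"].append(ident.id)
    return dict(groups)


def single_credential_exposure(identities: List[Identity],
                               entry_points: List[EntryPoint]) -> Dict[str, List[Tuple[str, str]]]:
    """Identities that reach a HIGH_VALUE system via an entry point lacking
    enforced MFA. Returns {identity_id: [(entry_point, system), ...]}."""
    by_name = {ep.name: ep for ep in entry_points}
    exposed: Dict[str, List[Tuple[str, str]]] = {}
    for ident in identities:
        hits = [(ep.name, system)
                for ep in (by_name[name] for name in ident.entry_points)
                if not ep.mfa_enforced
                for system in sorted(ep.reaches & HIGH_VALUE)]
        if hits:
            exposed[ident.id] = sorted(hits)
    return exposed


def prioritise(exposed: Dict[str, List[Tuple[str, str]]],
               identities: List[Identity]) -> List[str]:
    """Order exposed identities for remediation: privileged first, then by how
    many high-value systems a single credential would open."""
    priv = {i.id: i.privileged for i in identities}
    return sorted(exposed, key=lambda i: (not priv[i], -len(exposed[i]), i))


if __name__ == "__main__":
    policy, enforced = mfa_coverage(ENTRY_POINTS)
    print(f"MFA by policy: {policy:.0%}  MFA enforced: {enforced:.0%}")
    print("identities by owner:", correlate_by_owner(IDENTITIES))
    exposed = single_credential_exposure(IDENTITIES, ENTRY_POINTS)
    for ident in prioritise(exposed, IDENTITIES):
        print(f"EXPOSED {ident}: {exposed[ident]}")
```

In a real estate the two lists would be fed from the directories, SSO provider and VPN/Citrix configuration, and the `mfa_enforced` flag should come from observed authentications rather than from the policy document; that is the point of the policy-versus-enforced split.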

What's in the full article

Hydden's full blog post covers the operational detail this post intentionally leaves for the source:

  • The specific identity-security posture issues Hydden says make MFA enforcement difficult in large hybrid organisations.
  • The visibility and enrichment workflow the vendor uses to inventory human and non-human identities across dispersed systems.
  • The product framing around extracting and operationalising identity intelligence for security teams and MSSPs.
  • The article's discussion of why legacy IAM tooling has not kept pace with the security role identity now plays.

👉 Read Hydden's analysis of identity hygiene failures in the Change Healthcare ransomware attack →
