TL;DR: Change Healthcare was breached through a Citrix portal that lacked MFA, then suffered lateral movement, data theft, and ransomware disruption that cost UnitedHealth Group hundreds of millions of dollars, according to Unosecur and UnitedHealth disclosures. The failure shows that authentication controls alone do not stop identity-based intrusion when monitoring and containment are weak.
NHIMG editorial — based on content published by Unosecur covering the Change Healthcare cyberattack: lessons on MFA, detection, and ransomware containment
By the numbers:
- UnitedHealth disclosed $870 million in cyberattack-related costs in Q1 2024.
- Change Healthcare handles more than 15 billion medical transactions every year.
- The cyberattack affected 131 million patients and nearly 67,000 pharmacies.
Questions worth separating out
Q: What breaks when a remote access portal does not require MFA?
A: Password-only remote access turns stolen credentials into immediate session access, which means the attacker can enter through a normal user path and blend into routine activity.
Q: Why do compromised credentials create such a large breach risk in healthcare systems?
A: Healthcare platforms sit inside tightly linked operational chains, so one identity compromise can affect transactions, payment processing, pharmacy workflows, and patient services at once.
Q: How can security teams know whether MFA is actually reducing risk?
A: MFA is working only if it blocks password replay on every high-value access path and is paired with alerts that detect abnormal sessions after login.
Practitioner guidance
- Enforce MFA on every remote access path: remove password-only access from Citrix, VPN, admin portals, and any third-party remote entry point.
- Map identity blast radius for critical systems: identify which identities can reach payment, claims, pharmacy, and clinical transaction systems, then reduce unnecessary reach before an incident proves the dependency graph for you.
- Add identity-based detection for lateral movement: correlate login anomalies, unusual session paths, and abnormal data retrieval so security teams can interrupt movement before encryption and exfiltration become visible at the business layer.
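One way to operationalise the first two items above, as an added example that is not code from Unosecur or the NHIMG post: a small Python audit over a constructed inventory that lists password-only entry points and computes each identity's transitive reach into critical systems. All entry point names, identities, hosts, the access graph and the MFA flags are constructed sample data, not values from the incident.

```python
from collections import deque

# Constructed inventory of remote entry points and the identities allowed through each.
ENTRY_POINTS = {
    "citrix-portal": {"mfa": False, "identities": ["svc-claims", "jdoe"]},
    "corp-vpn": {"mfa": True, "identities": ["jdoe", "ops-admin"]},
    "vendor-jump": {"mfa": False, "identities": ["vendor-eng"]},
}

# Constructed access graph: each node lists what it can reach directly
# (identity -> host/app, host -> app, app -> backing system).
ACCESS_GRAPH = {
    "svc-claims": ["claims-app"],
    "jdoe": ["workstation-12"],
    "ops-admin": ["ad-dc01"],
    "vendor-eng": ["integration-gw"],
    "workstation-12": ["file-share"],
    "ad-dc01": ["claims-app", "pharmacy-switch", "payments-db"],
    "claims-app": ["payments-db"],
    "integration-gw": ["pharmacy-switch"],
}

# Systems whose compromise disrupts the transaction chain (constructed labels).
CRITICAL_SYSTEMS = {"claims-app", "payments-db", "pharmacy-switch"}


def password_only_entry_points(entry_points):
    """Entry points where a replayed password alone yields a session."""
    return sorted(name for name, ep in entry_points.items() if not ep["mfa"])


def blast_radius(graph, identity, critical=CRITICAL_SYSTEMS):
    """Critical systems reachable from an identity, transitively (BFS)."""
    seen, queue = {identity}, deque([identity])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(identity)
    return sorted(seen & critical)


def exposed_paths(entry_points, graph):
    """(entry point, identity, critical reach) for every password-only path."""
    findings = []
    for ep in password_only_entry_points(entry_points):
        for ident in entry_points[ep]["identities"]:
            reach = blast_radius(graph, ident)
            if reach:  # only paths that actually land on something critical
                findings.append((ep, ident, reach))
    return findings


if __name__ == "__main__":
    for ep, ident, reach in exposed_paths(ENTRY_POINTS, ACCESS_GRAPH):
        print(f"{ep} (no MFA) -> {ident} -> {', '.join(reach)}")
```

Each finding is a path an attacker with one replayed password could take to a critical system without ever tripping MFA; fixing the entry point or trimming the identity's reach removes it from the list.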
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- The incident timeline with specific dates for initial access, lateral movement, encryption, and ransom activity.
- The product screenshots showing how inactive MFA identities were identified inside the platform.
- The vendor's remediation framing for real-time detection of suspicious API activity and exfiltration attempts.
- The article's direct comparison between identity controls and ransomware containment outcomes in the healthcare setting.
Read Unosecur's full analysis of the Change Healthcare breach and MFA gaps: "Change Healthcare breach: what IAM teams missed beyond MFA?"