Learn how a single stolen password without MFA protection led to the largest healthcare data breach in US history.
• Attackers used stolen credentials to access a Citrix portal lacking multi-factor authentication, giving them over a week of undetected access
• The ransom payment failed completely when ALPHV leadership stole the money from their own affiliate, who then re-extorted victims through RansomHub
• The attack became the largest healthcare breach in US history, affecting over half of Americans and disrupting pharmacies, hospitals, and providers nationwide
• Enable MFA on all remote access and monitor for credential exposure; paying a ransom rarely protects the stolen data
A single stolen password. No multi-factor authentication. 190 million Americans affected. Attackers moved through the network for nine days before deploying ransomware.
Change Healthcare processes 15 billion healthcare transactions annually. One in three US patient records touches their systems. When attackers breached this central hub, the impact rippled nationwide.
This case study examines how stolen credentials enabled the attack and why the ransom payment failed. The final victim count reached 190 million in January 2025.
For security teams, this breach offers critical lessons about authentication and the futility of ransomware payments.
On February 21, 2024, Change Healthcare detected ransomware deployed across their systems. Investigation revealed attackers had been inside the network since February 12. They used those nine days to exfiltrate approximately 4 TB of data before triggering the encryption.
Ransomware is malware that encrypts files and demands payment for decryption keys. Modern ransomware groups also steal data before encrypting, threatening to publish it if victims refuse payment. This combination of encryption and data theft is called double extortion.
Change Healthcare is a subsidiary of UnitedHealth Group. The company processes healthcare transactions including claims and payments. They also handle prior authorizations.
When Change Healthcare went offline, the impact cascaded across the healthcare industry. Pharmacies could not process prescriptions. Hospitals could not verify insurance. Providers could not submit claims or receive payments.
The attack vector was remarkably simple. Attackers obtained stolen credentials for a low-level customer support employee. They used these credentials to access a Citrix remote access portal. The portal lacked multi-factor authentication.
According to court filings in the Nebraska lawsuit, attackers used the “stolen username and password of a low-level customer support employee.” The credential source was not publicly disclosed, but stolen credentials typically come from two sources.
First, infostealer malware infections capture credentials from employee devices. These logs circulate on criminal marketplaces and Telegram channels. Second, credentials from previous third-party data breaches get compiled into combo lists that attackers purchase.
Had the credentials been circulating on criminal marketplaces, as such credentials often do for weeks or months before they are used, dark web monitoring could have flagged them before the attackers logged in.
UnitedHealth CEO Andrew Witty testified to Congress that attackers accessed the network through a Citrix portal protected only by a password. No multi-factor authentication was required.
This configuration meant anyone with the stolen credentials could access the portal. No additional verification. No second factor. No alert that an unusual device was accessing the system.
Witty admitted this was the failure point. The CEO testified that the company had not yet implemented MFA on this legacy system. The portal came from a prior acquisition and had not been fully integrated into UnitedHealth’s security controls.
From February 12 to February 21, attackers moved through the network without triggering detection. They escalated privileges and identified valuable data stores. By the time ransomware deployed, they had exfiltrated 4 TB of sensitive information.
Network segmentation failures allowed this lateral movement. Attackers accessed systems far beyond what a customer support account should reach. Proper segmentation would have limited the blast radius of the initial compromise.
ALPHV/BlackCat, a ransomware-as-a-service operation, claimed responsibility for the attack on February 29, 2024. The group has ties to Russian-speaking criminal organizations.
ALPHV operated an affiliate model. The group provided ransomware tools and infrastructure. Affiliates conducted the actual attacks and shared profits with ALPHV leadership.
This affiliate model became significant in the aftermath. The affiliate who conducted the Change Healthcare attack would later be betrayed by ALPHV leadership.
The ransom payment story illustrates why security teams should never count on payments to resolve ransomware incidents.
Blockchain analysis confirmed UnitedHealth paid approximately $22 million in Bitcoin on March 3, 2024. The payment went to wallets associated with ALPHV/BlackCat.
The company expected to receive decryption keys and confirmation that stolen data would be deleted. Ransomware groups typically promise both in exchange for payment.
Two days after receiving the ransom, ALPHV leadership executed an exit scam. They stole the $22 million from their own affiliate who conducted the attack. Then they shut down their operation.
The affiliate never received their share of the ransom. More importantly, they retained a copy of all stolen data. ALPHV’s promises about data deletion became meaningless when the gang ceased operations.
The unpaid affiliate took the stolen Change Healthcare data to RansomHub, another ransomware group. In April 2024, RansomHub demanded a second ransom.
Patient data began appearing on dark web leak sites despite the $22 million payment. UnitedHealth faced the exact outcome the ransom was supposed to prevent.
Paying one group doesn’t stop others from demanding more. Affiliates retain data copies. Data surfaces on multiple platforms regardless of payment.
In January 2025, UnitedHealth confirmed the final count: 190 million Americans affected. This represents over half the US population.
Initial estimates in spring 2024 suggested tens of millions affected. By October 2024, UnitedHealth confirmed over 100 million. The count continued climbing as forensic analysis progressed.
The data compromised included names, addresses, Social Security numbers, dates of birth, health insurance information, medical records including diagnoses and treatments, test results, and provider information.
For victims, this represents a complete healthcare identity. The combination of financial data and medical history enables targeted fraud and identity theft.
The financial impact extended across multiple categories. Direct costs to UnitedHealth exceeded $2.9 billion. Industry-wide impacts affected virtually every healthcare provider in the country.
UnitedHealth reported total response costs exceeding $2.9 billion through earnings reports. This included incident response and system rebuilding. Credit monitoring for victims and business disruption added billions more.
The $22 million ransom payment became one of the smallest costs. The failed payment represented less than 1% of total breach expenses.
American Hospital Association surveys from March 2024 found that 94% of hospitals reported financial impact from the breach. 74% reported direct patient care impacts. 77% of clinicians experienced service disruptions.
The American Medical Association survey revealed that 55% of medical practice owners used personal funds to cover payroll during the outage. Providers could not submit claims or receive payments while Change Healthcare systems remained offline.
UnitedHealth advanced over $9 billion to healthcare providers facing cash flow crises. These advances helped keep providers operational during the weeks of system outage.
The Nebraska Attorney General filed the first state enforcement action. Federal lawsuits consolidated into multi-district litigation with over 49 cases combined.
Congressional hearings examined the breach in May 2024. CEO Andrew Witty testified about the missing MFA and acknowledged the company’s security failures.
HIPAA investigations continue. The breach represents the largest healthcare data compromise subject to federal health privacy regulations.
Change Healthcare took systems offline immediately upon detecting the ransomware on February 21, 2024. The shutdown prevented further encryption but also halted healthcare transactions nationwide.
The company made the ransom payment decision on March 3, 2024. The decision drew criticism because ransomware payments are unreliable, and the subsequent exit scam proved the critics right.
UnitedHealth advanced over $9 billion to healthcare providers who couldn’t receive payments during the outage.
Victim notification began in June 2024 and continued through the end of the year. Sorting through 4 TB of stolen files to identify victims took months.
The breach offers concrete lessons if you manage sensitive data through third-party processors.
Credential monitoring is the automated detection of stolen employee credentials appearing on dark web marketplaces and stealer logs. When attackers obtain credentials through phishing or malware, those credentials often appear on criminal markets before they’re exploited. Dark web monitoring detects these leaked credentials, enabling password rotation before attackers exploit them.
The Citrix portal lacking MFA became the entry point for attackers. CEO testimony confirmed this was the critical failure. Any remote access portal represents a potential attack vector.
Enable MFA on every Citrix deployment and VPN connection. No exceptions for legacy systems. No exceptions for “low-risk” accounts. The Change Healthcare attack started with a customer support account, not an administrator.
Hardware security keys provide stronger protection than SMS or app-based codes. For critical infrastructure, consider requiring hardware tokens.
The stolen credentials likely appeared on dark web marketplaces before the attack. Dark web monitoring would have caught them.
Compromised credential monitoring catches exposed passwords before attackers exploit them. Early detection enables password rotation. The attack window closes before exploitation occurs.
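The triage step that credential monitoring feeds is shown below as an added example (not code from the original article or from any vendor it mentions): a constructed stealer-log sample in an assumed `url:user:password` layout is filtered to the company's own domain and checked against a constructed directory snapshot, so exposed passwords that are still valid are separated from stale ones.

```python
import hashlib
import hmac

# Constructed stealer-log sample in the common "url:user:password" layout
# (layout is an assumption; real logs vary by malware family, and none of
# these accounts or hosts come from the actual Change Healthcare incident).
STEALER_LOG = """\
https://portal.example-health.com/login:support.agent@example-health.com:Winter2024!
https://mail.google.com:someone@gmail.com:hunter2
https://vpn.example-health.com:443:j.doe@example-health.com:OldPassw0rd
https://shop.example.net:support.agent@example-health.com:Winter2024!
"""

WATCHED_DOMAINS = {"example-health.com"}

def stored_hash(password: str, salt: str) -> str:
    """Stand-in for the directory's salted password hash (PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()

# Constructed directory snapshot: current salt and hash per employee account.
DIRECTORY = {
    "support.agent@example-health.com": ("s1", stored_hash("Winter2024!", "s1")),
    "j.doe@example-health.com": ("s2", stored_hash("NewPassw0rd", "s2")),
}

def parse_line(line: str):
    # Split from the right: the URL contains ':' after the scheme and before a
    # port, so only the last two separators delimit user and password.
    url, user, password = line.rsplit(":", 2)
    return url, user.lower(), password

def triage(log_text: str, directory: dict, watched_domains: set) -> dict:
    """Map each exposed company account to a triage verdict."""
    findings = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        _url, user, password = parse_line(raw)
        if user.rpartition("@")[2] not in watched_domains:
            continue                                         # not our identity: ignore
        if user not in directory:
            findings.setdefault(user, "unknown-account")     # ex-employee or alias
            continue
        salt, current = directory[user]
        if hmac.compare_digest(stored_hash(password, salt), current):
            findings[user] = "rotate-now"                    # leaked password still valid
        else:
            findings.setdefault(user, "stale-credential")    # old password; watch for reuse
    return findings
```

Accounts marked `rotate-now` are the ones where the attack window described above is still open; a `stale-credential` hit still indicates a device that was infected at some point.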
Third-party cyber risk management extends this monitoring to vendors. Change Healthcare was a vendor to thousands of US healthcare providers. Their breach disrupted providers nationwide.
The $22 million payment did not prevent data publication. Criminal organizations are unreliable partners.
Prevention is cheaper than hoping payment works. Maintain offline backups and plan for recovery without decryption keys. If you do pay, assume the data will still leak.
The Change Healthcare case demonstrates that even substantial payments provide no guarantee. The data ended up on leak sites anyway.
Nine days of undetected lateral movement enabled the attackers to reach systems far beyond their initial access point. A customer support credential should not provide access to core data stores.
Network segmentation limits the blast radius of compromised credentials. Zero trust architectures assume breach and verify access at every step. Monitoring for unusual lateral movement detects attackers earlier.
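One way to monitor for the lateral-movement pattern described above, as an added example that is not from the original article: a per-account baseline of hosts seen during a quiet period is learned from constructed authentication events, and a live feed is checked for logins from an unfamiliar source host and for several first-time target hosts within a short window. All host and account names are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events ("timestamp user source_host target_host").
# Names are invented; nothing here is real Change Healthcare telemetry.
BASELINE_LOG = """\
2024-01-15T09:00:00 support01 ws-cs-17 crm-app01
2024-01-16T09:05:00 support01 ws-cs-17 crm-app01
2024-01-17T09:10:00 support01 ws-cs-17 ticket-web02
"""
LIVE_LOG = """\
2024-02-12T02:13:00 support01 citrix-gw01 crm-app01
2024-02-12T02:20:00 support01 citrix-gw01 fileshare-03
2024-02-12T02:31:00 support01 citrix-gw01 db-claims01
2024-02-12T02:44:00 support01 citrix-gw01 dc-01
2024-02-13T09:02:00 support01 ws-cs-17 crm-app01
"""

def parse_events(text: str):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, src, dst = line.split()
            events.append((datetime.fromisoformat(ts), user, src, dst))
    return sorted(events)

def learn_baseline(events):
    """Per account: the source and target hosts seen during a quiet period."""
    known = defaultdict(set)
    for _ts, user, src, dst in events:
        known[user].update({("src", src), ("dst", dst)})
    return known

def detect(events, baseline, window=timedelta(hours=1), threshold=2):
    """Return (timestamp, user, kind, detail) alerts for out-of-baseline access."""
    alerts, flagged_sources = [], set()
    new_targets = defaultdict(list)        # user -> [(time, host)] outside baseline
    for ts, user, src, dst in events:
        known = baseline.get(user, set())
        if ("src", src) not in known and (user, src) not in flagged_sources:
            flagged_sources.add((user, src))
            alerts.append((ts, user, "new-source", src))
        if ("dst", dst) not in known:
            new_targets[user].append((ts, dst))
            recent = [h for t, h in new_targets[user] if ts - t <= window]
            # Several first-time targets in a short window is the spread pattern
            # a customer support account should never show.
            if len(recent) >= threshold:
                alerts.append((ts, user, "lateral-spread", recent))
    return alerts
```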
The Change Healthcare breach shows how a single stolen password without MFA protection can cascade into the largest healthcare data breach in US history. 190 million Americans affected. $2.9 billion in costs. A ransom payment that failed to protect any stolen data.
Key lessons for security teams:
• Enable MFA on every remote access portal, including Citrix and VPN, with no exceptions for legacy systems or low-privilege accounts.
• Monitor dark web marketplaces and stealer logs for exposed employee credentials so they can be rotated before they are used.
• Segment the network so that a single compromised account cannot reach core data stores.
• Assume a ransom payment will not protect the stolen data; invest in prevention and offline backups instead.
The healthcare industry faces unique pressures from ransomware attackers who know system downtime affects patient care. Preventing data breaches in healthcare requires both technical controls and recognition that this sector remains a primary target.
The Nebraska lawsuit revealed attackers used stolen credentials from a low-level customer support employee. While the exact source isn’t public, stolen credentials typically come from infostealer malware infections or dark web marketplace purchases. This is why monitoring for credential exposure is critical.
ALPHV/BlackCat leadership stole the ransom from their own affiliate in an exit scam. The unpaid affiliate kept a copy of the stolen data and took it to RansomHub, which demanded a second ransom. Paying one group doesn’t stop others from demanding more.
Enable MFA on all remote access portals including Citrix and VPN. Use dark web monitoring to detect exposed employee credentials. Implement network segmentation to limit lateral movement. Assume ransomware payments won’t work and invest in prevention instead.
Change Healthcare processes 15 billion transactions annually across thousands of healthcare providers. Determining exactly whose data was in the stolen 4 TB required months of forensic analysis. The count increased from 100 million in October 2024 to 190 million in January 2025 as analysis continued.
Stolen data included names, addresses, Social Security numbers, dates of birth, health insurance information, medical records including diagnoses and treatments, test results, and provider information. This represents essentially a complete healthcare identity for 190 million Americans.