Lessons from Change Healthcare Breach: What to Know

Post Summary

The Change Healthcare breach in 2024 was the largest healthcare data breach in U.S. history, impacting 190 million Americans. Hackers exploited a Citrix portal without multi-factor authentication, stole 4 TB of sensitive data, and disrupted healthcare operations nationwide. UnitedHealth Group paid a $22 million ransom, but the data was leaked anyway, costing the company over $2.9 billion in total response efforts. Hospitals and medical practices across the country faced financial strain, with many small practices using personal funds to stay afloat.

Key takeaways:

  • Multi-factor authentication (MFA) is critical for securing access points.
  • Faster threat detection could have minimized damage.
  • Over-reliance on a single vendor creates system-wide vulnerabilities, highlighting the need for automated vendor solutions to manage these risks.
  • Stronger third-party risk management is essential to protect sensitive data.
  • Paying a ransom doesn’t guarantee data security.

This breach highlights the urgent need for healthcare organizations to strengthen cybersecurity measures to protect patient data and maintain operational stability.

2024 Change Healthcare Breach Case Study

The Change Healthcare Breach: What Happened

Change Healthcare Breach Timeline: February 2024 to January 2025

Timeline of Events

The breach at Change Healthcare began on February 12, 2024, when hackers gained access to the company's network using stolen credentials from a customer support employee. The entry point? A Citrix remote portal that lacked multi-factor authentication. For nine days, the attackers operated undetected, extracting around 4 TB of sensitive data before launching a ransomware attack on February 21.

Date          Event
Feb 12, 2024  Hackers gain access via Citrix portal (no MFA)
Feb 21, 2024  Ransomware attack detected; systems shut down
Mar 3, 2024   UnitedHealth Group pays $22 million in Bitcoin ransom
Mar 13, 2024  UnitedHealth receives a "safe" copy of stolen data
Apr 15, 2024  RansomHub demands a second ransom, begins leaking data
May 1, 2024   CEO Andrew Witty testifies before Senate Finance Committee
Jun 20, 2024  HIPAA breach notifications begin
Oct 24, 2024  Affected count reaches 100 million
Jan 24, 2025  Affected count revised to 190 million

On March 5, 2024, the situation took a bizarre turn. ALPHV/BlackCat leaders disappeared with the $22 million ransom, leaving their hacking affiliate with nothing but the stolen data. Angry and unpaid, the affiliate joined a new group, RansomHub, and in April 2024, they demanded a second ransom. When that failed, they began leaking patient records online, escalating the crisis.

The fallout was massive, leading to nationwide disruptions across the healthcare industry.

Impact on Healthcare Operations

Change Healthcare plays a critical role in the U.S. healthcare system, handling electronic data exchanges for claims, eligibility checks, payments, and pharmacy benefits. So, when the company shut down its systems on February 21 to contain the breach, the effects rippled across the country.

Pharmacies couldn’t process prescriptions electronically, leaving patients to either pay cash upfront or rely on manual overrides. This even hit military pharmacies serving TriCare beneficiaries, disrupting medication access for service members and their families. Hospitals like Reid Health in Richmond, Indiana, scrambled to mobilize IT, finance, and clinical teams to manage revenue cycle issues, creating months-long backlogs.

The financial strain was staggering. 94% of hospitals reported significant financial impacts, with 33% saying more than half of their revenue was affected. Smaller medical practices were hit particularly hard - 55% of practice owners had to dip into personal funds to cover payroll. To ease the burden, UnitedHealth Group advanced over $9 billion to healthcare providers, helping them stay afloat during the crisis.

The breach quickly spiraled into a financial and legal nightmare for UnitedHealth Group. The company racked up over $2.9 billion in direct response costs, including system rebuilding, forensic investigations, and operational losses. And the $22 million ransom? It didn’t even secure the stolen data.

Legal troubles mounted as well. A multi-district litigation (MDL) was filed in the District of Minnesota (Case No. 24-MD-03108), accusing the company of negligence in protecting sensitive health information. A U.S. District Court Judge went so far as to call Optum’s communications with providers "misleading" [4].

The Department of Health and Human Services Office for Civil Rights also launched HIPAA investigations. Breach notifications began in June 2024 and continued through January 2025 as the number of affected individuals grew from "tens of millions" to a staggering 192.7 million - roughly two-thirds of the U.S. population.

The Change Healthcare breach wasn’t just a cybersecurity incident - it was a full-blown crisis with far-reaching consequences for the entire healthcare system.

Security Weaknesses Exposed by the Breach

The Change Healthcare breach revealed critical security gaps, serving as a cautionary tale for healthcare organizations. Let’s break down the specific vulnerabilities - both technical and organizational - that played a role in this incident.

Missing Multi-Factor Authentication (MFA)

At the heart of the breach was a glaring oversight: a Citrix remote access portal without multi-factor authentication. Attackers exploited this weakness by using stolen credentials from a support employee to gain access on February 12, 2024. Since the portal relied solely on a username and password, the login appeared legitimate.

"The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data." - UnitedHealth Group [5]

This vulnerability highlights a common issue - outdated systems inherited during acquisitions that fail to meet modern security standards. In this case, a single stolen password was all it took to breach the system.

Slow Detection and Response

The breach wasn’t just about how attackers got in; it was also about how long they went unnoticed. Once inside, the attackers roamed freely for nine days, from February 12 to February 21, 2024. During this time, they escalated privileges, identified sensitive data, and exfiltrated 4 TB of information before deploying ransomware [1].

Weak monitoring systems and a lack of internal segmentation allowed a low-level account to access critical systems, amplifying the breach’s impact. This delay in detection is part of a broader issue, as studies show that 74% of security breaches are tied to human factors, such as compromised credentials [6]. The extended response time not only worsened the breach but also added to the operational and financial fallout.

Dependence on a Single Vendor

The breach also underscored a systemic issue within the healthcare industry: over-reliance on a single vendor. Change Healthcare processes 15 billion healthcare transactions annually, accounting for about one-third of all U.S. patient records [1][2]. When the company shut down its systems on February 21 to contain the breach, the ripple effects were felt nationwide.

"This incident was a stark reminder of unresolved vulnerabilities involving vendors, third parties, and partners – issues long debated but largely unaddressed." - Scott Mattila, CISO and COO, Intraprise Health [2]

The impact was staggering. Ninety-four percent of hospitals reported significant financial strain [1], and UnitedHealth had to inject over $9 billion to keep providers afloat. The concentration of critical infrastructure in a single vendor created a massive point of failure. When that vendor was compromised, the entire healthcare system felt the shock.

Lessons Learned: How to Close Security Gaps

Addressing the exposed vulnerabilities requires a set of focused actions to reduce risks and strengthen security measures.

Lesson 1: Require MFA Across All Access Points

The breach stemmed from a Citrix portal that lacked multi-factor authentication (MFA). To prevent similar incidents, conduct a thorough audit of all network entry points, especially those linked to mergers or acquisitions. Implement MFA on remote access portals, VPNs, and legacy systems. For critical infrastructure, hardware security keys should take priority over SMS or app-based authentication. Additionally, MFA and automated credential rotation should be extended to non-human identities.

"MFA deployment is essential. It's the front line in ensuring that users are who they claim to be." – Mark Allen, Head of Cybersecurity, CloudCoCo [6]

Complement these efforts with dark web monitoring to identify compromised credentials early and use network segmentation to limit the potential damage of a breach.

Lesson 2: Improve Threat Detection and Response

In the Change Healthcare case, attackers went undetected for nine days [1]. Speeding up threat detection is critical to protecting data and reducing operational disruptions. Deploy advanced endpoint detection and response (EDR) tools, implement network segmentation to contain breaches, and adopt a zero trust architecture that continuously verifies access requests.

"Enhancing endpoint detection and response capabilities is also crucial." – Dr. Michael Poku, Chief Clinical Officer, Equality Health [2]

Automate response triggers to activate incident protocols immediately. Align cyber incident response, emergency management, and business continuity plans to ensure coordinated action during crises. Regular penetration testing, especially for backups and restoration processes, is essential. Train "downtime coaches" to maintain clinical operations during prolonged outages. Use frameworks like the HHS Cybersecurity Performance Goals to measure preparedness effectively.

Lesson 3: Diversify Vendors and Supply Chains

Relying too heavily on a single vendor can create a critical weak point. Following the incident, 94% of hospitals reported financial strain [1], while UnitedHealth Group had to inject over $9 billion to support providers during the crisis.

To mitigate this risk, map out dependencies and identify single points of failure that could disrupt operations. Build redundancy across payers, clearinghouses, and electronic health record (EHR) systems. Develop business continuity plans that assume a minimum of 30 days of downtime for any critical third-party service.

"Payers, providers, clearinghouses, EHRs and revenue cycle companies need to establish redundancy and create multiple layers of protection to both defend against and respond to the ever-present threat of cyberattacks." – Jett Reidy, Chief Product and Technology Officer, EnableComp [2]

Test these plans regularly with real-world drills to ensure they are effective and actionable.

Lesson 4: Strengthen Third-Party Risk Management

In 2024, 88% of major healthcare data breaches involved third parties or business associates [3]. Cybercriminals are increasingly targeting centralized vendor hubs, as compromising one partner can open doors to multiple connected organizations.

Traditional vendor management practices are no longer sufficient. A systematic approach is needed to map, prioritize, and continuously monitor vendors and subcontractors based on the criticality of their services and the sensitivity of the data they handle.

Censinet RiskOps™ offers a centralized platform for automating third-party risk assessments, benchmarking cybersecurity practices, and managing risks tied to patient data, clinical applications, and supply chains. Continuous monitoring helps identify risks as they emerge rather than relying on periodic assessments.

Review and update Business Associate Agreements (BAAs) to include clear incident reporting protocols, financial liability coverage, and defined technical responsibilities. Security frameworks like HITRUST and the HHS Cybersecurity Performance Goals can standardize security requirements across the supply chain, enhancing overall operational security.

Lesson 5: Prepare for Ransom Scenarios

Paying a ransom - like the $22 million in this case - does not guarantee data recovery or prevent further extortion attempts. Instead, focus on creating robust offline contingency plans. Maintain secure, air-gapped backups that cannot be accessed by attackers, and regularly test restoration procedures under real-world conditions.

"The decision to pay a ransom was mine. This was one of the hardest decisions I've ever had to make, and I wouldn't wish it on anyone." – Andrew Witty, CEO, UnitedHealth Group [5]

Establish clear communication protocols involving legal teams, law enforcement, and executive leadership for a well-coordinated response. Familiarize yourself with HIPAA and state breach notification requirements to ensure rapid and compliant action when incidents occur.

How Censinet RiskOps™ Helps Apply These Lessons

Healthcare organizations face the challenge of managing hundreds of vendor relationships while upholding strict security protocols. The Change Healthcare breach is a stark reminder of how a single compromised vendor can ripple into a crisis, impacting 190 million healthcare consumers [3]. Censinet RiskOps™ simplifies the process of identifying, assessing, and managing risks, offering a direct response to the vulnerabilities highlighted by incidents like this.

Automating Third-Party Risk Assessments

Managing vendor vulnerabilities effectively requires dynamic assessments, and manual processes simply can't keep up with the sheer volume of vendor relationships. This is where Censinet Connect steps in. By automating the assessment process, it allows vendors to complete third-party risk assessment questions and questionnaires in seconds rather than weeks. Its AI-driven evidence validation ensures that critical security controls - like multi-factor authentication (MFA) - are in place by automatically verifying documentation and protections.

This automation tackles the "hub and spoke" threat model, where attackers exploit a central vendor to infiltrate numerous downstream organizations [3]. By streamlining these evaluations, healthcare organizations can monitor vendors and subcontractors continuously, catching vulnerabilities before they become threats.

Improving Risk Visibility and Benchmarking

Censinet RiskOps™ provides real-time risk visibility by consolidating data from internal and third-party systems into a single dashboard. This centralized view allows organizations to compare their cybersecurity posture against industry benchmarks, such as the HHS Cybersecurity Performance Goals. Leadership gains access to clear, actionable metrics, enabling better decision-making.

With predictions suggesting that 88% of major breaches in 2024 will involve third parties [3], it's crucial to identify which vendors handle sensitive data or support critical operations. This level of insight helps organizations allocate resources wisely and prepare for potential incidents, building a foundation for scalable and effective risk management.

Scaling Risk Management Operations

For organizations processing billions of transactions annually - like Change Healthcare - scaling risk management is non-negotiable. Censinet offers flexible options to meet different needs: Platform (for in-house teams), Hybrid Mix (combining software with managed services), and Managed Services (fully outsourced risk management). These options allow organizations to align their risk management strategies with available resources and expertise, ensuring strong threat detection and operational resilience. This adaptability strengthens cybersecurity defenses against systemic vulnerabilities, keeping operations secure and efficient.

Conclusion: Moving Forward with Better Security

The recent breach shed light on critical vulnerabilities within a major healthcare network, revealing just how damaging gaps in cybersecurity can be. Because a legacy server lacked multi-factor authentication (MFA), attackers were able to steal terabytes of sensitive data, disrupt billions of transactions, and render a $22 million ransom ineffective [1].

To prevent such incidents, healthcare organizations need to take decisive action. This includes implementing MFA across all systems, segmenting networks to limit the spread of attacks, and preparing for potential operational downtime. The breach also highlighted the risks of the "hub and spoke" model, where a single compromised vendor can affect thousands of connected organizations. Continuous monitoring and addressing healthcare supply chain security challenges are critical to mitigating these risks.

Platforms like Censinet RiskOps™ play a key role in addressing these challenges. By automating third-party risk assessments and improving visibility into potential threats, the platform helps healthcare organizations enforce essential security measures, such as MFA, and identify vulnerabilities before they lead to major crises.

The healthcare industry cannot afford to make the same mistakes again. Cybersecurity isn't just about protecting systems - it’s about safeguarding patient care, ensuring financial stability, and preserving trust in the healthcare system. By addressing these weaknesses now, organizations can secure their operations and protect the patients who rely on them.

FAQs

How can we confirm every remote access point has MFA enabled?

To make sure all remote access points are protected with Multi-Factor Authentication (MFA), begin by pinpointing every system and tool that supports remote login. Conduct a thorough audit to verify that MFA is enabled on each access point. Use monitoring tools to identify any potential gaps or vulnerabilities in your setup.

Stay on top of this by regularly updating access policies and scheduling periodic reviews to ensure ongoing compliance. Adopting a centralized identity management solution can simplify the process, helping you enforce MFA consistently across all access points.

What controls can detect a stolen-credential intrusion within hours?

Detecting a stolen-credential intrusion quickly hinges on using multi-factor authentication (MFA) for all remote access points. Alongside this, continuous monitoring for exposed credentials and suspicious login behavior is essential. The Change Healthcare breach serves as a stark reminder - without MFA, organizations leave themselves vulnerable, underscoring the need for proactive measures to spot and address threats promptly.
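As an added example that is not part of the original post or of any Censinet product, the Python script below runs three simple detection rules over constructed log lines, covering the controls named in this answer and in Lesson 2: a successful remote-portal login without MFA, a single account fanning out to more internal hosts than its baseline, and outbound volume crossing a threshold inside a 24-hour window. Field names, thresholds and the sample events are assumptions.

```python
# Added example (not from the original post): three detection rules run over
# constructed remote-portal and host-access logs. Field names, thresholds and
# the sample events are assumptions, not those of any real product.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one key=value record per line. "support01" plays
# the role of a low-privilege support account whose password was stolen.
LOG = """\
ts=2024-02-12T03:14:00 type=portal_login user=support01 src=198.51.100.7 result=success mfa=false
ts=2024-02-12T03:20:00 type=host_access user=support01 host=claims-db-01 bytes_out=120000000
ts=2024-02-12T03:45:00 type=host_access user=support01 host=file-srv-02 bytes_out=900000000
ts=2024-02-12T04:10:00 type=host_access user=support01 host=pharma-api-01 bytes_out=1500000000
ts=2024-02-12T08:00:00 type=portal_login user=nurse22 src=203.0.113.5 result=success mfa=true
ts=2024-02-12T08:05:00 type=host_access user=nurse22 host=ehr-web-01 bytes_out=2000000
"""


def parse(log):
    """Turn key=value lines into dicts with a real timestamp."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = dict(kv.split("=", 1) for kv in line.split())
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect(events, max_hosts=2, max_bytes=1_000_000_000, window=timedelta(hours=24)):
    """Return (rule, user, detail) alerts. max_hosts is the assumed number of
    internal hosts a support account normally touches; max_bytes is the assumed
    outbound byte budget per account within the window."""
    alerts = []
    hosts = defaultdict(set)        # user -> distinct hosts reached
    egress = defaultdict(list)      # user -> [(ts, bytes_out)]
    for ev in events:
        u = ev["user"]
        if ev["type"] == "portal_login" and ev["result"] == "success" and ev["mfa"] != "true":
            # Rule 1: the gap at the centre of the breach, a password-only portal login.
            alerts.append(("login_without_mfa", u, ev["src"]))
        elif ev["type"] == "host_access":
            # Rule 2: fire once, the moment an account exceeds its host baseline.
            hosts[u].add(ev["host"])
            if len(hosts[u]) == max_hosts + 1:
                alerts.append(("unusual_host_spread", u, sorted(hosts[u])))
            # Rule 3: fire once when outbound volume in the window first crosses the budget.
            egress[u].append((ev["ts"], int(ev["bytes_out"])))
            total = sum(b for t, b in egress[u] if ev["ts"] - t <= window)
            if total > max_bytes and total - int(ev["bytes_out"]) <= max_bytes:
                alerts.append(("egress_threshold", u, total))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse(LOG)):
        print(f"ALERT {rule}: user={user} detail={detail}")
```

With the constructed events, every alert points at support01 within the first hour of activity, which is the kind of signal that turns a nine-day dwell time into hours.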

How can we reduce operational risk if a critical vendor is down for 30 days?

Healthcare organizations face unique challenges when dealing with a vendor outage, especially one lasting 30 days. To navigate this, strong risk management and contingency planning are essential.

Here’s what should be prioritized:

  • Incident Response Plan: Ensure you have a clear, actionable plan in place to address disruptions quickly and effectively.
  • Vendor Performance Monitoring: Keep a close eye on vendor reliability to identify potential issues before they escalate.
  • Regular Risk Assessments: Assess risks frequently to stay prepared for unexpected scenarios.

Using tools like Censinet RiskOps™ can simplify oversight and improve your ability to respond swiftly. Additionally, having backup systems and alternative vendors lined up can help maintain critical healthcare operations and reduce the impact of disruptions. These steps are vital for ensuring continuity in patient care and operational stability.
