Breach Teardown
What Caused the Change Healthcare Breach?
The largest healthcare data breach ever reported to US regulators started with one set of stolen credentials used against a remote access portal that had no multi-factor authentication. That single gap became a nationwide outage of pharmacy and claims processing and, per HHS, a breach affecting roughly 192.7 million people.
- Scale
- 192.7M individuals (per HHS OCR)
- Attack vector
- Stolen credentials on an MFA-less remote access portal
- IAM domains implicated
- Auth/SSO, Security, PAM
- Domino controls hit
- 3 of 4
The Incident
What Happened
In February 2024, the ALPHV/BlackCat ransomware operation compromised Change Healthcare, the UnitedHealth Group subsidiary that processes a large share of US medical claims. In written testimony to the US Senate, UnitedHealth Group’s CEO stated that the attackers used compromised credentials to access a Citrix remote access portal that did not have multi-factor authentication enabled.
The attackers moved laterally inside the environment for roughly nine days before deploying ransomware on February 21, 2024. The encryption event forced Change Healthcare to disconnect systems that pharmacies, hospitals, and clinics across the country depend on for claims, eligibility checks, and payment processing. The outage stretched for weeks, and UnitedHealth confirmed paying a ransom.
The US Department of Health and Human Services’ Office for Civil Rights opened an investigation and maintains a public FAQ on the incident. Its breach count was revised upward repeatedly as notifications progressed, reaching approximately 192.7 million individuals, the largest breach of protected health information ever reported to the agency.
Attack Chain
How the Attack Compounded
Each step below marks the AXIS control that failed at that point in the chain, where one applies. Steps without a control marker were outside the victim's direct span of control.
Attackers obtain working credentials for a Citrix remote access portal.
The portal has no MFA, so the stolen password alone grants remote access to the environment.
AUTH-01
Attackers move laterally and escalate privileges for roughly nine days without being detected or evicted.
SEC-01
Elevated access lets the intruders reach and stage core claims-processing systems.
PAM-01
Ransomware detonates. Restoring identity and core infrastructure takes weeks, with no fast recovery path.
SEC-02
Control Mapping
The IAM Controls That Failed
Every failure point below corresponds to a control in the AXIS question bank, the same 4 controls a maturity assessment would have scored before this incident.
| Control | Domain | Capability | How it failed here |
|---|---|---|---|
| AUTH-01 Domino | Auth/SSO | Adaptive MFA | The remote access portal accepted a password alone. MFA coverage is measured across every external entry point, not just the primary SSO flow, and this portal was the gap that mattered. |
| SEC-01 Domino | Security | Identity Threat Detection & Response (ITDR) | Nine days of post-compromise lateral movement went undetected. Between initial access and encryption there was no effective identity threat detection and response loop. |
| PAM-01 Domino | PAM | Admin Credential Protection | One remote foothold became environment-wide impact, which implies administrative credentials were reachable and reusable once inside rather than vaulted, isolated, and monitored. |
| SEC-02 | Security | Identity Resilience & Disaster Recovery | Recovery took weeks and forced a nationwide outage. Tested restore paths for the systems that authenticate everything else were not in place at the required scale. |
The Maturity Lesson
What Would Have Changed the Outcome
The Domino Effect
Adaptive MFA (AUTH-01) is a domino control in the AXIS model: score level 0 on any internet-facing entry point and the overall program score caps at 1.0, whatever the other domains look like. Change Healthcare is the clearest public illustration of why. Investment elsewhere stopped mattering the moment a single portal accepted a bare password.
The Maturity Level That Mattered
At AXIS maturity level 2 on AUTH-01, MFA is consistently enforced on all remote access paths, which stops the initial login outright. At level 2 on SEC-01, identity-centric detection has nine days of lateral movement to catch before encryption.
The deeper lesson is about coverage rather than capability. The organization owned MFA technology; maturity is measured at the weakest externally reachable path. An assessment that samples only the primary login flow misses the portal that ends up in the incident report.
Related Compliance Frameworks
The controls implicated in this breach carry citations in these frameworks within the AXIS bank:
About This Analysis
This teardown is based exclusively on public disclosures, regulatory findings, and reporting cited above; it makes no claim of insider knowledge about the internal environment at Change Healthcare. Control mappings express how the publicly documented failure points correspond to capabilities in the AXIS methodology, for educational purposes. AXIS is not affiliated with Change Healthcare.
More From the Breach Radar
Would Your Program Have Caught This?
The 4 controls that failed here are questions in the AXIS assessment. Score your organization against them, and the rest of the bank, in about 20 minutes. No signup required to start.