Breach Teardown

Healthcare
2024

What Caused the Change Healthcare Breach?

The largest healthcare data breach ever reported to US regulators started with one set of stolen credentials used against a remote access portal that had no multi-factor authentication. That single gap became a nationwide outage of pharmacy and claims processing and, per HHS, a breach affecting roughly 192.7 million people.

Scale
192.7M individuals (per HHS OCR)
Attack vector
Stolen credentials on an MFA-less remote access portal
IAM domains implicated
Auth/SSO, Security, PAM
Domino controls hit
3 of 4

The Incident

What Happened

In February 2024, the ALPHV/BlackCat ransomware operation compromised Change Healthcare, the UnitedHealth Group subsidiary that processes a large share of US medical claims. In written testimony to the US Senate, UnitedHealth Group’s CEO stated that the attackers used compromised credentials to access a Citrix remote access portal that did not have multi-factor authentication enabled.

The attackers moved laterally inside the environment for roughly nine days before deploying ransomware on February 21, 2024. The encryption event forced Change Healthcare to disconnect systems that pharmacies, hospitals, and clinics across the country depend on for claims, eligibility checks, and payment processing. The outage stretched for weeks, and UnitedHealth confirmed paying a ransom.

The US Department of Health and Human Services’ Office for Civil Rights opened an investigation and maintains a public FAQ on the incident. Its breach count was revised upward repeatedly as notifications progressed, reaching approximately 192.7 million individuals, the largest breach of protected health information ever reported to the agency.

Attack Chain

How the Attack Compounded

Each step below marks the AXIS control that failed at that point in the chain, where one applies. Steps without a control marker were outside the victim's direct span of control.

  1. Attackers obtain working credentials for a Citrix remote access portal.

  2. The portal has no MFA, so the stolen password alone grants remote access to the environment.

    AUTH-01

  3. Attackers move laterally and escalate privileges for roughly nine days without being detected or evicted.

    SEC-01

  4. Elevated access lets the intruders reach and stage core claims-processing systems.

    PAM-01

  5. Ransomware detonates. Restoring identity and core infrastructure takes weeks, with no fast recovery path.

    SEC-02

Control Mapping

The IAM Controls That Failed

Every failure point below corresponds to a control in the AXIS question bank, the same 4 controls a maturity assessment would have scored before this incident.

AXIS controls that failed in the Change Healthcare breach, with domain, capability, and how each failed
ControlDomainCapabilityHow it failed here
AUTH-01
Domino
Auth/SSOAdaptive MFAThe remote access portal accepted a password alone. MFA coverage is measured across every external entry point, not just the primary SSO flow, and this portal was the gap that mattered.
SEC-01
Domino
SecurityIdentity Threat Detection & Response (ITDR)Nine days of post-compromise lateral movement went undetected. Between initial access and encryption there was no effective identity threat detection and response loop.
PAM-01
Domino
PAMAdmin Credential ProtectionOne remote foothold became environment-wide impact, which implies administrative credentials were reachable and reusable once inside rather than vaulted, isolated, and monitored.
SEC-02SecurityIdentity Resilience & Disaster RecoveryRecovery took weeks and forced a nationwide outage. Tested restore paths for the systems that authenticate everything else were not in place at the required scale.

The Maturity Lesson

What Would Have Changed the Outcome

The Domino Effect

Adaptive MFA (AUTH-01) is a domino control in the AXIS model: score level 0 on any internet-facing entry point and the overall program score caps at 1.0, whatever the other domains look like. Change Healthcare is the clearest public illustration of why. Investment elsewhere stopped mattering the moment a single portal accepted a bare password.

The Maturity Level That Mattered

At AXIS maturity level 2 on AUTH-01, MFA is consistently enforced on all remote access paths, which stops the initial login outright. At level 2 on SEC-01, identity-centric detection has nine days of lateral movement to catch before encryption.

The deeper lesson is about coverage rather than capability. The organization owned MFA technology; maturity is measured at the weakest externally reachable path. An assessment that samples only the primary login flow misses the portal that ends up in the incident report.

Related Compliance Frameworks

The controls implicated in this breach carry citations in these frameworks within the AXIS bank:

Sources

About This Analysis

This teardown is based exclusively on public disclosures, regulatory findings, and reporting cited above; it makes no claim of insider knowledge about the internal environment at Change Healthcare. Control mappings express how the publicly documented failure points correspond to capabilities in the AXIS methodology, for educational purposes. AXIS is not affiliated with Change Healthcare.

Would Your Program Have Caught This?

The 4 controls that failed here are questions in the AXIS assessment. Score your organization against them, and the rest of the bank, in about 20 minutes. No signup required to start.