Attackers used compromised credentials to access a Citrix remote access portal that lacked multi-factor authentication. Change Healthcare processes approximately 15 billion healthcare transactions annually — roughly one-third of all US healthcare claims.
Estimated $1.6+ billion in costs to UnitedHealth Group. $22 million ransom paid. Weeks of nationwide healthcare payment disruptions. 100+ million patient records potentially affected. Congressional hearings on healthcare IT concentration risk.
The Incident
In February 2024, the ALPHV/BlackCat ransomware group breached Change Healthcare — a subsidiary of UnitedHealth Group that processes approximately 15 billion healthcare transactions annually, representing roughly one-third of all healthcare claims in the United States.
The impact was immediate and nationwide. Pharmacies couldn't process prescription claims. Hospitals couldn't verify patient insurance. Physicians couldn't submit claims for reimbursement. Small medical practices — dependent on timely claim payments — faced cash flow crises within days. The disruption lasted weeks.
The Root Cause
The attackers gained initial access through a Citrix remote access portal that did not have multi-factor authentication enabled. A single set of compromised credentials — obtainable through phishing, credential stuffing, or purchase on dark web markets — provided access to systems that process one-third of American healthcare payments.
UnitedHealth Group CEO Andrew Witty confirmed in Congressional testimony that the Citrix portal lacked MFA. When asked why, the answer was that Change Healthcare's systems were in the process of being integrated following UnitedHealth's acquisition, and MFA had not yet been deployed to all legacy systems.
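The detection side of the root cause described above: a remote access gateway that accepts a password alone, and credentials obtained by phishing or credential stuffing. The script below is an added example written for this page, not code from UnitedHealth, Change Healthcare or Citrix. It assumes a constructed, whitespace-separated gateway authentication log (timestamp, source IP, user, portal name, result, MFA factor) and hypothetical portal names `citrix-gw` and `vpn-gw`; real gateway logs will need their own parser. It flags two things a defender would want surfaced: successful logins on an internet-facing portal that presented no second factor, and bursts of failures across many usernames from one source followed by a success, which is the shape a credential-stuffing hit leaves in the log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real data from the incident). Field order:
# timestamp  source_ip  user  portal  result  mfa=<factor|none>
SAMPLE_LOG = """\
2024-02-19T03:11:02Z 203.0.113.7 jsmith citrix-gw SUCCESS mfa=totp
2024-02-19T03:12:40Z 203.0.113.7 jsmith vpn-gw SUCCESS mfa=totp
2024-02-19T03:14:01Z 198.51.100.9 bwong citrix-gw FAILURE mfa=none
2024-02-19T03:14:03Z 198.51.100.9 cdiaz citrix-gw FAILURE mfa=none
2024-02-19T03:14:05Z 198.51.100.9 dlee citrix-gw FAILURE mfa=none
2024-02-19T03:14:06Z 198.51.100.9 efox citrix-gw FAILURE mfa=none
2024-02-19T03:14:08Z 198.51.100.9 gray citrix-gw FAILURE mfa=none
2024-02-19T03:14:11Z 198.51.100.9 hkim citrix-gw SUCCESS mfa=none
2024-02-19T08:02:55Z 192.0.2.20 hkim citrix-gw SUCCESS mfa=push
"""


def parse_line(line):
    """Parse one constructed log line into a record dict."""
    ts, ip, user, portal, result, mfa = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "user": user,
        "portal": portal,
        "success": result == "SUCCESS",
        "mfa": mfa.split("=", 1)[1],  # factor name, or "none"
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def logins_without_mfa(records, portals):
    """Successful logins on an internet-facing portal with no second factor.
    Each of these is a login a single stolen password was enough for."""
    return [
        r for r in records
        if r["success"] and r["portal"] in portals and r["mfa"] == "none"
    ]


def stuffing_bursts(records, window=timedelta(minutes=5), min_failures=5):
    """Source IPs with at least `min_failures` failed logins spread over two or
    more distinct usernames inside `window`, followed by a success from the same
    source: many accounts tried, one accepted."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, hit in enumerate(recs):
            if not hit["success"]:
                continue
            earlier = [
                r for r in recs[:i]
                if not r["success"] and hit["ts"] - r["ts"] <= window
            ]
            if len(earlier) >= min_failures and len({r["user"] for r in earlier}) >= 2:
                findings.append({
                    "ip": ip, "user": hit["user"],
                    "ts": hit["ts"], "failures": len(earlier),
                })
    return findings


def triage(text, portals=("citrix-gw", "vpn-gw")):
    """Run both checks over a log and return compact, comparable results."""
    records = parse_log(text)
    return {
        "no_mfa": [(r["user"], r["ip"]) for r in logins_without_mfa(records, portals)],
        "stuffing": [(f["ip"], f["user"], f["failures"]) for f in stuffing_bursts(records)],
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(check, hits)
```

On the sample data the two checks converge on the same event: the `hkim` login from `198.51.100.9` both lacked a second factor and came at the end of a burst of failures across five usernames. The first check is the one that matters most for the failure described on this page, since it turns "MFA not yet deployed to all legacy systems" into a concrete, countable list of password-only logins on each portal rather than a rollout status nobody is measuring.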
Why It Matters
One-third of US healthcare claims flow through a single company. That company's critical remote access system had no MFA. A single credential compromised the healthcare payment system for an entire country. The concentration of healthcare IT infrastructure in a small number of companies means that the failure of any one of them is not an organizational incident — it is a national healthcare disruption.