2024 · breach · Corporation

Change Healthcare — One-Third of US Healthcare, One Missing MFA

ALPHV/BlackCat ransomware attack disrupted healthcare payments across the entire United States for weeks. Pharmacies couldn't process prescriptions. Hospitals couldn't verify insurance. One company processes one-third of all US healthcare claims.

Root Cause

Attackers used compromised credentials to access a Citrix remote access portal that lacked multi-factor authentication. Change Healthcare processes approximately 15 billion healthcare transactions annually — roughly one-third of all US healthcare claims.

Aftermath

Estimated $1.6+ billion in costs to UnitedHealth Group. $22 million ransom paid. Weeks of nationwide healthcare payment disruptions. 100+ million patient records potentially affected. Congressional hearings on healthcare IT concentration risk.

The Incident

In February 2024, the ALPHV/BlackCat ransomware group breached Change Healthcare — a subsidiary of UnitedHealth Group that processes approximately 15 billion healthcare transactions annually, representing roughly one-third of all healthcare claims in the United States.

The impact was immediate and nationwide. Pharmacies couldn't process prescription claims. Hospitals couldn't verify patient insurance. Physicians couldn't submit claims for reimbursement. Small medical practices — dependent on timely claim payments — faced cash flow crises within days. The disruption lasted weeks.

The Root Cause

The attackers gained initial access through a Citrix remote access portal that did not have multi-factor authentication enabled. A single set of compromised credentials — obtainable through phishing, credential stuffing, or purchase on dark web markets — provided access to systems that process one-third of American healthcare payments.

UnitedHealth Group CEO Andrew Witty confirmed in Congressional testimony that the Citrix portal lacked MFA. When asked why, the answer was that Change Healthcare's systems were in the process of being integrated following UnitedHealth's acquisition, and MFA had not yet been deployed to all legacy systems.
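
One way to find portals left in this state from authentication logs rather than from a rollout plan, as an added example that is not part of the original write-up: it computes, per portal, how many successful logins used only one factor. The key=value log format, portal names and users are constructed for illustration and assume the gateway records which factors each login used.

```python
from collections import defaultdict

# Constructed sample events in a hypothetical key=value format (not a real
# Citrix or vendor log schema); one line per authentication attempt.
SAMPLE_EVENTS = """\
ts=2024-02-01T08:02:11Z portal=vpn-core user=akim result=success factors=password,totp
ts=2024-02-01T08:05:40Z portal=vpn-core user=bli result=failure factors=password
ts=2024-02-01T08:09:02Z portal=legacy-remote user=svc_claims result=success factors=password
ts=2024-02-01T08:15:27Z portal=legacy-remote user=jdoe result=success factors=password
ts=2024-02-01T09:01:00Z portal=partner-gw user=mroe result=success factors=password,push
ts=2024-02-01T09:03:12Z portal=partner-gw user=tlee result=success factors=password
"""

def parse_event(line):
    """Split one key=value line into a dict; 'factors' becomes a set."""
    event = dict(field.split("=", 1) for field in line.split())
    event["factors"] = set(event.get("factors", "").split(",")) - {""}
    return event

def mfa_coverage(log_text):
    """Per portal: successful logins, single-factor successes, and the users involved."""
    stats = defaultdict(lambda: {"success": 0, "single_factor": 0, "users": set()})
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_event(line)
        if ev.get("result") != "success":
            continue  # failed attempts say nothing about whether MFA is enforced
        s = stats[ev["portal"]]
        s["success"] += 1
        if len(ev["factors"]) < 2:
            s["single_factor"] += 1
            s["users"].add(ev["user"])
    return dict(stats)

def classify(stats):
    """enforced: no single-factor success; absent: every success single-factor; else partial."""
    verdicts = {}
    for portal, s in stats.items():
        if s["single_factor"] == 0:
            verdicts[portal] = "enforced"
        elif s["single_factor"] == s["success"]:
            verdicts[portal] = "absent"
        else:
            verdicts[portal] = "partial"
    return verdicts

if __name__ == "__main__":
    stats = mfa_coverage(SAMPLE_EVENTS)
    for portal, verdict in sorted(classify(stats).items()):
        print(portal, verdict, f"{stats[portal]['single_factor']}/{stats[portal]['success']}")
```

A "partial" verdict is worth as much attention as "absent": it means an exemption or bypass path exists on a portal that is nominally covered.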

Why It Matters

One-third of US healthcare claims flow through a single company. That company's critical remote access system had no MFA. A single credential compromised the healthcare payment system for an entire country. The concentration of healthcare IT infrastructure in a small number of companies means that the failure of any one of them is not an organizational incident — it is a national healthcare disruption.

Techniques
compromised credentials · no mfa · single point of failure