Incident
Change Healthcare: 192M Individuals Exposed, No MFA
ALPHV/BlackCat used stolen credentials on a Citrix portal without MFA. Result: the largest healthcare breach in US history.
Key Finding
UnitedHealth Group paid a $22M ransom. The attacker affiliate then re-extorted through a second ransomware group.
In February 2024, the ALPHV/BlackCat ransomware group used stolen credentials to access a Citrix remote access portal at Change Healthcare, a subsidiary of UnitedHealth Group that processes approximately one-third of all US healthcare claims. The portal did not have MFA enabled.
The result was the largest healthcare data breach in US history, compromising the protected health information of approximately 192.7 million individuals, more than half the US population. UnitedHealth Group paid a $22 million ransom, only for the attacker affiliate to re-extort the company through a second ransomware group after ALPHV's infrastructure was seized by law enforcement.
The operational impact was catastrophic. Healthcare providers across the country could not process claims, verify insurance eligibility, or receive payments for weeks. Pharmacies could not fill prescriptions. The downstream financial impact is estimated in the billions.
One missing MFA configuration. One Citrix portal. 192.7 million individuals.
This is the incident we reference when organizations question the ROI of identity architecture investment. The absence of a single identity control on a single access point cascaded into a national-scale healthcare crisis. Identity architecture is not about perfection. It is about ensuring that the failure of any single control does not produce catastrophic outcomes.
Need help with your identity architecture?
Every incident on this page was preventable with the right architecture. Let's talk about yours.