When Credentials Fail: How Authentication Failure Led to the Change Healthcare Ransomware Attack

Written by Mitchell Langley

May 2, 2024

How Authentication Failure Led to the Change Healthcare Ransomware Attack

As ransomware attacks continue to grow in frequency and sophistication, the cybersecurity of enterprise networks is constantly being challenged. While multilayered defenses are indispensable, recent incidents continue to demonstrate that authentication can represent the weakest link, with devastating consequences when exploited.

Perhaps no case better illustrates this danger than the Change Healthcare ransomware attack in early 2024. As a critical third-party vendor serving hospitals, clinics and pharmacies nationwide, Change Healthcare processes highly sensitive healthcare claims and pharmacy transactions daily. When authentication failures allowed unauthorized access, the entire US healthcare sector was put at risk.

Over the ensuing weeks, the full impact of this breach became clear. Hospitals struggled to process payments and prior authorizations. Pharmacies faced backlogs in filling crucial prescriptions. And critically ill patients encountered delays in receiving necessary care – all due to encrypted systems and paralyzed operations at one of healthcare’s largest partners.

Change Healthcare Ransomware Attack: What happened?

On or around February 12, Change Healthcare, a subsidiary of UnitedHealth Group’s Optum division, fell victim to a ransomware attack.

The attack was attributed to the BlackCat/ALPHV ransomware group, causing disruption to hospitals, clinics, and pharmacies across the United States.

The attack impacted various aspects of Change Healthcare’s operations, including cash flow, pharmacy services, prior authorization of prescriptions, and claims processing.

In its latest update, the UnitedHealth Group admitted that files stolen contained protected health information or personally identifiable information.

The company also admitted to paying ransom to get the files back. This was supported by the fact that wallet associated with the BlackCat/ALPHV ransomware group saw a $22 million payment in Bitcoin.

Authentication Failure was the Root Cause of the Ransomware Attack

Investigations into the Change Healthcare ransomware attack revealed that an authentication failure played a crucial role in the breach.

Attackers compromised credentials on an application that allowed staff to remotely access systems. Shockingly, the application lacked multi-factor authentication controls, which are considered best practice in the industry.

This absence left the vulnerable application exposed and allowed the attackers to gain unauthorized access to Change Healthcare’s networks.

“It’s highly likely that the absence of multi-factor authentication allowed attackers to circumvent the security measures of UnitedHealth Group’s [Change] Healthcare unit,”

 “Initial reports suggest that the attackers remained undetected in the environment for over a week and conducted lateral movement.”

 “It’s probable that the attackers left some traces, or ‘breadcrumbs’, which went unnoticed by the UnitedHealth IT security team, thereby extending the breach exposure time.”

Azeem Aleem, MD for UK and EMEA at incident response and ransomware negotiation consultancy Sygnia said in a statement

Multi-Factor Authentication (MFA) Could Have Prevented it

Multi-factor authentication (MFA) is a security measure that adds an extra layer of protection to systems and applications.

It requires users to provide multiple forms of identification, such as finger print, unique ID, or a password and a unique code sent to their mobile device.

MFA significantly reduces the risk of unauthorized access, as it becomes much more challenging for attackers to bypass these additional security measures.

However, the absence of MFA in the remote access application used by Change Healthcare allowed the attackers to compromise credentials and remain undetected within the system for nine days.

This was an extended exposure time and highlights the importance of implementing robust security measures, including MFA, to prevent breaches and mitigate ransomware attacks.

Political and Regulatory Implications of Change Healthcare Ransomware Attack

The Change Healthcare ransomware attack has prompted investigations by the US Department of Health and Human Services (HHS) to determine if any healthcare sector privacy regulations were violated.

This incident has also sparked discussions about the need for baseline security standards in the healthcare sector against ransomware threats.  

Politicians and industry experts have expressed concerns about the increasing vulnerability of the healthcare sector due to consolidation and inadequate security measures.

The authentication failures that allowed hackers to breach Change Healthcare’s systems highlighted the dangers of deficient security practices.

As Matt Aldridge, principal solutions consultant at Opentext Cybersecurity, commented, “Acquisitions can be done well and can provide a checkpoint for security process validation if done correctly, however, if they are done on too tight a budget or too tight a timescale, problems can be encountered.”

UnitedHealth Group CEO Andrew Witty is set to testify before Congress on May 1st about the broader implications of the Change Healthcare data breach.

The Impact of Ransomware Attacks on Healthcare Sector

The wide-reaching impact of the Change Healthcare ransomware attack demonstrated how disruptive such breaches can be, especially in critical industries like healthcare.

In fact, according to Kroll’s Data Breach Outlook, healthcare has been the most breached industry sector in both 2022 and 2023.

George Glass, associate managing director at Kroll Cyber Risk, noted that over a quarter of healthcare organizations surveyed only employ basic security capabilities.

 “Unless the organisation is using a sizable team of security professionals, this can leave significant gaps in a healthcare organisation’s capability to detect and respond to threat actor intrusions,” Glass said.

Certain factors unique to the healthcare sector may also increase its vulnerability. For instance, Legacy equipment is harder to securely update and patch.

As Glass pointed out, “The use of operational technologies in healthcare environments can mean out-of-date operating systems and protocols to support them. This can enable threat actors to make lateral movements more easily.”

The Human Element in Ransomware Attacks

According to Verizon’s annual Data Breach Incident Report (DBIR), 74% of all breaches involve a human element, with credential theft playing a significant role.

Whether it’s falling for a phishing email, reusing compromised passwords, or failing to apply important updates, human fallibility creates opportunities for attackers.

In the case of the Change Healthcare ransomware attack, the attackers exploited the absence of MFA to compromise credentials and gain unauthorized access.

Once inside the network, attackers then counted on social engineering and manipulation to remain undetected as they moved laterally and deployed ransomware.

As Kroll pointed out, speed of response is also crucial – and this depends largely on human operators. When staff are tied up or unaware of an unfolding attack, the damage can multiply rapidly. Healthcare environments with lean security teams may be particularly vulnerable to ransomware threat actors who move quickly from system to system.

On the social engineering front, phishing schemes targeting healthcare, and ransomware posing as important medical alerts, also demonstrate how threat actors adapt to human assumptions and fears surrounding health data.

As connected devices and digital health records only expand the threat surface, continued education is pivotal. Organizations must account for routine human errors and socially-manipulable behaviors in their security plans.

Without addressing this root cause, no number of technical defenses may ever be enough to stem the tide of ransomware and other cyber incidents with a compromising human starting point.

Evolving Ransomware Threats Demand Vigilance

As recent ransomware attacks have shown, the risks to organizations continue to evolve rapidly.

Adversaries like Conti and BlackCat behind the Change Healthcare attack have expanded their capabilities, utilizing double extortion techniques to both encrypt and exfiltrate data for additional leverage. Without robust defenses and response plans in place, even the most security-conscious of organizations face potential fallibility when targeted.

It is also clear attackers are opportunistically turning their sights on critical infrastructure wherever vulnerabilities can be found. Healthcare systems represent high-value targets, processing indispensable data and responsible for essential public services. Defending these environments demands layered security tailored to each sector’s unique needs and risk posture.

As recent ransomware attacks show, complacency is not an option. Organizations must remain agile in response to changes in the threat landscape and tactics of motivated criminal groups.

Lessons from incidents like Change Healthcare, can help enhance resilience if translated into dynamic security hygiene and user awareness over the long term. Continuous improvement must be the watchword to avoid becoming the next victim of this evolving threat.


The Change Healthcare ransomware attack serves as a stark reminder of the ever-present threat of ransomware threats in today’s digital landscape.

For enterprises across industries, the lessons from this incident are clear. As the human element and phishing threats grow more sophisticated, strong, multifactor authentication must be non-negotiable for any access to sensitive networks or systems.

Yet even with robust credentials, defenses will remain vulnerable if proper authentication monitoring and analytics are lacking.

Ransomware attacks will continue to pose a significant threat to organizations, as demonstrated by the Change Healthcare ransomware attack.

By implementing robust security measures, including multi-factor authentication and a multi-layered approach to ransomware protection, organizations can enhance their defenses and mitigate the risk of falling victim to such ransomware attacks.

Frequently Asked Question (FAQs)

What is a ransomware attack?

A ransomware attack is a type of cyberattack where malicious actors infiltrate a system, encrypt data, and demand a ransom in exchange for its release. Ransomware attacks can cause significant disruption to organizations and result in financial losses.

What is multi-factor authentication (MFA)?

Multi-factor authentication is a security measure that requires users to provide multiple forms of identification to access a system or application. It adds an extra layer of protection by combining something the user knows (e.g., a password) with something they have (e.g., a unique code sent to their mobile device).

How does an authentication failure contribute to a ransomware attack?

An authentication failure can contribute to ransomware attacks by providing attackers with unauthorized access to a system or network. In the case of the Change Healthcare ransomware attack, an authentication failure in a remote access application allowed the attackers to compromise credentials and remain undetected within the system for an extended period.

What are the limitations of multi-factor authentication (MFA)?

While multi-factor authentication (MFA) is an essential tool in preventing cyberattacks, it is not foolproof. Threat actors continue to devise innovative ways to bypass MFA, including SIM-swapping, social engineering, and man-in-the-middle (MitM) attacks. Therefore, organizations must adopt a multi-layered approach to security that includes other defensive tools and strategies to enhance their defenses against ransomware attacks.

What are some best practices for ransomware protection?

  • Implement multi-factor authentication (MFA) for all systems and applications.
  • Regularly update and patch software to address any security vulnerabilities.
  • Educate employees about cybersecurity best practices, such as creating strong passwords and being cautious of phishing attempts.
  • Conduct regular security assessments to identify and address any weaknesses in the system.
  • Implement network segmentation to limit the spread of ransomware in case of an attack.
  • Develop and test an incident response plan to ensure a swift and effective response in the event of a ransomware attack.

What are some other defensive tools and strategies to enhance ransomware protection?

  • Use robust antivirus and anti-malware software to detect and prevent ransomware attacks.
  • Employ email filtering and spam detection to block malicious emails and attachments.
  • Backup critical data regularly and store backups offline or in a secure immutable and air gapped environment.
  • Implement intrusion detection and prevention systems to identify and block suspicious network activity.
  • Monitor network traffic and user behavior for any signs of unusual or malicious activity.

What are the political and regulatory implications of ransomware attacks in the healthcare sector?

Ransomware attacks in the healthcare sector have raised concerns about privacy regulations and security standards. Regulatory bodies, such as the US Department of Health and Human Services (HHS), may investigate these incidents to determine if any violations have occurred. The healthcare sector may face increased pressure to strengthen security measures and implement baseline security standards to protect sensitive patient data.

Related Articles

Stay Up to Date With The Latest News & Updates

Join Our Newsletter


Subscribe To Our Newsletter

Sign up to our weekly newsletter summarizing everything thats happened in data security, storage, and backup and disaster recovery

You have Successfully Subscribed!