What the Change Healthcare Attack Taught Every Healthcare Organization That Was Paying Attention
In February 2024, attackers associated with the ALPHV/BlackCat ransomware group gained access to Change Healthcare’s systems through a single Citrix remote access portal that had no multi-factor authentication enabled. Nine days later, they deployed ransomware. The resulting breach affected approximately 190 million Americans, making it the largest healthcare data breach in U.S. history and the most consequential cyberattack ever launched against the American healthcare system.
The American Hospital Association called it exactly that. Congressional leaders said the breach was “tantamount to targeting the health care system in its entirety.” The disruption to billing and claims processing cost providers an estimated $100 million per day in revenue losses. Some smaller practices came close to insolvency.
More than two years later, the lessons from Change Healthcare have not been fully absorbed. If they had been, the numbers would look different. In 2025, 605 healthcare breaches were reported to the Department of Health and Human Services, affecting more than 44 million Americans. The patterns of failure are not changing. The names on the breach reports are.
The Entry Point Was Preventable
The single most important fact about the Change Healthcare attack is the one that UnitedHealth Group CEO Andrew Witty confirmed under Senate testimony: the attackers got in because one portal lacked multi-factor authentication.
Not because of a sophisticated zero-day exploit. Not because of a nation-state-level operation beyond anyone’s ability to stop. Because of a missing security control that is available, affordable, and has been a recognized best practice for years.
This is exactly the kind of gap DAS Health closes before attackers find it. Deploying MFA on every system that touches patient data, internal systems as well as remote access portals, is a foundational element of the DAS cybersecurity program. We do not treat it as optional or phase it in over time. We treat it as the minimum viable baseline it has always been.
The updated HIPAA Security Rule, expected to be finalized in May 2026, will make this mandatory. For the organizations we work with, it already is.
The Data Was Unencrypted
According to analysis by the American Hospital Association, 100% of the hacked data in the Change Healthcare breach and other reported attacks was not encrypted: either stolen credentials granted access to encrypted systems, so encryption at rest offered no protection once the attackers could log in as a legitimate user, or the data was stored in an unencrypted format outside the EHR. The new HIPAA Security Rule will require encryption of ePHI both at rest and in transit, removing the flexibility that allowed unencrypted storage to persist in so many environments.
DAS Health manages encryption as part of a unified security posture, not as a standalone project. We know where our clients’ ePHI lives, how it moves across systems, and where it is stored outside the primary EHR. That visibility is what makes encryption implementation systematic rather than reactive.
The Breach Cascaded Through the Supply Chain
Change Healthcare does not deliver clinical care. It processes billing and insurance transactions for hundreds of thousands of hospitals, pharmacies, and medical practices nationwide. When it went down, the entire revenue cycle for a significant portion of the U.S. healthcare system went with it.
More than 80% of stolen protected health information in healthcare breaches over the past several years was stolen not from hospitals but from third-party vendors, software services, business associates, and non-hospital providers. The perimeter organizations think they are defending is not the perimeter attackers are targeting.
DAS Health maps vendor relationships and third-party risk as part of every client engagement. We review business associate agreements, assess vendor security postures, and build monitoring protocols that account for supply chain exposure. When a vendor incident triggers your compliance obligations, you need to know about it immediately, not weeks after the fact.
The Dwell Time Was Nine Days
Attackers had access to Change Healthcare’s systems for nine days before deploying ransomware. That is nine days during which continuous monitoring could have detected anomalous behavior and triggered a response. Most healthcare organizations do not have 24/7 monitoring in place.
DAS Health operates a Security Operations Center that provides continuous monitoring of client environments, surfacing indicators of compromise in near real time. For practices that cannot build that capability internally, our managed SOC delivers the same protection without the overhead of a dedicated internal team. Nine days of undetected lateral movement becomes a same-day alert.
What Has to Change
The Change Healthcare attack was not a black swan event. It was a predictable outcome of known vulnerabilities. MFA was missing. Data was unencrypted. Monitoring was insufficient. Vendor dependencies were not mapped to risk. Each of those failures is addressable. DAS Health addresses all of them, as an integrated program built specifically for healthcare, not a set of generic IT controls retrofitted to a clinical environment.
The attack that brought down the U.S. healthcare system got in through a missing MFA control. If you do not know where your gaps are, you are making the same bet Change Healthcare made. Talk to a DAS Health cybersecurity expert today and find out exactly where your organization stands before an attacker does.
Frequently Asked Questions
How did the Change Healthcare attack happen?
Attackers gained access through a Citrix remote access portal that lacked multi-factor authentication. They moved laterally for nine days before deploying ransomware, exfiltrating approximately six terabytes of data.
How many people were affected by the Change Healthcare breach?
Approximately 190 million Americans had their personal and health information exposed, making it the largest healthcare data breach in U.S. history.
What security controls would have prevented the Change Healthcare attack?
Multi-factor authentication on the compromised portal would have blocked the initial access. Continuous monitoring could have detected the nine-day lateral movement period before ransomware was deployed. Encryption of ePHI would have significantly reduced the impact of the data theft.