
One Missing MFA: The Change Healthcare Breach and the Cost of a Single Control Gap

The largest healthcare data breach ever recorded — around 192.7 million people — traced back to one remote-access portal without multi-factor authentication. A study in how a single identity gap becomes a national crisis.

20 May 2026·4 min read·Aditi Shah

By the time the scale was confirmed in 2025, the Change Healthcare breach had become the largest healthcare data breach ever recorded — affecting around 192.7 million individuals, more than half the population of the United States. The disruption rippled through pharmacies, hospitals and clinics for weeks; providers could not process claims or get paid. And the root cause, as established in subsequent testimony and reporting, was almost insultingly simple: a remote-access portal without multi-factor authentication.

What happened

Change Healthcare, a unit of one of the largest healthcare conglomerates in the world, processes a huge share of US medical claims — it sits at a chokepoint of the entire system. The ALPHV/BlackCat ransomware operation gained initial access through a Citrix remote-access environment that, by the company's own account, was not protected by MFA. With that foothold, the attackers moved laterally, exfiltrated enormous volumes of sensitive health and personal data, and detonated ransomware that took critical services offline. A reported eight-figure ransom followed. One missing control on one portal; a national healthcare emergency on the other end.

The lesson is not "turn on MFA" — it is everything around it

It is tempting to reduce this to a slogan, but the deeper lessons are about why a single gap existed and why it was allowed to be so catastrophic:

  • Coverage, not adoption, is the metric. Change Healthcare almost certainly "had MFA" as a policy. What they had was a gap in coverage — one internet-facing access point the policy didn't reach. I have written before that exceptions are where assessments live or die. This is the multi-billion-dollar version of that sentence. The number that matters is not "do we have MFA" but "show me everything that authenticates without it, and your rationale for each."
  • Internet-facing remote access is the highest-priority surface there is. A Citrix or VPN portal is a door onto the open internet. Any such surface without phishing-resistant MFA is not a finding to schedule — it is a fire.
  • Blast radius turned a breach into a catastrophe. Initial access through one portal should not grant the run of an organisation that processes a third of a nation's medical claims. The damage was a function of what happened after entry: flat access, insufficient segmentation, and standing privilege that let attackers move from a remote-access foothold to the crown jewels.

For the board

This is the single best slide in any business case for identity investment. One unprotected login, 192.7 million people, weeks of national disruption, and a ransom on top. The cost of the missing control was rounding-error cheap. The cost of its absence was historic.

What I would walk out and check today

  • Enumerate every authentication surface, especially internet-facing ones. VPNs, Citrix/VDI gateways, legacy portals, SaaS admin consoles, anything an attacker can reach from outside. Confirm MFA on every one, and treat every exception as a tracked, owned, time-boxed risk.
  • Make remote-access MFA phishing-resistant. Given adversary-in-the-middle phishing and session theft, basic OTP is the floor, not the goal, for your front door.
  • Pressure-test blast radius. Assume one remote-access account is compromised tomorrow. How far does it reach? If the answer is "most of the environment," your identity problem is segmentation and standing privilege, not just the login.
  • Hunt for the forgotten doors. The dangerous gap is never the system everyone watches — it is the legacy portal nobody remembers owning. Decommissioning discipline and complete asset visibility are what surface these before an attacker does.
  • Govern third-party and acquired access. Large conglomerates inherit access surfaces through acquisitions and partners. The portal you didn't build is exactly the one that lacks your controls.
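The "coverage, not adoption" metric and the checklist above both come down to the same report: every authentication surface, whether it has MFA, how strong that MFA is, and whether each gap is an owned, time-boxed exception. The following is an added example (not code from the post or from any vendor tool) that produces that report over a constructed inventory; the surface names, MFA method labels and the review date are assumptions.

```python
# Added example: MFA coverage audit over a constructed inventory of authentication surfaces.
from dataclasses import dataclass
from datetime import date
from typing import Optional

PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}  # assumed labels for strong MFA
WEAK_MFA = {"sms", "totp", "push"}                       # OTP/push: the floor, not the goal
AS_OF = date(2026, 5, 20)                                # constructed review date

@dataclass
class Surface:
    name: str
    internet_facing: bool
    mfa: Optional[str]                        # None = authenticates without MFA
    owner: Optional[str] = None               # who owns the exception, if any
    exception_expires: Optional[date] = None  # exceptions must be time-boxed

# Constructed inventory (hypothetical names), mixing a forgotten portal, a VPN on OTP,
# an expired internal exception and two surfaces on phishing-resistant MFA.
INVENTORY = [
    Surface("citrix-remote-access", True, None),
    Surface("corp-vpn", True, "totp", "netops", date(2026, 6, 30)),
    Surface("legacy-claims-portal", True, "sms"),
    Surface("hr-saas-admin", True, "fido2"),
    Surface("internal-jumpbox", False, None, "platform", date(2026, 1, 31)),
    Surface("idp-admin-console", True, "passkey"),
]

def classify(s: Surface) -> str:
    """FIRE: exposed and no MFA. GAP: internal and no MFA. WEAK: exposed on OTP/push."""
    if s.mfa is None:
        return "FIRE" if s.internet_facing else "GAP"
    if s.internet_facing and s.mfa in WEAK_MFA:
        return "WEAK"
    return "OK"

def governed(s: Surface, today: date) -> bool:
    """An exception counts only if it is owned, has an expiry, and the expiry has not passed."""
    return s.owner is not None and s.exception_expires is not None and s.exception_expires >= today

def audit(inventory: list, today: date) -> dict:
    """Coverage ratios plus findings ordered by severity, each tagged governed/UNGOVERNED."""
    order = {"FIRE": 0, "WEAK": 1, "GAP": 2}
    findings = [(s.name, classify(s), "governed" if governed(s, today) else "UNGOVERNED")
                for s in inventory if classify(s) != "OK"]
    findings.sort(key=lambda f: (order[f[1]], f[0]))
    exposed = [s for s in inventory if s.internet_facing]
    return {
        "any_mfa_coverage": sum(s.mfa is not None for s in inventory) / len(inventory),
        "exposed_phishing_resistant": sum(s.mfa in PHISHING_RESISTANT for s in exposed) / len(exposed),
        "findings": findings,
    }
```

The interesting output is not the coverage ratio but the findings list: the exposed portal with no MFA and no owner sorts to the top, and an internal exception whose expiry has lapsed is reported as ungoverned even though someone once signed it off.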

The takeaway

Change Healthcare is the definitive modern argument that identity controls are not an IT hygiene item — they are systemic risk management. A single authentication gap, on a single portal, in a single subsidiary, cascaded into the largest healthcare breach in history because the controls around it — coverage discipline, phishing-resistant MFA, segmentation, least privilege — were not there to contain it. The work that prevents the next one is unglamorous and entirely within reach: know every door, put strong identity on all of them, and make sure that getting through one never means getting through all of them.

Aditi Shah, Cybersecurity & IAM Specialist, Melbourne; 12+ years across regulated finance, government & telecom.