CISO ADVISORS · SECURITY BRIEFING
UHG / Optum / Change Healthcare Breach: Lessons Learned — 2024
The largest healthcare data breach in US history and what every organization must do now
Ed Moore, CISSP · CISM · C-CISO · CEH | CISO Advisors | cisoadvisors.com
CISO Advisors · cisoadvisors.com · Confidential
BREACH OVERVIEW
What Happened — The Facts
February 2024: A single compromised credential brought down US healthcare payment infrastructure
$22B+ revenue impact: Change Healthcare processes 15B+ transactions/yr
1 in 3 Americans affected: ~190M patient records compromised
9 months full recovery time: providers still experiencing disruptions
1. Credential theft: Attackers obtained valid Citrix remote access credentials — no MFA was required on this Citrix portal
2. Lateral movement: Used valid credentials to move through the Change Healthcare network for weeks before deploying ransomware
3. ALPHV/BlackCat ransomware: Ransomware deployed across systems — Change Healthcare paid ~$22M ransom to ALPHV
4. Affiliate double extortion: ALPHV exit-scammed its affiliates; RansomHub also claimed the data and demanded additional payment
ROOT CAUSE ANALYSIS
Why It Happened — The Security Failures
Every single failure was preventable with standard security controls
No MFA on Citrix Remote Access Portal
A single set of stolen credentials was all that was needed. No MFA = no second check.
✓ Enable MFA on ALL remote access systems — no exceptions, ever
Flat Network Architecture
Attackers moved laterally with minimal friction. No meaningful network segmentation between Change Healthcare and UHG/Optum systems.
✓ Implement micro-segmentation; zero-trust network architecture
No EDR on Critical Systems
ALPHV operated in the environment for an extended period before detection. Endpoint detection was absent or ineffective on key servers.
✓ Deploy EDR (CrowdStrike, SentinelOne) on 100% of endpoints including servers
Privileged Access Not Properly Controlled
Credentials with extensive access privileges were available and used by attackers to traverse the environment.
✓ Privileged Access Management (PAM); just-in-time access; least privilege enforcement
Insufficient Third-Party Risk Oversight
UHG acquired Change Healthcare in 2022. Security posture assessment and integration were incomplete at the time of the breach.
✓ Mandatory security assessment within 90 days of any acquisition
Backup and Recovery Inadequate
Recovery took months — backup systems and restoration procedures were insufficient for an attack of this scale.
✓ Quarterly backup restore testing; air-gapped backups for critical systems
HEALTHCARE IMPACT
The Downstream Damage to Healthcare Organizations
Even organizations NOT directly breached were severely impacted — this is the new supply chain reality
Hospitals & Health Systems (impact: $100M–$1B+): Unable to process insurance claims — cash flow halted for weeks. Some rural hospitals near insolvency.
Physicians & Medical Practices (impact: $10K–$100K+/day): Manual claim submission required; billing backlogs; emergency HHS loans needed for small practices.
Pharmacies (impact: operational disruption): Unable to verify prescription coverage; patients paying out of pocket; delayed medications for chronic conditions.
Health Insurers / Payers (impact: operational + reputational): Claims processing backlogs; member service disruptions; provider disputes over delayed payments.
Lesson: Your third-party healthcare vendor IS your security perimeter. Their breach IS your breach.
REQUIRED ACTIONS
What Every Organization Must Do Now
These are not optional — they are the direct lessons from the Change Healthcare breach
P1 (this week): Enable MFA on ALL remote access — Citrix, VPN, RDP, SSH, cloud consoles
P1 (this week): Audit and terminate unused remote access accounts and stale VPN credentials
P1 (30 days): Identify all critical third-party healthcare technology vendors — assess their security posture
P2 (60 days): Implement network segmentation — isolate critical payment/claims processing systems
P2 (60 days): Deploy EDR on all servers and endpoints — not just workstations
P2 (60 days): Test backup restoration — can you recover critical systems in < 72 hours?
P3 (90 days): Review and update Business Associate Agreements (BAAs) with all HIPAA vendors
P3 (90 days): Run tabletop exercise: 'Our clearinghouse/payment vendor is offline for 2 weeks'
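One way to operationalize the two P1 items on remote access (MFA everywhere, stale accounts terminated), as an added example that is not part of the briefing: a Python audit that reads an account export from the remote-access portals and flags every account with no MFA enrolment or no login in 90 days. The CSV column names, the portal labels and the 90-day threshold are assumptions; the export format of a real Citrix, VPN or RDP gateway will differ.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export: one row per remote-access account. The column names
# and portal labels are assumptions; a real Citrix/VPN/RDP gateway export differs.
SAMPLE_EXPORT = """portal,username,mfa_enrolled,last_login
citrix,jdoe,false,2024-01-28
citrix,svc-backup,false,2023-09-02
vpn,asmith,true,2024-02-10
vpn,contractor-old,true,2023-10-15
vpn,never-used,true,
rdp-gateway,ops-admin,false,2024-02-11
"""

STALE_DAYS = 90  # assumed threshold; the briefing does not specify one


def audit_remote_access(export_text, as_of, stale_days=STALE_DAYS):
    """Flag accounts with no MFA and accounts unused for more than stale_days.

    as_of is an ISO date string (YYYY-MM-DD). Returns a dict with two ordered
    lists of 'portal:username' entries: 'no_mfa' and 'stale'.
    """
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=stale_days)
    findings = {"no_mfa": [], "stale": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        account = f"{row['portal']}:{row['username']}"
        # Anything other than an explicit 'true' counts as not enrolled.
        if row["mfa_enrolled"].strip().lower() != "true":
            findings["no_mfa"].append(account)
        last_login = row["last_login"].strip()
        # An account that has never logged in is treated as stale too.
        if not last_login or datetime.strptime(last_login, "%Y-%m-%d") < cutoff:
            findings["stale"].append(account)
    return findings


if __name__ == "__main__":
    result = audit_remote_access(SAMPLE_EXPORT, "2024-02-12")
    for account in result["no_mfa"]:
        print(f"ENFORCE MFA: {account}")
    for account in result["stale"]:
        print(f"DISABLE (no login in {STALE_DAYS} days): {account}")
```

An account that appears in both lists (here, the service account with no MFA and no recent login) is the first one to disable, since it is exactly the kind of credential the breach timeline started from.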
REGULATORY IMPACT
HIPAA Breach Notification & Regulatory Fallout
The Change Healthcare breach triggered the largest HHS enforcement scrutiny in history
HHS OCR Investigation: UHG under investigation for HIPAA compliance; potential fines in the hundreds of millions
Senate Hearings: CEO Andrew Witty testified before the Senate Finance and HELP Committees in May 2024
Breach Notification: ~190 million individuals required notification — the largest HIPAA breach notification in history
HHS Emergency Funding: $2B+ in accelerated payments to healthcare providers affected by the cash flow disruption
Proposed HIPAA Updates: HHS proposed significant HIPAA Security Rule updates directly citing this breach
State AGs: Multiple state attorneys general opened investigations into the breach
→ If you handle PHI, your HIPAA compliance program must be current, tested, and documented. OCR is actively auditing.
KEY TAKEAWAYS
Action Items & Next Steps
MFA on all remote access is non-negotiable — implement this week
Third-party risk is YOUR risk — Change Healthcare shows single-vendor dependency is existential
Network segmentation and EDR would have contained this breach
Healthcare organizations need tested backup/recovery — months is unacceptable
HIPAA enforcement is intensifying — your compliance program must be current
CISO Advisors · Ed Moore
emoore@cisoadvisors.org · cisoadvisors.com