Issue · June 30, 2026

Change Healthcare, February 2024

One Citrix portal without MFA. Nine days of lateral movement. The largest healthcare breach in US history.

Access Management · Identity Governance and Administration

What happened

On February 12, 2024, attackers affiliated with the ALPHV/BlackCat ransomware group accessed Change Healthcare's network using stolen credentials for a Citrix remote access portal that had no multi-factor authentication enabled. The attackers moved laterally for nine days before deploying ransomware on February 21, 2024.

UnitedHealth Group, Change Healthcare's parent company, paid a $22 million ransom. Its first-quarter 2024 results put the cost of the incident at approximately $872 million, a figure the company raised in later quarters. The incident is the largest healthcare breach in US history: UnitedHealth's final count put the number of people affected at about 190 million.

The timeline: initial credential-based access on February 12; nine days of lateral movement and data exfiltration; ransomware deployment on February 21, the day UnitedHealth publicly disclosed the incident; CEO testimony to the Senate Finance Committee on May 1, 2024 confirming that the compromised portal lacked MFA; and victim notification across the affected population from June through December 2024.

The IAM control that failed

The foundational failure was an Access Management control: MFA was not enforced on the Citrix remote access portal.

UnitedHealth CEO Andrew Witty's prepared Senate testimony stated that the Citrix portal "did not have multi-factor authentication," and that the company's policy was that all external-facing systems should have MFA enabled. The portal had come with the 2022 acquisition of Change Healthcare and had not yet been brought under UnitedHealth's security controls. The CEO confirmed under oath that the company was still investigating why this specific portal had been missed.

Underneath that authentication failure sits a deeper inventory failure. The Citrix portal in question was acquired with Change Healthcare and had remained outside the parent company's MFA enforcement coverage. The organization did not have a complete and accurate inventory of remote access entry points that mapped to its MFA enforcement policy. A policy stating that all external systems require MFA is not a control. The mapping from policy to enforced reality is the control, and that mapping had a gap.

A third failure shaped the impact rather than the entry. After initial access, the attackers operated within the network for nine days before deploying ransomware. This window points to gaps in privileged access monitoring, anomaly detection, or alerting on unusual administrative activity. The public record does not specify which controls were in scope at this layer or which specifically failed, so we treat lateral movement detection as a contributing factor rather than a confirmed control failure.

What a competent IAM program would have caught

Three controls would have changed this outcome.

A complete inventory of external-facing access points, refreshed quarterly and reconciled against actual production traffic, would have surfaced the Citrix portal as an exception before the breach. The portal was known to exist, but it was not on a list that mapped to the MFA-enforcement policy.

Enforced MFA on every entry in that inventory, with no policy exceptions tolerated past a defined remediation window, would have closed the entry vector. The compromised credentials would have been insufficient on their own.

Detection on lateral movement and privilege escalation, with alerting tuned to identify the kind of activity that precedes ransomware deployment, would have shortened or interrupted the nine-day dwell time. The initial access would still have happened, but the blast radius would have been smaller.

None of these are exotic controls. They are basic IAM hygiene applied with discipline against an actual environment, not against an idealized one.
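The first two controls above are one reconciliation job: take the inventory of external entry points, the identity provider's export of where MFA is actually enforced, and the hosts that firewall or DNS telemetry shows accepting external logins, and diff them. The script below is an added example written for this teardown, not code from UnitedHealth, Change Healthcare or Citrix; the hostnames, the three data sets, the field names and the 30-day exception window are constructed for illustration. It flags an inventoried portal with no MFA and no exception (the Change Healthcare case), an exception past its remediation window, an entry point seen in traffic but missing from the inventory, and an inventoried host with no observed traffic.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SEVERITY_RANK = {"critical": 0, "high": 1, "info": 2}


@dataclass(frozen=True)
class EntryPoint:
    host: str
    kind: str                                  # vpn, citrix, rdp-gateway, vendor-appliance ...
    origin: str                                # "organic" or "acquisition:<name>"
    exception_approved: Optional[date] = None  # date an MFA exception was signed off, if any


@dataclass(frozen=True)
class Finding:
    severity: str
    host: str
    issue: str
    detail: str


def reconcile(inventory, mfa_enforced_hosts, observed_hosts, today, exception_window_days=30):
    """Diff the inventory against IdP enforcement and observed traffic.

    inventory          - list of EntryPoint from the CMDB / asset register
    mfa_enforced_hosts - hosts the IdP policy export shows MFA enforced on
    observed_hosts     - hosts telemetry shows accepting external logins
    Returns findings sorted by severity, then host.
    """
    findings = []
    inventoried = {ep.host for ep in inventory}
    window = timedelta(days=exception_window_days)

    for ep in inventory:
        if ep.host not in mfa_enforced_hosts:
            if ep.exception_approved is None:
                # The Change Healthcare pattern: policy says MFA, reality says no.
                findings.append(Finding("critical", ep.host, "no_mfa",
                    f"{ep.kind} ({ep.origin}) accepts logins without MFA and has no approved exception"))
            elif today - ep.exception_approved > window:
                overdue = (today - ep.exception_approved - window).days
                findings.append(Finding("high", ep.host, "expired_exception",
                    f"MFA exception approved {ep.exception_approved} is {overdue} days past "
                    f"the {exception_window_days}-day remediation window"))
        if ep.host not in observed_hosts:
            findings.append(Finding("info", ep.host, "unobserved",
                "inventoried but no external auth traffic seen; confirm decommissioned or fix telemetry"))

    # Anything accepting external logins that the inventory does not know about
    # has no policy mapped to it at all, which is the gap that matters most.
    for host in sorted(observed_hosts - inventoried):
        findings.append(Finding("high", host, "unknown_entry_point",
            "accepts external logins but is absent from the inventory, so no MFA policy maps to it"))

    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.host))
    return findings


# Constructed sample data (hypothetical hostnames, not real records).
INVENTORY = [
    EntryPoint("vpn.corp.example", "vpn", "organic"),
    EntryPoint("rdgw.corp.example", "rdp-gateway", "organic", exception_approved=date(2024, 1, 5)),
    EntryPoint("citrix.legacy-sub.example", "citrix", "acquisition:legacy-sub"),
]
MFA_ENFORCED = {"vpn.corp.example"}                                       # IdP policy export
OBSERVED = {"vpn.corp.example", "citrix.legacy-sub.example", "portal-old.corp.example"}  # fw/DNS


def run_sample(today=date(2024, 2, 12)):
    return reconcile(INVENTORY, MFA_ENFORCED, OBSERVED, today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity.upper():8}] {f.host:28} {f.issue}: {f.detail}")
```

The useful property is that an empty finding list is the only passing state; a quarterly run that produces nothing is the evidence that policy and enforcement agree, and any line of output is a ticket with an owner.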

Open questions

Several details remain outside the public record.

Why the specific Citrix portal was missed during acquisition integration has not been disclosed beyond "still investigating" at the time of CEO testimony.

Whether other remote access portals were similarly exposed, and what the post-incident remediation looked like, has not been described in detail.

The specific lateral movement techniques used during the nine-day window are not in the public record.

Whether privileged access monitoring tools were in place and either failed or were not configured to alert on the relevant activity is unknown from public disclosures.

What this means for your program

Five questions to take to your IAM team this week.

Do we have a current and complete inventory of every external-facing access point in our environment, including VPN concentrators, Citrix gateways, RDP gateways, vendor-managed appliances, and infrastructure inherited through acquisitions or partnerships?

Is MFA enforced on every entry point in that inventory, with no exceptions? If exceptions exist, who approved them, when was the last review, and what is the remediation plan?

When was the last time we mapped our actual MFA coverage against our stated MFA enforcement policy?

For systems acquired through mergers or partnerships, what is our integration timeline for bringing them under enterprise authentication standards? Is that timeline documented, tracked, and reported to leadership?

If a credential were stolen and used at one of our remote access portals today, how long would it take us to detect lateral movement? What specific detections do we have for the window between initial access and ransomware deployment?
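One concrete answer to the last question, and to the detection control discussed under "What a competent IAM program would have caught," is an account fan-out detector: after a remote-access portal login, count the distinct internal hosts the same account authenticates to inside a sliding window and alert when that count crosses a threshold. The code below is an added example for this teardown, not a detection from UnitedHealth or any vendor, and it does not describe what the attackers actually did, which is not public. The event format, hostnames, 60-minute window, threshold of 8 hosts and 24-hour portal lookback are constructed assumptions; a real deployment would read Windows 4624 logon type 3 events or VPN/Citrix session logs and tune the threshold per account class.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 2, 12, 2, 0)  # constructed start time for the sample


def _evt(minutes, user, src, dst, kind):
    return (T0 + timedelta(minutes=minutes), user, src, dst, kind)


# Constructed sample events, time-ordered: (ts, user, source, destination, kind).
# kind is "portal_login" for the remote-access gateway or "network_logon" for an
# internal host authenticating the account. j.doe enters via the portal and then
# touches 12 servers in about 17 minutes; a.smith is ordinary daytime activity.
EVENTS = sorted(
    [_evt(0, "j.doe", "203.0.113.7", "citrix-gw", "portal_login")]
    + [_evt(5 + 1.5 * i, "j.doe", "10.8.0.23", f"srv-{i:02}", "network_logon") for i in range(12)]
    + [_evt(60 * h, "a.smith", "10.1.4.9", f"fs-{h % 3}", "network_logon") for h in (1, 3, 5, 9)]
    + [_evt(540, "a.smith", "198.51.100.4", "citrix-gw", "portal_login")],
    key=lambda e: e[0],
)


def detect_fanout(events, window=timedelta(minutes=60), threshold=8,
                  portal_lookback=timedelta(hours=24)):
    """Alert once per burst when an account authenticates to >= threshold distinct
    internal hosts inside `window`. Each alert records whether the account came
    through a remote-access portal within `portal_lookback`, which is the
    initial-access-to-ransomware window the question above is about."""
    recent = defaultdict(deque)  # user -> deque of (ts, dst) still inside the window
    last_portal = {}             # user -> timestamp of most recent portal login
    active = set()               # users with an open alert, to avoid re-alerting per event
    alerts = []
    for ts, user, src, dst, kind in events:
        if kind == "portal_login":
            last_portal[user] = ts
            continue
        q = recent[user]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        hosts = {d for _, d in q}
        if len(hosts) >= threshold:
            if user not in active:
                active.add(user)
                via = user in last_portal and ts - last_portal[user] <= portal_lookback
                alerts.append({"user": user, "source": src, "start": q[0][0], "end": ts,
                               "hosts": sorted(hosts), "via_portal": via})
        else:
            active.discard(user)
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(EVENTS):
        print(f"{a['user']} from {a['source']}: {len(a['hosts'])} hosts "
              f"between {a['start']:%H:%M} and {a['end']:%H:%M}, via portal: {a['via_portal']}")
```

The alert fires on the eighth distinct host, roughly fifteen minutes into the burst, rather than after nine days; the via_portal flag is what lets the responder prioritise a remote-access entry over an internal service account doing its normal rounds.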

Sources

Primary sources for the analysis above: UnitedHealth Group CEO Andrew Witty's prepared testimony to the Senate Finance Committee, May 1, 2024; UnitedHealth Group's public incident updates; reporting in BleepingComputer; and the Senate Finance Committee hearing record.

If this teardown raised a question about your own controls, get in touch and we will reply with a vendor-neutral read on your specific control set. No sales call attached.
