Imagine losing $22 million (plus billions in damages and an infinite amount of trust) because you forgot to simply enable MFA in your security settings.
Sounds ridiculous, right?
Well, that’s exactly what happened to Change Healthcare (a subsidiary of UnitedHealth Group), where one weak password and no multi-factor authentication (MFA) led to the largest healthcare data breach in US history — affecting a jaw-dropping 190 million Americans.
The worst part? It was entirely preventable.
Let’s unfold the attack
The hackers weren’t even trying that hard. The ransomware gang ALPHV/BlackCat didn’t need sophisticated malware or elite hacking skills. All it took to break into Change Healthcare’s systems was one stolen username and password for an account that had no MFA set up and belonged to a low-level customer support employee.
Once inside, the hackers roamed freely because of poor network segmentation, exfiltrating highly sensitive medical data, financial records, and personal information of millions of Americans.
Then came the “Oops, we’ve been hacked” moment. On February 21, 2024, Change Healthcare noticed something was off — billing systems shut down, doctors’ offices couldn’t process insurance claims, and pharmacies couldn’t fill prescriptions.
By the time they realized that hackers were inside, it was too late. Change Healthcare pulled the plug on their own network, hoping to contain the damage. Instead, they paralyzed the healthcare system, causing nationwide delays and forcing millions of patients to pay for prescriptions out of pocket.
But UnitedHealth Group is a multi-billion-dollar company, right? Can’t they just pay the ransom and resume their operations?
Well, everyone thought the same. On March 3rd, UnitedHealth paid the hackers a ransom of $22 million in Bitcoin, and by March 13th, they received a “safe” copy of the stolen data and began identifying victims.
In between, something unexpected happened! The ALPHV/BlackCat gang disappeared. Their dark web site was suddenly replaced with a fake law enforcement seizure notice, and their affiliate was left empty-handed.
In simple words: The main ransomware gang took the ransom money and ran, while the hacker who actually stole the data was left fuming.
Feeling cheated out of their payday, the original hacker formed a new ransomware group called “RansomHub”. Since they still had the stolen data, they demanded a second ransom and, to prove that they still held the data, leaked some of it online.
Finally, on May 1, 2024, UnitedHealth’s CEO, Andrew Witty, was called to testify before Congress. And that’s when he admitted the brutal truth:
- The entire breach happened because a single employee account had no MFA.
- Once inside, hackers moved freely due to poor internal security.
- The breach was “entirely preventable” — his words, not ours.
Fast forward to January 24, 2025: Change Healthcare announced the final number and said that the health data of 190 million Americans (which is over HALF the US population) was stolen.
The takeaway? A billion-dollar healthcare company suffered because of a missing MFA setting.
The Billion-Dollar Question: Would MFA Have Stopped This?
Short answer: YES.
Here’s why MFA is non-negotiable in cybersecurity:
- Even if hackers steal a password, they still need a second authentication factor to gain access.
- MFA significantly reduces the risk of credential-based attacks (which caused this breach).
- It takes minutes to enable, but can prevent multi-billion-dollar losses.
Had Change Healthcare enabled MFA, this entire attack would have been stopped at the login screen. Instead, they paid the price in ransom, reputational damage, and regulatory scrutiny.
No matter how big or small a company is, if it’s handling sensitive data, then:
- MFA is NOT optional.
- Network segmentation is a MUST.
- Paying ransoms doesn’t guarantee security — it just invites more attacks.
The cost of security is always cheaper than the cost of a breach.
The real question is: Is your business making the same mistake? More importantly, do you even know if you’re at risk?
Don’t know the answers to the above questions? Don’t worry, we’ve got you covered. Take a FREE cybersecurity assessment through our in-house tool, PulseCheck, and evaluate your own and your organization’s security by answering just a few questions.
Try it out now!