Executive Summary
In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, suffered a significant ransomware attack that disrupted billing systems and insurance claims processing across the U.S. healthcare sector. The attackers exploited a server lacking multifactor authentication, leading to the theft of sensitive medical records affecting approximately 190 million individuals. The breach resulted in widespread operational disruptions, including delays in prescription services and financial strain on healthcare providers. (techcrunch.com)
This incident underscores the critical importance of robust cybersecurity measures in the healthcare industry, especially as ransomware attacks targeting sensitive medical data continue to rise. Organizations must reassess their security protocols to prevent similar breaches and protect patient information.
Why This Matters Now
The Change Healthcare ransomware attack highlights the urgent need for healthcare organizations to implement comprehensive cybersecurity strategies, including multifactor authentication, to safeguard against evolving cyber threats targeting sensitive patient data.
Attack Path Analysis
The attacker gained initial access through phishing emails containing malicious attachments, leading to the execution of ransomware. They escalated privileges by exploiting unpatched vulnerabilities, allowing them to gain administrative access. Utilizing compromised credentials, the attacker moved laterally across the network to identify and access critical systems. They established command and control channels to maintain persistent access and coordinate the attack. Sensitive data was exfiltrated to external servers before encryption. Finally, the attacker encrypted critical data and systems, demanding a ransom for decryption.
Kill Chain Progression
Initial Compromise
Description
The attacker gained initial access through phishing emails containing malicious attachments, leading to the execution of ransomware.
MITRE ATT&CK® Techniques
Valid Accounts
Disable or Modify Tools
Data Encrypted for Impact
Web Protocols
Obfuscated Files or Information
PowerShell
File and Directory Discovery
Archive via Utility
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.05
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Continuous Monitoring and Diagnostics
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Ransomware attacks like Change Healthcare's $3 billion incident expose critical vulnerabilities in patient data systems, requiring enhanced zero trust segmentation and encrypted traffic controls.
Financial Services
Financial markets' stability-breeds-complacency pattern increases ransomware exposure risk, necessitating multicloud visibility controls and egress security to prevent data exfiltration and regulatory violations.
Information Technology/IT
IT sectors face heightened ransomware risks from EDR bypass techniques and infostealer logs, requiring threat detection capabilities and secure hybrid connectivity for client protection.
Government Administration
Government entities' compliance-focused security approaches may miss active ransomware campaigns, demanding enhanced threat intelligence and anomaly detection to prevent widespread service disruptions.
Sources
- The calm before the ransom: What you see is not all there ishttps://www.welivesecurity.com/en/ransomware/calm-ransom-what-you-see-is-not-all-there-is/Verified
- Jaguar Land Rover slides to loss of almost £500m after cyber-attackhttps://www.theguardian.com/business/2025/nov/14/jaguar-land-rover-loss-cyber-attackVerified
- How the ransomware attack at Change Healthcare went down: A timelinehttps://techcrunch.com/2024/08/17/how-the-ransomware-attack-at-change-healthcare-went-down-a-timeline/Verified
- Change Healthcare cyberattack exposes cybersecurity concernshttps://www.techtarget.com/healthtechsecurity/feature/Change-Healthcare-cyberattack-exposes-cybersecurity-concernsVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's lateral movement and data exfiltration by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While initial access may still occur, CNSF would likely limit the attacker's ability to exploit internal network trust.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely limit the attacker's ability to escalate privileges by enforcing strict access controls.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely reduce the attacker's ability to move laterally by segmenting internal traffic.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely limit the attacker's ability to establish command and control channels by monitoring and controlling outbound communications.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely reduce the attacker's ability to exfiltrate data by enforcing strict outbound traffic policies.
While data encryption may still occur, the attacker's ability to impact critical systems would likely be limited due to constrained lateral movement and data exfiltration.
Impact at a Glance
Affected Business Functions
- Manufacturing Operations
- Supply Chain Management
- Retail Sales
- Customer Service
Estimated downtime: 30 days
Estimated loss: $650,000,000
Potential exposure of sensitive corporate data, including financial records and employee information.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and limit access to critical systems.
- • Deploy East-West Traffic Security to monitor and control internal network communications, detecting unauthorized movements.
- • Utilize Egress Security & Policy Enforcement to prevent unauthorized data exfiltration and block communication with malicious external servers.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- • Regularly update and patch systems to mitigate vulnerabilities that could be exploited for privilege escalation.
