# Change Healthcare Had the Elite Cert. 192 Million Records Walked.

Writer: Patrick Duggan


The defensive-security industry runs on a quiet fiction. The fiction is that breach outcomes correlate with how much a customer spends: that the next certification tier, the next product SKU, the next assurance program would have changed the result. Vendors invoke this fiction in postmortems, in their marketing, and in lobbying letters to Congress when their reputations need defending. Change Healthcare is the case that breaks the fiction. Change Healthcare was on the highest tier available, paid the highest price possible, held the elite certification of the most rigorous framework in healthcare, and 192.7 million Americans had their data stolen anyway.


Let us take the public record one piece at a time and see what tier was actually deployed before the BlackCat affiliate walked into the Citrix portal on February 12, 2024.


## What Change Healthcare Already Had

Change Healthcare's public security marketing, before the breach, said: "HITRUST Risk-based, 2-year (r2) Certified status demonstrates that the organization's major implemented systems and platforms have met key regulations and industry-defined requirements and is appropriately managing risk. This achievement places Change Healthcare in an elite group of organizations worldwide that have earned this certification." That is the company's own statement, archived in Hyperproof's public timeline of the breach.


HITRUST r2 is the most rigorous tier of the HITRUST framework. It is the tier most often cited as the gold-standard demonstration of HIPAA compliance. It is the tier HITRUST itself markets as exclusive — earned by an "elite group of organizations worldwide." It costs hundreds of thousands of dollars and takes 12 to 18 months of audit and remediation work to achieve. HITRUST's own 2024 Trust Report claims that the HITRUST Assurance Program produces a 0.64% breach rate across certified organizations. Sixty-four hundredths of a percent. That is the marketing number.


Change Healthcare was inside that 0.64%. Their certification did not save them.


The parent company, UnitedHealth Group, spends roughly three hundred million dollars per year on its enterprise security organization. UHG has a published security policy that requires multi-factor authentication on every external-facing system. The breach happened anyway, through a Citrix portal used for remote desktop access on which MFA was not enabled. CEO Andrew Witty testified to that gap directly before the Senate Finance Committee on May 1, 2024; the portal was a legacy Change Healthcare system that was still being upgraded after UHG's October 2022 acquisition of the company. The company had the policy. The policy named MFA. The Citrix portal sat outside the policy's effective enforcement, and the attackers walked through.


This is the part the industry's pricing-tier mythology cannot explain. Change Healthcare did not skip a tier. They were on the top tier of every assurance program offered. The top tier did not catch this.


## What Actually Happened

Stolen credentials, almost certainly from infostealer logs traded on criminal marketplaces, gave the attackers initial access to a Change Healthcare Citrix portal on February 12, 2024. The portal had no second factor. Once inside, the attackers moved laterally through the network for nine days, escalating privileges and staging exfiltration tooling, before deploying ransomware on February 21. By the time Change Healthcare's incident response team detected the activity, six terabytes of data (by the attackers' own claim) had been exfiltrated and the company's clinical-claims processing infrastructure was encrypted. Pharmacies could not verify insurance. Hospitals could not submit claims. Roughly one in three U.S. patient records flowed through Change Healthcare's transaction systems, and the entire pipeline went dark.


ALPHV/BlackCat claimed responsibility on February 26. Change Healthcare confirmed the attribution on February 29. In the first days of March, a Bitcoin payment of roughly 350 BTC, about twenty-two million dollars at the time, moved to a wallet associated with BlackCat. UHG did not confirm the payment then, but Witty later testified that the ransom was paid and that the decision to pay was his.


That is when the second story started.


BlackCat exit-scammed its own affiliate. The affiliate who actually ran the Change Healthcare intrusion, known publicly as "notchy", posted on a cybercrime forum accusing the operators of stealing the affiliate's cut of the ransom. BlackCat shut down its infrastructure shortly after, put a fake law-enforcement seizure banner on its site, and took the twenty-two million with it. Notchy, still holding the stolen data, took it to a successor ransomware brand called RansomHub. On April 16, 2024, RansomHub published proof-of-life screenshots of Change Healthcare patient files and demanded a second payment to prevent broader release. UnitedHealth Group had paid the original ransom and the data leaked anyway, because the criminal organization they paid scammed the criminal who actually held the data.


This is the part of the story that the elite-tier certification literature does not include in its marketing. There is no certification that prevents a ransomware operator from defrauding their own affiliate after you pay them. There is no security control that recovers data once the operational counterparty is itself the fraud victim of a different operational counterparty.


## The Costs

UnitedHealth Group's third-quarter 2024 earnings report disclosed total response costs of $2.457 billion. The company also disbursed more than nine billion dollars in advance payments to providers crippled by the outage. The Office for Civil Rights investigation continues. More than fifty class-action lawsuits have been consolidated into multidistrict litigation in Minnesota. The U.S. Department of Health and Human Services received notification on July 31, 2025 that 192.7 million individuals were affected — a number that exceeds the total population of any single American state and represents more than half of the country.


The American Medical Association surveyed its member practices during the outage. Thirty-six percent had claims payments suspended. Eighty percent reported lost revenue from unpaid claims. Fifty-five percent of practices reported using personal funds to cover expenses. The collateral damage extended to small rural physician practices that had no relationship with Change Healthcare beyond the fact that their clearinghouse routed through Change Healthcare's systems. The blast radius was the U.S. healthcare delivery system itself.


This is what an elite-tier certification did not prevent.


## The Lobbying Letter

On June 11, 2024, HITRUST sent a letter to members of Congress and federal regulators. The letter expressed support for efforts to address the breach. It also lobbied (Hyperproof's article quotes the language directly) for Congress to "view the problem as a matter of risk management with a focus on selecting and using relevant controls that are threat-adaptive, and ensuring that compliance outcomes, where needed, are earned through robust and reliable assurance programs."


Read that sentence carefully. The most rigorous certification framework in healthcare, immediately after the largest healthcare breach in United States history at one of its certified-elite organizations, told Congress that the path forward is more rigorous assurance programs. Translation: do not blame the framework. The certified organization needed more assurance. The customers reading these words right now need more assurance. The certification market needs to grow.


This is the structural defense the security-vendor industry runs by default. When the customer was on the lower tier, the vendor postmortem says the customer should have been on the higher tier. When the customer was on the highest tier, the vendor postmortem says the framework needs additional layers of assurance the customer also did not buy. The customer is always one tier short of safe. The "tier above the highest tier" is always the next one being marketed.


## The Pattern Beyond Change Healthcare

This is not unique to HITRUST or to UHG.


Snowflake, after the UNC5537 stolen-credential campaign hit roughly one hundred sixty-five customer tenants in mid-2024, publicly stated that "the vast majority of these instances did not have MFA enabled." The blame was directed at customer configuration, not Snowflake's product design. AT&T, Ticketmaster, Santander, LendingTree, and Pure Storage were named victims. The Mandiant report on the campaign documented that the attackers used credentials harvested by infostealer malware, some of them years earlier, against tenants that enforced neither MFA nor network allow-lists. Snowflake's architectural decision to leave MFA off by default was the load-bearing failure. The marketing pivot was that customers should have configured the option. This is the same shape as HITRUST's June 11 letter.


Microsoft Storm-0558, the Chinese state-actor operation that used a stolen Microsoft consumer (MSA) signing key in mid-2023 to forge authentication tokens and read Exchange Online and Outlook.com mail belonging to U.S. government targets, produced a similar pattern. Microsoft's initial position was that customers needed E5 licenses with Purview Audit (Premium) to see the MailItemsAccessed events that revealed the malicious access. The required telemetry was an upcharge. CISA and members of Congress publicly pressed Microsoft over paywalling breach-detection logging. Microsoft made that telemetry available to standard-license customers in response. The reversal is the receipt: the pre-breach posture had been "the breach was not detectable on the tier you bought; you should have been on E5." Even Microsoft eventually agreed that posture was wrong.


Three cases. Three frameworks at three pricing layers. One structural pattern: the customer is always one tier behind safety.


## What Identity-Side Failures Tell Us

The Change Healthcare attack did not exploit a software vulnerability. It exploited a missing MFA configuration on a remote-access portal. The Snowflake breaches did not exploit a software vulnerability. They exploited credentials harvested years before, against tenants with no MFA enforcement. The Storm-0558 operation did exploit a software vulnerability — a deep one, in Microsoft's signing-key handling — but the customer-side detection gap was the upcharge model.


These are identity-side failures. They are the dominant attack class against modern enterprises in 2024 through 2026, and they share a characteristic that destroys the pricing-tier defense: no endpoint-detection product, no extended-detection product, no managed-detection-and-response service, no compliance certification at any tier reliably catches an attacker logging in with valid credentials to a system that does not require a second factor. A valid login is not an endpoint event. The only signals that exist live in the sign-in telemetry of the identity provider or the portal itself (a source network, country, device, or hour that user has never used), and the only control that stops the login is the identity provider's policy enforcement. If the identity provider's policy was misconfigured, the most expensive EDR in the world is watching for the wrong threat class.


This is why Change Healthcare's HITRUST r2 certification did not save them. HITRUST r2 is a control framework for risk management; it is not an identity-policy compiler that prevents a single Citrix portal from being deployed without MFA. The customer can pay for the elite certification, hold the elite certification, and still have one Citrix portal that fell through the post-acquisition integration cracks. The framework cannot reach into every server and verify every config. The premium tier of EDR cannot detect a valid login. And when an elite-tier organization is breached through a control the framework describes on paper but never compiles down to enforcement, the framework's only response is to send a letter to Congress recommending more assurance.
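The two checks the preceding paragraphs imply, written out as an added example (this is not code from the original post, from Change Healthcare, or from any vendor): first, an inventory audit that lists every external-facing application which granted access on a password alone, which is exactly the gap between UHG's written MFA policy and the Citrix portal; second, the detection that sign-in telemetry can still give you when policy has failed, a successful password-only login from a network and country that user has never come from. The sign-in log, its field names, the user and application names, the IP addresses (documentation ranges) and the baseline cutoff date are all constructed for the example and follow no vendor's schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed JSON-lines sign-in log. Field names, users, apps, ASNs and IPs are
# assumptions made for this example; they do not come from any real product or incident.
SAMPLE_LOG = """\
{"ts":"2024-02-01T13:02:11Z","user":"jsmith","app":"citrix-remote","external":true,"result":"success","mfa":false,"src_ip":"203.0.113.10","asn":7922,"country":"US"}
{"ts":"2024-02-03T09:15:40Z","user":"jsmith","app":"citrix-remote","external":true,"result":"success","mfa":false,"src_ip":"203.0.113.10","asn":7922,"country":"US"}
{"ts":"2024-02-05T08:00:02Z","user":"jsmith","app":"vpn","external":true,"result":"success","mfa":true,"src_ip":"203.0.113.10","asn":7922,"country":"US"}
{"ts":"2024-02-06T11:30:00Z","user":"akhan","app":"vpn","external":true,"result":"success","mfa":true,"src_ip":"198.51.100.7","asn":20115,"country":"US"}
{"ts":"2024-02-10T22:41:19Z","user":"akhan","app":"hr-intranet","external":false,"result":"success","mfa":false,"src_ip":"10.20.4.8","asn":0,"country":"US"}
{"ts":"2024-02-12T03:17:55Z","user":"jsmith","app":"citrix-remote","external":true,"result":"success","mfa":false,"src_ip":"192.0.2.44","asn":64496,"country":"NL"}
{"ts":"2024-02-12T03:20:01Z","user":"jsmith","app":"vpn","external":true,"result":"failure","mfa":false,"src_ip":"192.0.2.44","asn":64496,"country":"NL"}
"""


def _parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    """Parse JSON-lines sign-in events and return them in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["_ts"] = _parse_ts(e["ts"])
    return sorted(events, key=lambda e: e["_ts"])


def password_only_apps(events):
    """Policy audit: external-facing apps that granted access with no second factor.

    Every app returned here is a gap between the written MFA policy and what is
    actually enforced. Internal apps are ignored: the policy in question covers
    external-facing systems.
    """
    counts = defaultdict(int)
    for e in events:
        if e["external"] and e["result"] == "success" and not e["mfa"]:
            counts[e["app"]] += 1
    return dict(counts)


def novel_source_logins(events, learn_until):
    """Detection: successful password-only external logins from a source network
    (ASN, country) the user has never used before.

    Events before `learn_until` only populate the per-user baseline; later events
    are judged against it and then added to it. Failed attempts never count.
    This is the signal an EDR never sees, because a valid login is not an endpoint event.
    """
    cutoff = _parse_ts(learn_until)
    seen = defaultdict(set)
    flagged = []
    for e in events:
        if e["result"] != "success":
            continue
        source = (e["asn"], e["country"])
        new_source = source not in seen[e["user"]]
        if e["_ts"] >= cutoff and e["external"] and not e["mfa"] and new_source:
            flagged.append(e)
        seen[e["user"]].add(source)
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("external apps accepting password-only logins:", password_only_apps(evs))
    for e in novel_source_logins(evs, "2024-02-11T00:00:00Z"):
        print("ALERT", e["ts"], e["user"], e["app"], e["src_ip"], e["country"])
```

On the constructed log the audit names `citrix-remote` as the one external app still accepting password-only logins, and the detector flags the single 03:17 UTC login from a Dutch network the user had never used. The audit is the check to run before an incident, against every portal the organization exposes, because it finds the gap without needing an attacker to demonstrate it; the detector is what remains once the gap exists, and it only works if the sign-in logs are being collected and read.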


## What We Do Differently

Our threat-intelligence feed costs nine dollars per month at the entry tier. Forty-five at the working tier. The data is the data — the same indicators of compromise, the same lead times, the same Lynx C2 endpoint indexed forty-three days before ACN Healthcare disclosed, the same Handala IOCs indexed twenty-eight days before Dubai's three ministries got wiped. We do not have a higher tier where the IOCs are different.


If a customer of ours gets breached and asks us why our feed did not warn them in time, the question is auditable. The breach date and our first-indexed date are timestamps in a public ledger. We publish the ledger, including the cases where we were behind CISA. The honest version of the answer is: here is what we had, here is when we had it, here is whether you could have used it. Not: you should have been on a tier we did not actually offer.


This is the frame the public-record receipts on Change Healthcare make legible. Every postmortem from a vendor that monetizes assurance frameworks by tier ends in "the customer should have spent more." Every single one. The Senate Finance hearing transcript, the UnitedHealth Group SEC filings, the HITRUST Congressional letter, and the AMA member survey are all public. The pattern is in the documents. We are not making it up.


## The Receipts

192.7 million Americans had their data stolen. UHG paid 22 million dollars in ransom and the data leaked anyway because BlackCat scammed its own affiliate. UHG's response costs reached 2.457 billion dollars through the third quarter of 2024. Change Healthcare held HITRUST r2, the elite certification, when it happened. HITRUST's response was to lobby Congress for more assurance.


This is the case the industry cannot wave away with a tier-up.


The customer did not fail to spend enough. The customer spent more than almost anyone in healthcare. The framework's marketing model assumes that more spending equals more safety, and the largest breach in U.S. healthcare history is the receipt that the model is structurally fictional at the very tier where the model was supposed to be most credible.


We publish the ledger. The vendor industry should publish theirs.





Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.
