It took fourteen months for UnitedHealth's outside counsel, its retained forensics firm Mandiant, and the cooperating federal investigators to release a forensics package detailed enough to teach from. The timeline only became public after the related litigation discovery cycle closed. Now that the chain of events is on the record, the lesson is not subtle: a single-factor Citrix gateway, in a Fortune 5 healthcare backbone, in 2024, was the front door. Everything that followed was someone walking through it at a leisurely pace.
Below is the kill chain as the forensics describe it, the architectural assumptions that made each step possible, and the seven things every healthcare CISO should re-check this week. None of them are exotic. All of them are still wrong somewhere on your network.
What happened
The five-step chain, normalized from the published timeline:
- Day -30 to Day 0: credential acquisition. A Citrix portal credential belonging to a Change Healthcare contractor surfaced on a Russian-language forum, originally harvested by Lumma Stealer infostealer malware on a personally-owned laptop. The cred sold for $200. The buyer was a BlackCat (ALPHV) affiliate.
- Day 0: gateway entry, no MFA. The affiliate authenticated to the externally-exposed Citrix Gateway. The gateway required only username and password. There was no second factor enforced on remote access for that user population. The session was indistinguishable from a legitimate contractor login.
- Day 0 to Day 9: lateral movement and staging. Over nine days the affiliate enumerated Active Directory, harvested service-account credentials, escalated to a domain administrator, located the claims-processing infrastructure, and exfiltrated approximately 6 TB of protected health information through a combination of cloud-storage uploads and DNS-tunneled out-of-band channels.
- Day 9: ransomware deployment. The affiliate detonated BlackCat ransomware across roughly 8,500 hosts. The claims-processing platform, which handles an estimated one in three U.S. medical claims, went dark.
- Day 9 to Day 60: extortion, payment, double-cross. UnitedHealth paid approximately $22M in Bitcoin to BlackCat. The BlackCat operators then ran an exit-scam against their own affiliate, refusing to pay the affiliate's cut. The affiliate took the exfiltrated data to a different ransomware operation (RansomHub) and started a second extortion cycle against UnitedHealth using the same data. Patient records were leaked publicly during the second cycle.
The financial cost, as disclosed in UnitedHealth's Q1 2024 earnings filing and subsequent 8-K amendments: a direct $872M impact in that quarter, with later filings increasing the total response cost past $2.4B. That figure does not include the secondary cost to the 6,200 hospitals, pharmacies, and provider groups that ran on Change Healthcare's claims rails and could not bill, get reimbursed, or in some cases dispense prescriptions for weeks.
Why it kept working for nine days
The forensic narrative is most uncomfortable in the middle of the chain — the gap between initial access and ransomware detonation. Nine days is not a fast burn; it is a methodical reconnaissance and exfiltration. Every defensive control that should have noticed something either was not deployed, was deployed and not tuned, or fired alerts that nobody read.
Three architectural assumptions made the slow burn possible:
One. The Citrix gateway was treated as a "trusted edge." Once a session authenticated, the user was treated as a benign contractor for the rest of the session. There was no continuous device-posture validation, no per-resource re-authentication, and no anomaly scoring on the lateral access patterns the session generated. A contractor enumerating the entire Active Directory tree in one session is not normal contractor behavior; nobody flagged it.
Two. Service-account credentials were broadly cached on workstations and member servers across the segment. Once the affiliate had an interactive session inside the gateway-trusted zone, a routine Mimikatz-equivalent dump produced multiple service accounts with elevated rights. Several of those service accounts had domain-administrator effective permissions through nested group membership that nobody had audited.
Three. Egress monitoring was tuned to block known-bad destinations rather than detect anomalous volumetric uploads. 6 TB of outbound data over nine days, split across cloud-storage providers and DNS tunneling, did not trip the threshold. The DLP product was deployed; the policies were tuned for compliance reporting, not detection.
This is the recurring shape of every major healthcare ransomware case CelvexGroup has reviewed in the past 24 months. The initial access is rarely exotic. The dwell time is always longer than the org thought possible. The exfil channel is always something the controls were technically watching but practically ignoring.
The MFA-on-gateway pattern, again
Stolen-credential plus single-factor remote-access portal is the most-repeated pattern in the entire post-2022 ransomware corpus. CISA's joint advisory on BlackCat affiliate TTPs lists it as the primary initial access vector in 71% of confirmed BlackCat intrusions in 2023. The Verizon DBIR 2025 puts stolen credentials at the entry point of 49% of all breaches across all verticals. Healthcare specifically reports 58%.
If you are running any of the following without enforced phishing-resistant MFA (not SMS, not push notifications with or without number matching, but FIDO2 hardware keys or equivalent), you are reading this article about your own future incident report:
- Citrix Gateway / NetScaler external auth
- Ivanti Connect Secure (formerly Pulse Secure)
- Cisco AnyConnect / Secure Client
- Fortinet FortiGate SSL VPN
- Palo Alto GlobalProtect
- Microsoft RDP Gateway / Remote Desktop Web
- Any custom-built portal that re-uses Active Directory credentials
Phishing-resistant MFA on the gateway is not the only control that matters, but it is the only control that turns the "stolen cred for $200" attack into a non-starter. Push-based MFA without number matching is bypassable through fatigue attacks. Push with number matching stops the fatigue attack but still falls to adversary-in-the-middle phishing proxies, which relay the real login page and the real prompt to the victim. SMS is bypassable through SIM swap and through the same proxies. The 2024 NIST SP 800-63B-4 draft now discourages both for high-assurance contexts: it restricts SMS/PSTN out-of-band authenticators and requires phishing resistance at its highest assurance level. Hardware keys are not optional for production gateway access in healthcare in 2026.
What to check today
Seven concrete checks to run this week. Each maps to a step in the Change Healthcare chain. None require a procurement cycle to begin.
- Enumerate every externally-reachable auth surface. Run a perimeter scan from the public internet against your own external IP ranges. Any service responding with an authentication prompt (Citrix, RDWeb, OWA, Exchange admin, VPN portals, custom SSO endpoints) is in scope. Compare the list to your CMDB. Any orphaned or "we forgot that was up" portal goes offline today, not next sprint.
- Confirm phishing-resistant MFA on each. Not "MFA exists in policy." Not "most users have it." Test it yourself: authenticate with a known-good credential and confirm the second factor is FIDO2/WebAuthn or certificate-based smart-card logon. An authenticator app with number matching closes the push-fatigue hole but is not phishing-resistant, because an adversary-in-the-middle proxy relays the real prompt to the victim; treat it as an interim state with a migration date, not as passing this check. SMS-fallback paths must be removed, not merely deprioritized.
- Check for service accounts with interactive logon rights. In Active Directory, query for accounts with `PasswordNeverExpires` set (the `DONT_EXPIRE_PASSWORD` bit of `userAccountControl`) that are not blocked by the `Deny log on locally` and `Deny log on through Remote Desktop Services` user rights on the hosts they can reach. Each one is a candidate for the exact lateral-movement pattern that BlackCat used. Either restrict them to specific hosts via Logon Workstations, or migrate to a Group Managed Service Account.
- Audit nested group membership for domain-admin effective rights. Use PowerView's `Get-DomainGroupMember -Identity "Domain Admins" -Recurse` or BloodHound's path-finder. Anyone whose effective rights include domain admin through three or four levels of nested groups did not get explicitly approved for that privilege. Flatten the path or remove the rights.
- Set egress baselines, not destination blocklists. Establish a per-segment normal upload volume for a 24-hour window. Alert at 3x baseline regardless of destination reputation. The $200 cred plus 6 TB exfil chain only worked because nobody had a volumetric baseline.
- Validate DNS-tunneling detection. Send a known DNS-tunneling test pattern (the open-source `iodine` client works) from a segmented test host. If your DNS-monitoring solution does not flag the traffic, your detection coverage has a gap that BlackCat-class affiliates already know about.
- Review your contractor and vendor remote-access path specifically. The Change Healthcare entry was a contractor cred. Contractor and vendor accounts often live in separate OUs with weaker policy. Apply identical phishing-resistant MFA, identical session length, and identical post-auth posture checks. No exceptions for "the vendor's tool doesn't support hardware keys": the answer is a different vendor or a hardened jump-host pattern.
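The nested-group audit that assumption Two above describes and that the "Audit nested group membership" check asks for, as an added example. This is not Celvex, PowerView or BloodHound code: it walks a constructed, in-memory snapshot of group membership and reports every non-group principal that reaches the target group together with the nesting path that grants it. In production you would populate `MEMBERS` from an LDAP export of each group's `member` attribute; every group and account name below is hypothetical.

```python
"""Effective Domain Admins audit through nested groups (added example).

Walks a constructed snapshot of AD group membership and reports each leaf
principal that reaches the target group, with the chain of groups involved.
"""
from collections import deque

# Constructed snapshot: group name -> direct members (users or other groups).
# Any member that is not itself a key is treated as a leaf principal.
MEMBERS = {
    "Domain Admins": ["Administrator", "Tier0-Ops"],
    "Tier0-Ops": ["svc-backup", "Infra-Leads"],
    "Infra-Leads": ["Platform-Team"],
    "Platform-Team": ["svc-claims-etl", "jdoe"],
    "Helpdesk": ["asmith"],          # unrelated group: must not appear in results
}


def effective_members(group, members=MEMBERS):
    """Return {principal: path} for every non-group principal reachable from `group`.

    `path` lists the groups traversed, starting with `group` itself, so
    len(path) - 1 is the number of nesting levels between the right and the
    account. Breadth-first search means the first path recorded is the
    shortest one; the visited set makes cyclic memberships (legal in AD) safe.
    """
    found = {}
    visited = set()
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        if current in visited:
            continue
        visited.add(current)
        for member in members.get(current, []):
            if member in members:                 # nested group: keep walking
                queue.append((member, path + [member]))
            else:                                 # leaf principal (user/computer/svc)
                found.setdefault(member, path)
    return found


def deep_admins(group="Domain Admins", min_depth=3, members=MEMBERS):
    """Principals whose rights arrive through at least `min_depth` nested groups.

    These are the accounts nobody explicitly approved for the privilege.
    """
    return {p: path for p, path in effective_members(group, members).items()
            if len(path) - 1 >= min_depth}


if __name__ == "__main__":
    for principal, path in sorted(effective_members("Domain Admins").items()):
        print(f"{principal:16s} depth={len(path) - 1}  via {' -> '.join(path)}")
    print("review:", sorted(deep_admins()))
```

The BFS plus visited set matters: AD allows group cycles, and a naive recursive `-Recurse` walk over a cycle never terminates. Run it against the real export and hand every entry of `deep_admins()` to the owner of the top-level group with the question "did you approve this?".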
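The two detections that assumption Three above says were missing, and that the "Set egress baselines" and "Validate DNS-tunneling detection" checks ask for, as one added example. This is not Celvex code and not any DLP or DNS product's logic. Both detectors run over constructed, inline records (`FLOWS` and `DNS_QUERIES`); in practice they would consume daily NetFlow or firewall byte totals and resolver query logs. The thresholds, the record layouts, the segment names and the "zone is the last two labels" simplification are all assumptions (real code should use the Public Suffix List).

```python
"""Volumetric egress baseline and DNS-tunnel heuristics (added example)."""
import base64
import hashlib
import math
from collections import Counter, defaultdict
from statistics import median

# ---- 1. Egress volume vs. per-segment baseline --------------------------------
BASELINE_DAYS = 7       # days 1..7 establish "normal" for each segment (assumption)
MULTIPLIER = 3.0        # alert at 3x baseline, regardless of destination

# Constructed daily outbound byte totals: (segment, day, bytes_out).
FLOWS = (
    [("claims-dmz", d, b) for d, b in enumerate([40e9, 42e9, 38e9, 41e9, 39e9, 43e9, 40e9], 1)]
    + [("claims-dmz", 8, 700e9)]                        # bulk exfil day: 17.5x baseline
    + [("workstations", d, 12e9) for d in range(1, 9)]  # flat, never alerts
    + [("vendor-jump", d, 10e9) for d in range(1, 8)]
    + [("vendor-jump", 8, 25e9)]                        # 2.5x: noisy but under threshold
)


def egress_alerts(flows, baseline_days=BASELINE_DAYS, multiplier=MULTIPLIER):
    """Return [(segment, day, ratio)] for post-baseline days whose outbound volume
    exceeds multiplier x the median of that segment's baseline days."""
    daily = defaultdict(float)
    for segment, day, nbytes in flows:
        daily[(segment, day)] += nbytes
    by_segment = defaultdict(dict)
    for (segment, day), nbytes in daily.items():
        by_segment[segment][day] = nbytes
    alerts = []
    for segment, days in by_segment.items():
        base = [v for d, v in days.items() if d <= baseline_days]
        if not base:
            continue                      # no baseline yet: nothing to compare against
        normal = median(base)             # median resists one noisy baseline day
        for day in sorted(d for d in days if d > baseline_days):
            ratio = days[day] / normal
            if ratio > multiplier:
                alerts.append((segment, day, round(ratio, 2)))
    return alerts


# ---- 2. DNS-tunnel heuristics ------------------------------------------------
MIN_QUERIES = 10        # evaluate only (source, zone) pairs with enough samples
LONG_SUBDOMAIN = 40     # mean subdomain length above which encoding is suspected
HIGH_ENTROPY = 3.5      # mean Shannon entropy (bits/char) of the subdomain
BULK_TYPES = {"NULL", "TXT", "CNAME", "MX", "SRV"}   # types tunnels use for payload


def shannon_entropy(s):
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname):
    """Return (subdomain, zone); the zone is the last two labels (simplification)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def dns_tunnel_suspects(queries, min_queries=MIN_QUERIES):
    """Return [(src, zone, mean_len, mean_entropy, bulk_share)] for (source, zone)
    pairs that look like a tunnel: long high-entropy subdomains, or mostly
    payload-carrying record types."""
    groups = defaultdict(list)
    for src, qname, qtype in queries:
        sub, zone = split_qname(qname)
        groups[(src, zone)].append((sub, qtype.upper()))
    suspects = []
    for (src, zone), items in groups.items():
        if len(items) < min_queries:
            continue
        mean_len = sum(len(sub) for sub, _ in items) / len(items)
        mean_ent = sum(shannon_entropy(sub.replace(".", "")) for sub, _ in items) / len(items)
        bulk = sum(1 for _, t in items if t in BULK_TYPES) / len(items)
        if (mean_len > LONG_SUBDOMAIN and mean_ent > HIGH_ENTROPY) or bulk > 0.5:
            suspects.append((src, zone, round(mean_len, 1), round(mean_ent, 2), round(bulk, 2)))
    return suspects


def _encoded_label(seed):
    """Deterministic stand-in for an iodine-style base32 payload chunk (constructed)."""
    return base64.b32encode(hashlib.sha256(seed.encode()).digest()).decode().rstrip("=").lower()


# Constructed resolver log: (source_ip, qname, qtype). Hosts and zones are hypothetical.
DNS_QUERIES = (
    [("10.0.7.4", f"{name}.example.com", "A") for name in
     ["www", "mail", "cdn", "api", "static1", "login", "sso", "img", "docs", "cdn2", "www", "api"]]
    + [("10.0.5.23", f"{_encoded_label(f'a{i}')}.{_encoded_label(f'b{i}')}.t.tunnel-example.net", "NULL")
       for i in range(20)]
    + [("10.0.5.23", "login.microsoftonline.com", "A")]   # one ordinary query, below MIN_QUERIES
)

if __name__ == "__main__":
    print("egress alerts:", egress_alerts(FLOWS))
    print("dns suspects:", dns_tunnel_suspects(DNS_QUERIES))
```

Two design points worth keeping when this is ported to real logs. The egress detector never looks at the destination, which is the whole point: a reputable cloud-storage provider passes any blocklist, and a 17x day only shows up against a baseline. The DNS detector scores per (source, zone) rather than per query, because a single long label is common (CDNs, anti-spam lookups) while a sustained stream of them to one zone, or a majority of `NULL`/`TXT` queries, is not.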
Third-party trust assumption
Change Healthcare did not directly serve a single one of the 6,200 affected hospitals as a primary EHR vendor. It served them as a back-end claims clearinghouse, often invisible in their threat model. The hospitals' incident response plans did not include "what do we do when the entity that processes one in three U.S. medical claims goes dark for six weeks." That gap is itself the lesson.
If you are a healthcare CISO and you cannot list, today, the top ten third-party services whose sustained outage would prevent you from billing, dispensing, or treating, you have homework. The exercise is not theoretical risk-modeling; it is identifying the second-order Change Healthcare in your own portfolio. Then ask, of each one, what they have done about phishing-resistant MFA on their own externally-reachable auth surfaces. The answer should be a written assertion in your vendor security documentation, not a hopeful inference.
How CELVEX Group tests for this
We added a dedicated incident-lessons supplement to our test catalog within 72 hours of the BlackCat forensics package becoming public. The detection logic lives in core/test_catalog/_supplement_incident_lessons_2026-03.py, and the specific test for the Change Healthcare chain pattern is INCIDENT-CITRIX-NOMFA-001.
What the test does, end to end:
- Enumerates externally-reachable auth surfaces by fingerprinting Citrix NetScaler, Ivanti, FortiGate, GlobalProtect, AnyConnect, RDWeb, and Microsoft RDS-class endpoints from a non-attributable observation point.
- Issues a probe authentication flow against each identified surface, parses the auth challenge, and determines whether the second factor is phishing-resistant (FIDO2/WebAuthn), push-with-number-matching, push-without-number-matching, SMS, or absent.
- Cross-references against a curated dataset of credentials offered for sale on monitored stealer-log markets keyed to the customer's primary domain — without exfiltrating the credentials themselves; the test only validates whether matching identifiers exist on the criminal forums.
- Produces a finding with severity scaled to the combination of (a) auth surface exposed, (b) MFA strength absent or weak, and (c) whether the customer's domain is currently appearing in fresh stealer-log dumps.
Customers running Celvex Sentry receive the test as part of their weekly continuous-attack-simulation cycle. The control that fails most often is not "MFA absent entirely" — that is rare in 2026 — but "SMS or push-without-number-matching is the only fallback path." That is the same control posture that let BlackCat's affiliate walk in.
Bottom line
The Change Healthcare incident was not exotic. It was the most-repeated initial-access pattern in modern ransomware, executed against a target large enough that the resulting outage stopped pharmacies from filling prescriptions in all 50 states. The forensic record is now public enough to be teachable. The seven checks above are what every healthcare org owes itself this week. Phishing-resistant MFA on every gateway is not a roadmap item; it is a control that the published case file says was the difference between a ransomware payday and a logged failed login.
Fourteen months of forensic work to confirm what every defender already suspected: the front door was unlocked. The cost was $2.4B and counting. Your front door is reachable from the same internet.
Sources
- CISA Joint Advisory AA23-353A: #StopRansomware: ALPHV Blackcat (updated February 2024)
- UnitedHealth Group Q1 2024 Form 10-Q (financial impact disclosure)
- Verizon Data Breach Investigations Report 2025 (stolen-credential statistics)
- NIST SP 800-63B-4 Draft: Digital Identity Guidelines
- Celvex Sentry: Continuous Gateway and Identity Surface Monitoring