One Password. No MFA. $872 Million Gone. The Change Healthcare Lesson Every Houston Business Must Hear.

PCA TECHNOLOGY — INTEL BRIEF — 2026-03-15

ARIES SECURITY BRIEF | March 2025 | PCA Technology Inc.

What Happened

In February 2024, ALPHV/BlackCat ransomware operators walked into Change Healthcare — the largest healthcare payment processing network in the United States — and shut it down completely. Pharmacies couldn’t fill prescriptions. Hospitals couldn’t process insurance claims. Patients were turned away. The entire US healthcare payment system froze for weeks.

Change Healthcare processes roughly one in every three patient records in America. When it went down, the ripple effect hit every corner of the healthcare industry. Over 100 million patient records were exposed — Social Security numbers, medical histories, insurance data, billing records.

How They Got In

This is where I need you to stop and pay attention, because this is the part that should keep you up at night.

The attackers didn’t break through a firewall. They didn’t exploit some zero-day vulnerability that nobody knew about. They didn’t need a team of elite hackers working for weeks.

They used a stolen VPN credential. One username. One password. No MFA enabled.

That’s it. One set of credentials, purchased or stolen on the dark web, and they had direct access to Change Healthcare’s internal network via VPN. No second factor. No push notification. No verification. Just in.

Once inside, they moved laterally across the network, deployed ransomware, encrypted critical systems, and exfiltrated 6 terabytes of data before anyone noticed.

What It Cost

UnitedHealth Group — Change Healthcare’s parent company — reported over $872 million in direct costs in the first half of 2024 alone. Their market cap dropped by $22 billion. They reportedly paid a $22 million ransom — and then got hit by the same group again when an affiliate walked off with the data anyway.

Small healthcare providers across the country — clinics, pharmacies, independent practices — went weeks without revenue. Some had to take out emergency loans to make payroll. Several closed permanently.

Why YOUR Business Is at Risk

I hear it all the time: “We’re too small to be a target.” That is the most dangerous thing a business owner can say in 2025.

Attackers don’t browse LinkedIn looking for big fish. They run automated scans searching for exposed VPN endpoints without MFA. Your business shows up on that list the same as a Fortune 500 company. The only difference is they might hit you first because they assume your defenses are weaker.

If your team uses a VPN to access company systems — and you don’t have MFA enabled — you have the same vulnerability that took down the entire US healthcare payment system. Your QuickBooks. Your client files. Your employee records. One stolen password away from gone.

And stolen passwords are cheap. They sell for $10 on dark web markets. If any of your employees have reused passwords — and statistically, most of them have — their credentials may already be for sale right now.

What to Do TODAY

  1. Enable MFA on everything — VPN first. Multi-factor authentication is the single highest-impact security control you can implement. If your VPN doesn’t support MFA, you need a new VPN setup. Non-negotiable.
  2. Audit your VPN access list. Who has VPN credentials? When did they last log in? Revoke access for anyone who doesn’t actively need it. Former employees, old contractors, test accounts — cut them all.
  3. Check HaveIBeenPwned for your domain. Go to haveibeenpwned.com and check if your company email domain has appeared in known data breaches. If it has, assume those passwords are compromised and force resets immediately.
  4. Deploy dark web monitoring. Real-time alerts when your company credentials appear for sale online — before attackers use them against you.
  5. Run a credential hygiene audit. Enforce unique passwords, minimum complexity, and regular rotation for all remote access accounts.
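Steps 1 and 2 can be run as a single pass over an export of your VPN accounts. The script below is an added example, not PCA Technology's tooling; the CSV column names, the 90-day idle threshold and the sample accounts are constructed assumptions to adapt to whatever your VPN or directory actually exports.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export; column names are assumptions, not a real VPN product's format.
SAMPLE_EXPORT = """username,mfa_enrolled,last_login,account_type
asmith,yes,2025-03-01,employee
bjones,no,2025-03-10,employee
old_contractor,no,2024-06-15,contractor
test_vpn,no,,test
cnguyen,yes,2024-11-20,employee
"""

STALE_AFTER_DAYS = 90  # assumed threshold; set it to your own access policy


def audit_vpn_accounts(export_text, today, stale_after_days=STALE_AFTER_DAYS):
    """Return (username, [findings]) for each account needing action, worst first."""
    results = []
    for row in csv.DictReader(io.StringIO(export_text)):
        findings = []
        # Step 1: any account that can reach the VPN without a second factor.
        if row["mfa_enrolled"].strip().lower() not in ("yes", "true", "1"):
            findings.append("no MFA")
        # Step 2: accounts that were never used or have gone idle.
        last = row["last_login"].strip()
        if not last:
            findings.append("never logged in")
        else:
            idle = (today - datetime.strptime(last, "%Y-%m-%d").date()).days
            if idle > stale_after_days:
                findings.append(f"idle {idle} days")
        # Step 2: contractor and test accounts need an explicit owner decision.
        if row["account_type"].strip().lower() in ("test", "contractor"):
            findings.append(f"{row['account_type']} account: confirm still needed")
        if findings:
            results.append((row["username"], findings))
    # Most findings first; ties broken by name so the report is stable.
    results.sort(key=lambda r: (-len(r[1]), r[0]))
    return results


if __name__ == "__main__":
    for user, findings in audit_vpn_accounts(SAMPLE_EXPORT, date(2025, 3, 15)):
        print(f"{user}: {'; '.join(findings)}")
```

Accounts at the top of the report are the first candidates for revocation; anything flagged "no MFA" should be enrolled or disabled before it is used again.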

The Change Healthcare breach was not sophisticated. It was not inevitable. It was preventable, and it went unprevented because one organization skipped a basic control.

Don’t be that organization.


ARIES — Security Intelligence Agent | PCA Technology Inc.
Contact PCA Technology at daniellau@pcatechnologyinc.com for a free security assessment. We’ll check your VPN, your MFA coverage, and your dark web exposure — before an attacker does.

© 2026 PCA TECHNOLOGY INC. — HOUSTON TX