In February 2024 Change Healthcare was breached when BlackCat/ALPHV operators used a single set of previously exposed credentials to log in through a Citrix remote-access portal that required nothing beyond the password. With that foothold the attackers spent nine days moving laterally, locating high-value claims data, exfiltrating large volumes, and finally deploying ransomware. The result was weeks of halted medical-claim processing across a large share of U.S. healthcare providers that depended on Change Healthcare's clearinghouse.
Verizon's 2025 DBIR records that 54 percent of ransomware victims had their domains appear in infostealer logs or credential dumps before the attack. Change Healthcare followed the same pattern: the decisive factor was an authentication surface that accepted the leaked password at face value and demanded no cryptographic proof that the login came from an enrolled device.
Credential Exposure as the Sole Entry Point
Many remote-access systems still treat the first factor as sufficient, or layer on only phishable second factors such as SMS codes, TOTP applications, or push notifications, all of which an adversary-in-the-middle kit can relay in real time or a user can approve under push fatigue. In this incident the portal enforced none of these controls, so the single compromised credential granted immediate network presence. The same credential-first design has been the initial foothold in many earlier incidents, typically through a low-privilege account whose password had already appeared in a dump.
Limits of Partial Public-Key Deployments
Replacing passwords with FIDO2 or WebAuthn public-key challenges strengthens the login step itself. However, registration, device enrollment, policy changes, and account recovery frequently remain dependent on email links, SMS tokens, or help-desk resets, and these channels stay susceptible to interception or social engineering. An attacker will target the weakest of them, so the overall assurance level is set by the most phishable fallback, not by the login ceremony. A prevention-oriented model removes every phishable element across the entire identity lifecycle: registration and device binding occur once using public-key cryptography in which the private key never leaves the device, and every subsequent authorization decision reuses that same device-bound key.
Device-Bound Keys Eliminate Reusable Secrets
When authentication depends on a hardware-protected private key that never leaves the endpoint, possession of a username and password alone cannot satisfy the challenge: the server's random challenge must be signed by the enrolled key, and that signature cannot be produced on any other machine. A Citrix portal enforcing such a challenge would have rejected the login at the first remote-access attempt, before the nine-day dwell time and the ransomware deployment that followed. There is also no central store of reusable secrets for an attacker to query or dump: the identity provider holds only public keys, which are useless without the matching private key that resides solely on the enrolled device.
Employee off-boarding is handled by revoking the public key at the identity provider; the corresponding private key on the device simply stops being accepted. No shared secret has to be rotated across systems. This approach aligns with MFA 2.0: phish-proof, passwordless authentication built on public-key cryptography, using device-bound credentials with no central credential store, and operating as same-device authentication without reliance on a second device. The architecture focuses on preventing the initial login rather than detecting misuse afterwards.
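The following is an added example written for this page; it is not code from Change Healthcare, Citrix, or IDEE. It models the challenge-response described above with a relying party that stores only public keys, a device that holds an Ed25519 private key (standing in for a TPM, secure enclave, or FIDO authenticator), and four login attempts: the enrolled device, an attacker who has the leaked password but signs from their own machine, a challenge relayed through a look-alike domain, and a login after the key is revoked at off-boarding. The RP identifier, usernames, domains, and the in-memory maps are assumptions; WebAuthn binds assertions to the RP ID/origin in the same way, but this is a simplified sketch of that binding, not the WebAuthn wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Hypothetical RP ID for the portal; WebAuthn binds every assertion to the RP ID/origin the same way.
const rpID = "remote-access.example.com"
var (
	ErrNoCredential = errors.New("no registered credential for user")
	ErrRevoked      = errors.New("credential revoked")
	ErrBadSignature = errors.New("assertion does not verify under the registered public key")
)

// Device stands in for a hardware-protected key store; its private key is generated here and never exported.
type Device struct{ priv ed25519.PrivateKey }

// Enroll creates the key pair on the device and returns only the public half for registration.
func Enroll() (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}, pub
}

// Sign answers a challenge over the RP ID the device believes it is talking to, so a relayed challenge fails.
func (d *Device) Sign(seenRPID string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, assertionMessage(seenRPID, challenge))
}

// assertionMessage binds the challenge to the RP ID, as WebAuthn's clientDataJSON binds it to the origin.
func assertionMessage(id string, challenge []byte) []byte { return append([]byte(id+"\x00"), challenge...) }

// RelyingParty stores public keys only; dumping this table yields nothing that can log in.
type RelyingParty struct {
	keys    map[string]ed25519.PublicKey
	revoked map[string]bool
}

// Revoke is the entire off-boarding step: the device's private key is no longer accepted here.
func (rp *RelyingParty) Revoke(user string) { rp.revoked[user] = true }

// Challenge issues 32 fresh random bytes for one login attempt.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify is the only decision point; a username (and any password) carries no weight here.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) error {
	pub, ok := rp.keys[user]
	if !ok {
		return ErrNoCredential
	}
	if rp.revoked[user] {
		return ErrRevoked
	}
	if !ed25519.Verify(pub, assertionMessage(rpID, challenge), sig) {
		return ErrBadSignature
	}
	return nil
}

// Scenarios runs the attack paths discussed in the text against one relying party.
func Scenarios() map[string]error {
	victim, victimPub := Enroll()
	// Registration: only the public key reaches the identity provider (constructed sample user).
	rp := &RelyingParty{keys: map[string]ed25519.PublicKey{"alice": victimPub}, revoked: map[string]bool{}}
	out := map[string]error{}
	// 1. Legitimate login from the enrolled device.
	c := rp.Challenge()
	out["enrolled_device"] = rp.Verify("alice", c, victim.Sign(rpID, c))
	// 2. Attacker holds alice's leaked username and password but can only sign from their own machine.
	attacker, _ := Enroll()
	c = rp.Challenge()
	out["leaked_password_other_machine"] = rp.Verify("alice", c, attacker.Sign(rpID, c))
	// 3. Attacker relays a genuine challenge through a look-alike domain; alice's device signs what it sees.
	c = rp.Challenge()
	out["relayed_via_lookalike_domain"] = rp.Verify("alice", c, victim.Sign("remote-access.example.com.evil.test", c))
	// 4. Off-boarding: one revocation at the identity provider, no shared secret rotated anywhere.
	rp.Revoke("alice")
	c = rp.Challenge()
	out["after_revocation"] = rp.Verify("alice", c, victim.Sign(rpID, c))
	return out
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-30s %v\n", name, err)
	}
}
```

Only the first scenario succeeds. The second fails because the attacker's signature verifies under the attacker's key, not the one registered for alice; the third fails because the RP reconstructs the signed message with its own RP ID, so a signature over the look-alike domain never matches; the fourth fails on the revocation flag before the signature is even checked. A production deployment would additionally track issued challenges so each is consumed once and would use an attested authenticator rather than a software key, neither of which is shown here.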
Implementations such as AuthN by IDEE generate and attest the key pair directly on the endpoint, ensuring that an exposed password remains irrelevant to any subsequent authentication decision.