UnitedHealth Data Breach & Cybersecurity Lessons for Healthcare

  • Writer: Sekurno

In February 2024, UnitedHealth’s Change Healthcare subsidiary was hit by one of the most disruptive cyberattacks in the history of U.S. healthcare. What began with a single stolen credential spiraled into a national outage of claims processing. Pharmacies couldn’t fill prescriptions, hospitals couldn’t bill, and providers were forced to operate without reimbursement flows. Patients were left waiting.


UnitedHealth has since estimated the incident will cost more than $3 billion in response and recovery, not including the reputational damage and regulatory scrutiny still unfolding. At its peak, the breach impacted roughly 190 million Americans. (WSJ)


The breach is a stark reminder that when authentication fails, entire business systems fail with it.



UnitedHealthcare Data Breach: What Went Wrong

  • Entry point: Hackers accessed a Change Healthcare server that lacked multi-factor authentication (MFA).

  • Execution: Ransomware was deployed, encrypting core systems.

  • Data exposure: Hackers claimed to have stolen 8 TB of sensitive data, though the extent remains disputed. (Reuters)

  • Operational impact: Claims processing collapsed, halting payment flows across providers and pharmacies. UnitedHealth had to issue $8.5 billion in emergency funds to stabilize the system. (Forbes)


This wasn’t just data loss. It was a breakdown in business logic. The clearinghouse model — centralizing sensitive data flows — became the single point of systemic failure.



The 23andMe Parallel

Only months earlier, 23andMe suffered its own high-profile breach. While different in execution, the root cause was familiar: weak authentication.


  • MFA was optional; fewer than 25% of users had enabled it.

  • Attackers ran credential stuffing against accounts with reused passwords.

  • Once inside, they exploited a business feature — the DNA Relatives tool — to scrape profiles at scale.

  • The result: 5.5 million users’ genetic data exposed through relational mapping, along with 1.4 million family tree entries. (Wired)


Just as UnitedHealth’s claims system failed due to missing MFA, 23andMe’s relational feature became the channel for mass data theft once authentication broke down.
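The credential-stuffing pattern described in the 23andMe bullets above, as an added detection example that is not part of the original post or any vendor's code: it parses constructed authentication log lines, flags sources that tried many distinct accounts with mostly failures, and lists successful logins from those sources onto accounts that never enrolled MFA. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample log (not real data): time, source IP, account, outcome, MFA enrolled?
AUTH_LOG = """\
2024-01-10T03:00:01Z 203.0.113.7 alice FAIL no
2024-01-10T03:00:02Z 203.0.113.7 bob FAIL no
2024-01-10T03:00:03Z 203.0.113.7 carol OK no
2024-01-10T03:00:04Z 203.0.113.7 dave FAIL yes
2024-01-10T03:00:05Z 203.0.113.7 erin FAIL no
2024-01-10T03:00:06Z 203.0.113.7 frank OK yes
2024-01-10T03:00:07Z 203.0.113.7 grace FAIL no
2024-01-10T03:00:08Z 203.0.113.7 heidi FAIL no
2024-01-10T03:01:00Z 198.51.100.4 alice FAIL yes
2024-01-10T03:01:30Z 198.51.100.4 alice OK yes
2024-01-10T03:02:00Z 192.0.2.9 bob OK no
"""

def parse_auth_log(text):
    """Parse the assumed five-field log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, user, result, mfa = parts
        events.append({"ts": ts, "ip": ip, "user": user,
                       "ok": result == "OK", "mfa": mfa == "yes"})
    return events

def stuffing_sources(events, min_accounts=5, max_success_rate=0.5):
    """Source IPs that tried many distinct accounts with mostly failures: the
    credential-stuffing signature (a reused password hits one account in many).
    Thresholds are assumptions to tune against real traffic."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        success_rate = sum(e["ok"] for e in evs) / len(evs)
        if len(users) >= min_accounts and success_rate <= max_success_rate:
            flagged[ip] = sorted(users)
    return flagged

def exposed_logins(events, flagged):
    """Successful logins from a flagged source onto accounts without MFA: the
    sessions to revoke and the accounts to reset first."""
    return sorted((e["ip"], e["user"]) for e in events
                  if e["ok"] and not e["mfa"] and e["ip"] in flagged)
```

Accounts with MFA enrolled still appear in the flagged source's target list, which is the per-account signal for forcing a reset even where the second factor held.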



What Both Breaches Reveal

These two very different breaches converge on the same lesson: authentication is not a checkbox — it’s the cornerstone of resilience.


1. Weak MFA = Systemic Risk

  • At UnitedHealth, a missing MFA control enabled ransomware that shut down national healthcare flows.

  • At 23andMe, making MFA optional left genomic datasets open to automated exploitation.

  • In both cases, the cost of weak authentication extended far beyond IT — it disrupted patient care, finances, and trust.


2. Business Logic Matters as Much as Infrastructure

  • In healthcare and biotech, data flows are the business: claims, prescriptions, genomic matches, trial recruitment.

  • Attackers don’t just breach servers — they abuse the intended features of those flows.

  • Security teams must threat model business logic, not just networks.


3. Compliance Is Already Clear on This

  • HIPAA, ISO 27001, and the FDA’s SPDF guidance all demand strong access controls.

  • In our ISO 27001 checklist for biotech and healthtech, MFA is a baseline requirement.

  • These aren’t abstract frameworks — they map directly to the failures we saw in both breaches.


4. Resilience Requires Design, Not Just Defense

  • UnitedHealth had to rebuild Change Healthcare systems from scratch, showing how brittle centralized architectures can be.

  • Healthcare and biotech systems must plan for graceful degradation — segmentation, tested backups, and redundancies that keep critical operations alive even during compromise.



The Broader Implications

  • For Providers: Payment and claims systems are lifelines. A single outage can cascade into insolvency risks.

  • For Biotech and Healthtech Startups: Data breaches don’t just mean fines — they threaten funding, partnerships, and regulatory approval.

  • For Regulators: The trend is clear. Authentication failures are no longer seen as “mistakes” — they’re compliance violations with legal and financial consequences.



Closing Thought

UnitedHealth’s ransomware crisis and 23andMe’s data leak tell the same story from different angles: when authentication fails, everything built on top of it is at risk.


For healthtech and biotech companies handling genomic, biomarker, or patient data, the takeaways are blunt but necessary:


  • Enforce MFA everywhere — no exceptions.

  • Threat model data flows and features as carefully as infrastructure.

  • Treat compliance frameworks as operational safeguards, not paperwork.

  • Build systems to fail gracefully, because attacks are inevitable.


Because in healthcare, cybersecurity failures don’t just mean downtime — they mean disrupted care, lost trust, and systemic paralysis.



Next Steps

If your company handles sensitive health, genomic, or patient data, the lesson from UnitedHealth and 23andMe is clear: authentication and threat modeling must be built into the foundation of your systems, not bolted on later.


At Sekurno, we work with healthtech and biotech teams to validate security controls, align with compliance frameworks, and test for the real-world attack paths that threaten business logic and data flows.


Download our Biotech Cybersecurity Report for deeper insights, or reach out to explore how we can help you build resilience before the next breach hits.


