Insights
Analysis of recent breaches, security learning failures, and what changes when organizations build institutional memory.
Change Healthcare: 55 Days Between Advisory and $872M Breach
On December 19, 2023, CISA published advisory AA23-353A on ALPHV Blackcat ransomware, including specific TTPs, indicators of compromise, and mitigation steps. 55 days later, on February 12, 2024, attackers gained initial access to Change Healthcare using the techniques that advisory described.
The result: $872M+ in damages, 190 million individuals affected, and nationwide pharmacy disruptions lasting weeks.
The intelligence existed
This isn't a case where the threat was unknown. CISA published a detailed advisory with actionable information. The gap wasn't intelligence - it was operationalization. The advisory was received, probably read, and never converted into enforced defense across Change Healthcare's security stack.
In a Security Learning Control Plane, a single CISA advisory input produces 7 governed artifacts: detection rules, hunt hypotheses, playbook updates, MITRE mappings, compliance evidence, control updates, and monitoring rules. From one input, coordinated defense. In under 5 minutes.
The pattern
Change Healthcare is the clearest example of a systemic failure: the security industry produces intelligence at scale, but lacks infrastructure to convert that intelligence into enforced prevention. The 55-day gap between advisory and breach is not an anomaly - it's the default when governed translation doesn't exist.
The question isn't "did they know?" It's "did the knowing become doing?" For Change Healthcare, the answer was no. For five other major organizations, the answer was the same.
Why 78% of Breached Organizations Get Breached Again
The statistics are from Cybereason's ransomware study: 84% of victims paid the ransom, 78% were breached again, and 36% were breached again by the same attacker. But the numbers only tell half the story.
It's not a tooling problem
The average enterprise deploys 76 security tools (Panaseer, 2022). T-Mobile pledged $150M in security improvements after its 2021 breach and was breached again within 15 months. Okta warned its customers, MGM among them, about social-engineering campaigns against IT help desks weeks before the September 2023 attack on MGM, and MGM did not act on it. These organizations don't lack tools, talent, or budget.
They lack a system that turns "we learned this" into "we enforced this."
The four failure modes
Across five public re-breach cases totaling $900M+ in damages, the same four patterns repeat:
Narrow remediation. Fix the specific exploit, not the class of vulnerability. Okta fixed third-party access after 2022 but ignored employee credential hygiene - same attack pattern, different vector, 18 months later.
Delayed patching. Rackspace (December 2022) chose Microsoft's published mitigation over patching a critical Exchange vulnerability, and the mitigation was later bypassed. The decision was documented but not governed - no expiry date, no risk owner, no validation that the mitigation actually held.
No closed loop. T-Mobile pledged $150M and still missed an API running unchecked for 6 weeks. No system verified that post-incident action items were completed, validated, and enforced.
Learning decay. Lessons documented in postmortems, wikis, and tickets. Never operationalized into production defense. When people leave, the knowledge leaves with them.
The fix isn't more tools. It's infrastructure that captures what teams learn and enforces it across the stack. A Security Learning Control Plane that ensures the knowing becomes the doing.
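The four failure modes above share a checkable shape: a remediation record with no owner, no expiry, or no validation evidence, or one that was closed without anyone proving it worked. The following is an added example, not code from this page or from any Security Learning Control Plane product. It lints a small constructed remediation register for exactly those gaps. The record fields, the 90-day mitigation limit, and the four sample records are assumptions made for illustration, not data from any real incident.

```python
"""Governance lint over a remediation register.

Added example, not code from the page or the vendor's product. The record
shape, field names and the 90-day limit are assumptions; the records in
SAMPLE_REGISTER are constructed to mirror the failure modes in the text,
not taken from any real incident.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

# Assumed policy: a mitigation may stand in for a patch at most this long
# before it must be replaced or explicitly re-approved.
MAX_MITIGATION_DAYS = 90


@dataclass
class Remediation:
    ref: str
    kind: str                            # "mitigation" (stop-gap for a patch) or "action_item" (postmortem task)
    owner: Optional[str] = None          # accountable risk owner
    opened: Optional[date] = None
    expires: Optional[date] = None       # mitigation: re-approval deadline; action item: due date
    validated_on: Optional[date] = None  # last time someone proved the control actually works
    closed_on: Optional[date] = None


def check(rec: Remediation, today: date) -> list:
    """Return the governance gaps for one record (an empty list means governed)."""
    gaps = []
    if not rec.owner:
        gaps.append("no risk owner")

    if rec.kind == "mitigation":
        if rec.expires is None:
            gaps.append("no expiry date")
        elif rec.closed_on is None and rec.expires < today:
            gaps.append("expired but still relied on")
        if rec.opened and rec.expires and (rec.expires - rec.opened).days > MAX_MITIGATION_DAYS:
            gaps.append("expiry exceeds %d-day policy" % MAX_MITIGATION_DAYS)
        if rec.validated_on is None:
            gaps.append("never validated")

    elif rec.kind == "action_item":
        if rec.closed_on is None:
            if rec.expires is not None and rec.expires < today:
                gaps.append("open past due date")
        elif rec.validated_on is None:
            # Ticket closed, but nothing on record shows the fix was verified.
            gaps.append("closed without validation evidence")

    return gaps


def audit(register, today: Union[date, str]) -> dict:
    """Map each record ref to its gaps as of `today` (a date or ISO string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return {r.ref: check(r, today) for r in register}


SAMPLE_REGISTER = [
    # Documented but ungoverned stop-gap: no owner, no expiry, never validated.
    Remediation("EX-1", "mitigation", opened=date(2024, 1, 5)),
    # Governed stop-gap: owner, bounded expiry, validation on record.
    Remediation("EX-2", "mitigation", owner="platform-sec", opened=date(2024, 3, 1),
                expires=date(2024, 5, 1), validated_on=date(2024, 3, 2)),
    # Postmortem task ticked off with no evidence it was verified: no closed loop.
    Remediation("AI-7", "action_item", owner="api-team", opened=date(2024, 2, 1),
                expires=date(2024, 3, 1), closed_on=date(2024, 2, 20)),
    # Postmortem task still open weeks past its due date.
    Remediation("AI-8", "action_item", owner="iam-team", opened=date(2024, 2, 1),
                expires=date(2024, 3, 1)),
]

if __name__ == "__main__":
    for ref, gaps in audit(SAMPLE_REGISTER, "2024-04-15").items():
        print(ref, "governed" if not gaps else "; ".join(gaps))
```

Run against the constructed register on 2024-04-15, EX-1 trips three gaps, EX-2 passes, AI-7 is flagged as closed without validation, and AI-8 as open past due; re-running on 2024-06-01 flags EX-2 as expired but still relied on, which is the check a mitigation-instead-of-patch decision needs on a schedule, not once.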
The 48-Month CISO Cycle and What It Means for Security Knowledge
The average CISO/security leader tenure is 48 months. Every four years, the person who holds the most context about an organization's security posture, threat landscape, and institutional lessons walks out the door.
What leaves with them
When a senior security leader departs, they take with them: knowledge of past incidents and what was learned, relationships with threat intelligence sources, understanding of which controls are effective and which are theater, context on why specific architectural decisions were made, and institutional memory of previous attack patterns.
The incoming CISO starts from a partial picture. They inherit tools, dashboards, and documentation, but not the institutional knowledge that informed decisions. The organization's security effectiveness resets.
The compound cost
This isn't just a people problem. It's a systems problem. Organizations that depend on individuals for institutional knowledge are structurally vulnerable to the 48-month cycle. Each transition creates a window where past lessons are forgotten, previous decisions lack context, and the attack surface quietly expands.
Knowledge compounding requires that learning lives in infrastructure, not in people. A security knowledge graph that captures every incident, every decision, every lesson - and makes it available to whoever holds the role next. The system remembers what your teams learned, regardless of who's on the team.
Follow Our Thinking
Weekly security signals, breach analysis, and insights on detection governance.