Ignition by RocketTools
Healthcare is getting optimized by AI. But optimized for whom? Ignition by RocketTools breaks down the systems, incentives, and technology reshaping how care gets approved, denied, and paid for — with data, not hype.
How One Reused Password Cost Change Healthcare $2.5 Billion (Healthcare Security, Part 1)
In February 2024, hackers walked into the largest healthcare clearinghouse in America through a Citrix portal that didn't have multi-factor authentication. They used credentials stolen from a previous breach — someone, somewhere, had reused their password. Within hours they had ransomware running. Within days, pharmacies across the country couldn't fill prescriptions.
The ransom payment was $22 million in Bitcoin. The total cost to UnitedHealth Group is now over $2.457 billion. The number of Americans whose data was exposed is 192.7 million — roughly 58% of the country. And it all started with one reused password.
This is Part 1 of an 8-part Healthcare Security series. In this episode I walk through why your password habits are probably just as dangerous, why "47 logins" understates the reality for healthcare executives, and the four password managers I actually recommend — with the honest tradeoff on each, and no affiliate links. I also explain why a single patient record sells for $250 on the dark web while a credit card goes for $5, and why your AI tool account in 2026 holds more sensitive information than most of your work files.
In this episode:
- The Change Healthcare breach timeline and what Andrew Witty admitted under oath to Congress
- Why password patterns ("FirstName2024!" and friends) are now exactly what attackers test first
- The 47-logins-on-average problem for healthcare execs and why the real number is higher
- The four password managers I'd recommend: Dashlane, 1Password, Proton Pass, and Bitwarden — pricing, tradeoffs, who each is right for
- A four-step action plan you can run this week, starting with one email to your IT team
📺 Watch on YouTube: https://youtu.be/N62kieISWiI
📝 Read the director's cut companion post on Substack (deeper on Witty's Senate testimony, the dark web pricing texture, and the AI tool risk section I had to cut for time): https://open.substack.com/pub/danmccoymd/p/the-872m-password-mistake-was-actually
Next week, Part 2: why CISA and the FBI told Americans to stop using SMS-based MFA, the authenticator app I switched to after leaving Microsoft Authenticator, and the small piece of hardware I added on top.
I'm Dan McCoy. Ignition by RocketTools is the podcast for healthcare executives, physicians, and AI builders trying to think clearly about where this is all going.
It was a Tuesday morning in February 2024 when hackers broke into Change Healthcare's network. Change Healthcare is the company that processes one out of every three patient prescriptions in America, the largest healthcare IT clearinghouse in the country, and part of UnitedHealth Group, a Fortune 5 company. The vulnerability: a Citrix portal with no multi-factor authentication. The attack: credentials stolen from a previous breach. Someone had reused their password. Within hours, attackers deployed ransomware. Within days, prescription processing stopped nationwide. People are still digging out. Pharmacies couldn't fill prescriptions, doctors couldn't verify insurance. The entire healthcare payment system ground to a halt. The ransom payment was $22 million in Bitcoin, but the total cost to UnitedHealthcare was over $872 million. The number of Americans affected by this was 110 million, one-third of the entire country. And it started with just one reused password.

Today I'm going to tell you why your password habits are probably just as dangerous and exactly what to do about it. Here's what I need you to understand. You probably do this too. Most healthcare executives do. It's not laziness, it's cognitive load. Think about how many different logins you have: Epic or Cerner for your EMR, three different payer portals like UnitedHealthcare, Aetna, or Blue Cross, maybe CAQH for credentialing, your benefit broker system, Zoom for telemedicine, your hospital's VPN, email, Slack, DocuSign, you get it. If you're a healthcare executive, you're juggling 47 different logins on average. 47. No human can remember 47 unique random passwords.

So what do we do? We create systems. We use patterns like HealthSystem2024!, which becomes HealthSystem2025! next year. FirstNameLastName becomes FirstNameLastName1, then FirstNameLastName2. You know we've done this. EpicPassword becomes EpicPassword!, then maybe Epic2024!. We think we're being clever. We're following the rules: we're using capital letters, numbers, special characters, we change them when we're required and we get the email. But here's the problem. Hackers know these patterns too. They have databases of 15 billion compromised passwords from previous breaches. They feed these patterns to AI, which generates variations at 10,000 attempts per minute. The harder you try to remember your password, the more predictable it becomes. And healthcare workers are specifically targeted because patient data sells for $250 per record on the dark web. Credit card numbers, five bucks. Your important Social Security number, only a dollar. Medical records are worth 50 times more than financial data because they can't be changed. You can get a new credit card; you can't get a new medical history.

Let's talk about what makes this even more dangerous in 2024. You're not just accessing EMRs anymore, you're using AI tools: ChatGPT, possibly for clinical documentation (be careful), Claude for benefits analysis, Microsoft Copilot embedded in everything you touch now. Many of these tools have access to your data, your prompts, your uploads, your conversations. If you're a consultant like me, that's client work product, proprietary analyses, maybe strategic insights that come out of my brain. A compromised AI account isn't just email access. It's everything you've ever asked the AI, everything you've ever uploaded, potentially being exposed or used as training data for those systems. And the phishing attacks are perfect now. I can't tell the difference between a real Epic login page and a fake one, and neither can you. AI generates pixel-perfect copies with accurate context, sent at the right time of the day from what looks like a legitimate sender. Awareness training doesn't work anymore. That "think before you click" poster that's in the hospital break room, in my opinion, is useless. The emails are perfect today.

Now, password managers solve this by removing humans from the password creation process entirely. Instead of trying to remember 47 passwords, you remember only one, your master password. Everything else just gets stored in an encrypted vault. But here's the critical part: the password manager generates truly random passwords, not patterns, not words you can remember, but random strings like KJA$nq, yada yada, yada. No human pattern means no AI pattern recognition. No dictionary words means no brute-force attacks. And no reuse means one compromised system doesn't cascade to others on the system. If Change Healthcare had used unique passwords for every system, that attack would have stopped at the very first door. One account compromise, not network access.

Now here's what you need to know before you go download a password manager. Check with your IT department first. Some health systems provide enterprise password managers: Keeper, 1Password Teams, Bitwarden. If they give you one, then use theirs. Don't use a personal password manager for work credentials if they provided an enterprise solution. Some organizations have policies prohibiting personal password managers for work logins. This is less common today, but it exists and you need to ask first. Many organizations have no policy yet because password managers are still relatively new in healthcare IT. If they say "we don't have a policy" or "yeah, that's fine," you're probably good to proceed. The question to ask is: do we have a recommended password manager? And if not, can I use a personal one for my work logins? If they say yes or have no policy, here are your options.

There are no endorsements here, no affiliate links. I'm just going to walk you through what I actually do. I use Dashlane. I've been using it for years. I chose it because the interface is clean, the mobile app works flawlessly, and it has emergency access features. If something happens to me, my girlfriend can get into critical accounts after maybe a waiting period. Other solid choices are 1Password. That's what most tech companies use. It's great for teams. It's got a browser extension that works everywhere. It's $36 a year, I think, for individuals, and there may be some enterprise options available too. Proton Pass, from the people that make Proton Mail. They're in Sweden. Very privacy-focused. It's open source, end-to-end encryption. It's good if you're already in the Proton ecosystem. I really like it. There's a free tier available too, but it's $24 a year for premium, and I would highly recommend upgrading. Bitwarden is open source, which means security researchers can audit the code. It's only $10 a year for premium. It's the most affordable option. And you can actually self-host it if you want to in your own organization if you want full control. Honestly, I don't recommend that.

All four have the features you need: AES-256 encryption, zero-knowledge architecture (they can't see your passwords even if they wanted to), mobile apps and browser extensions, autofill for login forms (be careful with that), secure password sharing for things like shared vendor accounts, audit logs if you need them for compliance. What matters most is that you use one. And any of these four is exponentially better than reusing your passwords.

So here's the action plan. First, ask your IT department about password manager policy. Email them today: do we have a recommended password manager? And if not, can I use a personal one for work logins? Second, if they approve or don't have a policy, choose one and set it up. This takes about 30 minutes to get it perfect. Third, migrate your 10 most critical logins. Start with your email. This is your password reset mechanism for everything else. Do your bank, your EMR, your EHR, your top three payer portals, any AI tools that you use for work. Fourth, generate new passwords for each of these: random, unique, 16-plus characters. The password manager will do this for you automatically.

You'll know it's working when you try to remember your Epic password in the future and you can't. That's the point. Random strings are unmemorable. That's what makes them secure. If you discover you've been reusing passwords, which is extremely likely, change them immediately. Start with email because that's how you'll reset everything else, like I mentioned. And if you think you clicked a suspicious link in the last 30 days, contact your IT team now, not tomorrow, but actually do that right now.

That's it. That's the episode. Password managers: check with IT, set one up, migrate your critical logins. You can implement this today. I'm Dan McCoy. This is RocketTools. Thanks for watching.
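As an added example (not from the episode and not code from any of the password managers it names), here is a small Python audit in the spirit of the action plan above: it takes a constructed vault of made-up credentials, flags the HealthSystem2024!/HealthSystem2025! style pattern families and exact reuse across sites, and replaces the flagged entries with random 16-plus character strings drawn from the standard library's secrets module, which is what a password manager's generator does.

```python
import re
import secrets
import string
from collections import defaultdict

# Constructed sample vault (made-up credentials, not from the episode): one base word
# with a year or counter bumped at each rotation, reuse across two payer portals,
# and one genuinely random entry.
SAMPLE_VAULT = {
    "epic": "HealthSystem2024!",
    "payer-a": "HealthSystem2025!",
    "payer-b": "HealthSystem2025!",
    "zoom": "DanMcCoy1",
    "vpn": "DanMcCoy2",
    "email": "q7$Vm2#kL9pR!xZ4",
}

PATTERN = re.compile(r"^[A-Za-z]+\d{0,4}[!@#$%^&*]?$")  # word + year/counter + symbol


def looks_like_pattern(pw: str) -> bool:
    return PATTERN.match(pw) is not None


def base_of(pw: str) -> str:
    """Drop the rotated suffix so Base2024! and Base2025! map to the same key."""
    return re.sub(r"[\d!@#$%^&*]+$", "", pw).lower()


def find_pattern_families(vault: dict) -> dict:
    """Sites whose passwords differ only by the rotated year/counter suffix."""
    fam = defaultdict(list)
    for site, pw in vault.items():
        if looks_like_pattern(pw):
            fam[base_of(pw)].append(site)
    return {b: s for b, s in fam.items() if len(s) > 1}


def find_exact_reuse(vault: dict) -> dict:
    """Identical password on more than one site: one breach cascades to all."""
    seen = defaultdict(list)
    for site, pw in vault.items():
        seen[pw].append(site)
    return {pw: s for pw, s in seen.items() if len(s) > 1}


def generate_password(length: int = 16) -> str:
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(max(length, 16)))  # CSPRNG, never below 16


def remediate(vault: dict) -> dict:
    """Replace every pattern or reused password; leave the random ones alone."""
    flagged = {s for sites in find_pattern_families(vault).values() for s in sites}
    flagged |= {s for sites in find_exact_reuse(vault).values() for s in sites}
    return {s: (generate_password() if s in flagged else pw) for s, pw in vault.items()}
```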