The Breach That Cost Change Healthcare Everything
In February 2024, a threat actor used stolen credentials to access Change Healthcare's systems — systems that lacked multi-factor authentication on a critical remote access portal. The result? A ransomware attack that disrupted pharmacy operations across the United States for weeks and exposed the protected health information of over 100 million individuals. UnitedHealth Group, Change Healthcare's parent company, estimated the total cost at over $2.4 billion.
That single incident illustrates why data breach prevention isn't a checkbox exercise. It's a layered discipline that demands specific, unglamorous work across your entire organization. And most of the failures I've seen over twenty years in this field aren't exotic zero-days. They're missed basics.
This post walks you through nine steps that actually reduce your breach risk — not theoretical advice, but the specific controls and habits that separate organizations that get breached from those that don't.
Why Data Breach Prevention Fails at Most Organizations
The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element — phishing, stolen credentials, or simple errors. That number has hovered in the same range for years. We know the problem. We just keep underinvesting in the solution.
Here's what I see repeatedly: organizations spend six figures on perimeter tools and almost nothing on the people who click the links. They buy endpoint detection but never test whether their incident response plan actually works. They mandate password changes every 90 days but don't enforce MFA on their VPN.
Data breach prevention fails because security teams optimize for compliance instead of resilience. Passing an audit and surviving a determined attacker are two very different things.
Step 1: Know Exactly What You're Protecting
You can't prevent a breach if you don't know where your sensitive data lives. I've worked with organizations that had customer PII sitting in forgotten SharePoint sites, unencrypted databases in development environments, and HR records on shared drives with no access controls.
Start with a data inventory. Classify everything by sensitivity. Map where it's stored, who accesses it, and how it moves between systems. This isn't glamorous work, but it's foundational.
Data Classification That Doesn't Collect Dust
Most classification policies get written, approved, and ignored. Make yours operational. Tag data at creation. Automate discovery scans for PII patterns like Social Security numbers and credit card formats. Assign data owners who are accountable — not just named on a spreadsheet.
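An added example (not from this post) of the automated discovery scan just described: regex candidates for SSNs and card numbers, with SSN format rules and a Luhn checksum to cut false positives, run over a constructed sample document. The sample text and the masking format are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample standing in for a document found by a discovery scan.
SAMPLE_TEXT = """Employee onboarding notes (constructed sample)
SSN: 123-45-6789 for payroll setup
Not a valid SSN: 000-12-3456
Corporate card 4111 1111 1111 1111 kept on file for travel
Order ref 1234-5678-9012-3456 is not a card number
"""

# SSN format rules: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four characters so findings can be logged safely."""
    return "*" * (len(value) - 4) + value[-4:]

def scan_text(text: str) -> List[Tuple[str, str, int]]:
    """Return (kind, masked value, line number) for each probable PII hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(("ssn", mask(m.group()), line_no))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append(("card", mask(digits), line_no))
    return findings

if __name__ == "__main__":
    for kind, masked, line_no in scan_text(SAMPLE_TEXT):
        print(f"line {line_no}: {kind} {masked}")
```

In a real scan the findings feed a tagging step and are routed to the data owner responsible for that location.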
Step 2: Deploy Multi-Factor Authentication Everywhere
The Change Healthcare breach happened because MFA wasn't enabled on a Citrix remote access portal. One set of stolen credentials was all the attacker needed.
MFA is the single highest-impact control you can deploy for credential theft prevention. According to CISA, MFA blocks 99% of automated credential attacks. Yet I still encounter organizations in 2026 that only require it for email and leave VPNs, admin consoles, and cloud platforms wide open.
Deploy phishing-resistant MFA — FIDO2 security keys or passkeys — wherever possible. SMS-based codes are better than nothing, but SIM-swapping attacks have made them unreliable for high-value targets.
Step 3: Train Your People Like Attackers Target Them
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2024 Cost of a Data Breach Report put the global average breach cost at $4.88 million. Phishing was the most common initial attack vector. Social engineering remains the preferred method because it works — humans are trusting by default, and threat actors exploit that.
Generic, once-a-year security awareness training doesn't change behavior. What does work: continuous reinforcement, role-specific scenarios, and realistic phishing simulations that teach people what modern attacks actually look like.
If your organization hasn't invested in structured cybersecurity awareness training, you're leaving your most exploited attack surface completely undefended. Pair that with dedicated phishing awareness training for your teams and you'll see measurable improvement in click rates within 90 days.
What Good Security Training Looks Like
- Phishing simulations sent monthly, not quarterly, using current lure themes (package delivery, HR policy changes, MFA reset requests).
- Immediate feedback when someone clicks — a teachable moment, not a punishment.
- Role-specific modules: finance teams get BEC scenarios, IT admins get credential harvesting exercises, executives get whaling simulations.
- Metrics tracked over time: click rate, report rate, time-to-report.
Step 4: Implement Zero Trust Architecture
Zero trust isn't a product you buy. It's an architecture principle: never trust, always verify. Every access request gets authenticated, authorized, and encrypted — regardless of whether it comes from inside or outside your network.
In practice, this means microsegmentation, least-privilege access, continuous session validation, and the assumption that your network is already compromised. NIST Special Publication 800-207 provides the zero trust architecture framework that most federal agencies and forward-thinking enterprises use as their blueprint.
Where to Start With Zero Trust
Don't try to boil the ocean. Start with identity. Enforce MFA. Implement conditional access policies based on device health, location, and risk score. Then extend to network segmentation — isolate your crown jewels so a compromised endpoint doesn't give an attacker lateral movement across your entire environment.
Step 5: Patch With Urgency, Not Just on Schedule
Vulnerability exploitation was the third most common initial access vector in the Verizon DBIR. When a critical CVE drops — especially one being actively exploited in the wild — you need a process to patch within hours, not weeks.
I've seen organizations with 90-day patching cycles get breached through vulnerabilities that had patches available for months. Your patching cadence should distinguish between routine updates and emergency patches. Automate where you can. Prioritize based on CISA's Known Exploited Vulnerabilities catalog, not just CVSS scores.
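An added example (not the author's tooling) of the KEV-first prioritisation described above: a triage routine that puts anything in the KEV catalog into an emergency lane regardless of CVSS, caps its deadline at CISA's own due date, and only then falls back to CVSS and exposure. The KEV fragment follows the field names of the public JSON feed but its CVE ids are placeholders; the findings list and the SLA values are constructed assumptions.

```python
import json
from datetime import date, timedelta
from typing import Dict, List

# Constructed fragment in the shape of CISA's KEV JSON feed; the CVE ids are placeholders.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-10001", "dueDate": "2024-03-15", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-10002", "dueDate": "2024-04-01", "knownRansomwareCampaignUse": "Unknown"}
]}""")

# Constructed scanner output: CVE id, CVSS base score, whether the host is internet-facing.
FINDINGS = [
    {"cve": "CVE-0000-10003", "cvss": 9.8, "exposed": False},
    {"cve": "CVE-0000-10001", "cvss": 7.5, "exposed": True},
    {"cve": "CVE-0000-10002", "cvss": 6.1, "exposed": False},
    {"cve": "CVE-0000-10004", "cvss": 4.3, "exposed": True},
]

# Assumed internal SLAs in days; the emergency lane is shorter for exposed hosts.
SLA_DAYS = {"emergency_exposed": 3, "emergency": 7, "priority": 14, "routine": 30}

def triage(findings: List[Dict], kev_feed: Dict, today_iso: str) -> List[Dict]:
    """Assign each finding a patch lane and deadline; KEV membership overrides CVSS."""
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    today = date.fromisoformat(today_iso)
    out = []
    for f in findings:
        entry = kev.get(f["cve"])
        ransomware = False
        if entry is not None:
            lane = "emergency"
            sla = SLA_DAYS["emergency_exposed" if f["exposed"] else "emergency"]
            # Never later than CISA's due date, and sooner than that for exposed hosts.
            deadline = min(date.fromisoformat(entry["dueDate"]), today + timedelta(days=sla))
            ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
        elif f["cvss"] >= 9.0 or (f["cvss"] >= 7.0 and f["exposed"]):
            lane, deadline = "priority", today + timedelta(days=SLA_DAYS["priority"])
        else:
            lane, deadline = "routine", today + timedelta(days=SLA_DAYS["routine"])
        out.append({**f, "lane": lane, "deadline": deadline.isoformat(), "ransomware": ransomware})
    rank = {"emergency": 0, "priority": 1, "routine": 2}
    # Within a lane: ransomware-linked first, then exposed hosts, then higher CVSS.
    out.sort(key=lambda r: (rank[r["lane"]], not r["ransomware"], not r["exposed"], -r["cvss"]))
    return out
```

Note that the 9.8 CVSS finding lands behind both KEV entries: a score describes severity, the catalog describes what is actually being exploited.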
Step 6: Encrypt Data at Rest and in Transit
Encryption won't prevent every breach, but it limits the damage dramatically. If an attacker exfiltrates encrypted data and you hold the keys, that data is useless to them. Many breach notification laws also have safe harbor provisions for encrypted data — meaning you may not need to notify affected individuals if the stolen data was properly encrypted.
Use AES-256 for data at rest. Enforce TLS 1.3 for data in transit. Manage encryption keys through a dedicated key management system, not spreadsheets or shared drives.
Step 7: Build an Incident Response Plan You've Actually Tested
Every organization I've consulted with has an incident response plan. Maybe 20% have tested it in the last year. An untested plan is a document, not a capability.
Tabletop Exercises That Reveal Real Gaps
Run tabletop exercises quarterly. Use realistic scenarios: a ransomware attack on a Friday evening, a BEC wire transfer to an attacker-controlled account, a third-party vendor breach that exposes your customer data. Include legal, communications, and executive leadership — not just IT.
The gaps you find during a tabletop are the gaps an attacker will exploit during a real incident. Do you know who approves system shutdowns at 2 AM? Does your communications team have pre-drafted breach notification templates? Can your backup team restore critical systems within your target recovery time? These questions need answers before the crisis hits.
Step 8: Control Third-Party Risk Before It Controls You
The 2013 Target breach, the 2020 SolarWinds compromise, the 2023 MOVEit attacks — some of the most devastating breaches in history came through third-party vendors. Your data breach prevention strategy is only as strong as your weakest vendor.
Require security assessments for any vendor that touches your data or connects to your network. Include breach notification requirements in contracts. Monitor vendor security posture continuously, not just during annual reviews. Limit vendor access to the minimum necessary — and revoke it immediately when the engagement ends.
Step 9: Monitor, Detect, and Respond in Real Time
Prevention is the goal, but detection speed determines the damage. IBM's data shows that breaches identified in under 200 days cost significantly less than those that linger. The average time to identify a breach was still 194 days in their 2024 report — nearly seven months of an attacker operating inside your environment.
Deploy a SIEM or managed detection and response (MDR) service. Correlate logs across endpoints, network, identity, and cloud. Alert on anomalies: impossible travel, privilege escalation, mass file downloads, lateral movement patterns. And staff your SOC with people empowered to act — an alert that sits in a queue for 48 hours is worse than no alert at all.
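An added example (not from this post or any vendor's product) of one of the anomaly rules listed above, impossible travel: consecutive sign-ins by the same user are compared by great-circle distance and elapsed time, and an alert fires when the implied speed exceeds what a flight could cover. The sign-in events are constructed JSON lines already enriched with coordinates; the speed and minimum-distance thresholds are assumed tuning values.

```python
import json
import math
from datetime import datetime, timezone
from typing import Dict, List

# Constructed, geo-enriched sign-in events (JSON lines); IPs are from documentation ranges.
SAMPLE_LOGS = """
{"ts": "2024-03-01T09:00:00Z", "user": "alice", "src_ip": "203.0.113.10", "lat": 40.7128, "lon": -74.0060}
{"ts": "2024-03-01T10:30:00Z", "user": "alice", "src_ip": "198.51.100.7", "lat": 35.6762, "lon": 139.6503}
{"ts": "2024-03-01T08:00:00Z", "user": "bob", "src_ip": "192.0.2.25", "lat": 51.5074, "lon": -0.1278}
{"ts": "2024-03-01T10:00:00Z", "user": "bob", "src_ip": "192.0.2.99", "lat": 48.8566, "lon": 2.3522}
"""

MAX_SPEED_KMH = 900.0   # assumed tuning value: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0  # assumed: ignore geo-IP jitter between nearby locations

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_events(lines: str) -> List[Dict]:
    """Parse JSON lines and convert timestamps to timezone-aware datetimes."""
    events = []
    for line in lines.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(e)
    return events

def impossible_travel(lines: str, max_kmh: float = MAX_SPEED_KMH) -> List[Dict]:
    """Alert when consecutive sign-ins by one user imply a speed above max_kmh."""
    alerts, last = [], {}
    for e in sorted(parse_events(lines), key=lambda x: (x["user"], x["ts"])):
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")  # same-second logins far apart
            if km >= MIN_DISTANCE_KM and speed > max_kmh:
                alerts.append({"user": e["user"], "from_ip": prev["src_ip"],
                               "to_ip": e["src_ip"], "km": round(km), "kmh": round(speed)})
        last[e["user"]] = e
    return alerts
```

The London-to-Paris pair stays quiet at well under 200 km/h, while the New York-to-Tokyo pair 90 minutes apart fires; a real deployment would also exempt known VPN egress ranges before paging anyone.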
What Is Data Breach Prevention?
Data breach prevention is the combination of technical controls, security policies, employee training, and incident response capabilities designed to stop unauthorized access to sensitive information. It includes measures like multi-factor authentication, encryption, zero trust architecture, phishing simulations, vulnerability management, and third-party risk controls. Effective breach prevention addresses both technical vulnerabilities and the human behaviors that attackers exploit through social engineering.
The Compounding Effect of Doing the Basics Well
None of these nine steps require bleeding-edge technology. MFA, patching, encryption, training, access controls — these are fundamentals. But I've seen them prevent breaches that sophisticated tools missed, because most attackers don't need sophistication when the basics are broken.
Data breach prevention compounds. Each layer you add forces attackers to work harder, spend more time, and make more noise — which gives your detection capabilities a chance to catch them. An attacker who steals credentials but hits MFA, then tries lateral movement but hits microsegmentation, then attempts exfiltration but hits DLP — that attacker gets caught or gives up.
Start where your risk is highest. For most organizations, that means credential theft and phishing. Lock down authentication with MFA. Invest in ongoing phishing awareness training and comprehensive cybersecurity awareness education for every employee. Then work outward from there.
The organizations that avoid headlines aren't the ones with the biggest budgets. They're the ones that execute the fundamentals relentlessly, test their assumptions regularly, and treat security as an operational discipline rather than an annual compliance exercise. That's what data breach prevention actually looks like in practice.