When UnitedHealth Group acquired Change Healthcare, they didn’t just acquire systems and revenue—they acquired underlying technical risk.
The breach that followed wasn’t driven by a sophisticated exploit. It began with something far more common: compromised credentials and weak identity controls. Yet the impact was massive, disrupting healthcare payments across the U.S. and exposing how fragile interconnected systems can be.
What Actually Happened
The attack chain was straightforward:
- Attackers gained access using valid credentials to a remote system without MFA
- Activity appeared legitimate—no malware, no obvious alerts
- They moved laterally, escalated privileges, and mapped the environment
- Sensitive data was exfiltrated and ransomware deployed
- Core systems went down, halting claims processing at scale
There was nothing particularly novel about the technique. The failure was structural.
Where Controls Failed
This wasn’t one gap—it was several working together:
- Missing MFA on critical access points
- Weak segmentation, allowing lateral movement
- Over-permissioned accounts and unclear privilege boundaries
- Limited ability to detect credential misuse
- Poor visibility into system dependencies and blast radius
Individually common. Collectively exploitable.

What Due Diligence Would Have Found
A typical tech DD process wouldn’t catch this. A real one would.
Specifically, it would have surfaced:
- Where MFA actually wasn’t enforced
- Which systems were externally exposed
- How easily access could escalate once inside
- Whether internal boundaries actually held
- What breaks if a single credential is compromised
This is the difference between reviewing documentation and understanding reality.
Why This Matters in M&A
The critical insight from the Change Healthcare breach is not just how the attack occurred, but when the underlying risk was introduced.
The conditions that enabled the breach did not emerge after acquisition. They existed beforehand.
This is what makes identity and access risk particularly challenging in M&A contexts. Unlike financial liabilities, which are typically disclosed and quantified, technical risks are often implicit. They do not appear on balance sheets, and they are rarely fully captured in standard diligence processes.
Yet they transfer immediately at close.
In highly interconnected industries like healthcare, the impact of these risks is amplified. Systems are not isolated; they are part of a broader operational fabric. A failure in one organization can propagate across partners, customers, and critical infrastructure.
Bridging the Gap with ACQUA
Addressing this gap requires a shift in how technical diligence is conducted. Rather than relying solely on static artifacts, organizations need visibility into how systems behave under real conditions.
ACQUA is designed to provide that visibility.
By connecting directly into a target environment, ACQUA maps identity pathways across systems, validates how access controls function in practice, and identifies points where risk can propagate. It allows deal teams to understand not just what systems exist, but how they interact—and where they are vulnerable.
This approach transforms abstract concerns into concrete insights. Instead of asking whether MFA is implemented, it shows where it is not. Instead of assuming segmentation, it demonstrates whether boundaries hold under real-world conditions.
Most importantly, it enables these questions to be answered before acquisition, when there is still an opportunity to price, negotiate, or remediate risk.


%201.webp)


.webp)