2024 Year in Review: Change Healthcare, CrowdStrike, and the Cost of Single Points of Failure
2024 will be remembered as the year we learned, painfully, that single points of failure in critical infrastructure can paralyze entire industries. Change Healthcare disrupted healthcare nationwide. CrowdStrike crashed 8.5 million computers worldwide. AT&T's outage affected 70 million customers.
The common thread: centralized dependencies with catastrophic failure modes.
The Three Major Events
Change Healthcare (February)
Ransomware attack on the nation's largest healthcare clearinghouse affected nearly every provider in America. 100+ million patients' data compromised. $22 million ransom paid. Over $1 billion in total costs. Root cause: missing MFA on a Citrix portal.
CrowdStrike (July)
Faulty security software update crashed 8.5 million Windows computers. Airlines, hospitals, banks, and businesses worldwide offline for days. Manual remediation required for every affected system. Root cause: insufficient update testing and global simultaneous deployment.
AT&T Data Breach (April-July)
Call and text records for nearly all AT&T wireless customers stolen from a third-party cloud platform. Six months of metadata exposed. Root cause: cloud platform compromise affecting multiple telecom providers.
The Pattern
All three incidents share characteristics:
- Critical infrastructure concentration
- Lack of resilient alternatives
- Supply chain dependencies
- Cascading failures affecting unrelated organizations
- Recovery measured in weeks, not hours
Industry Impacts
- Healthcare: Change Healthcare proved that healthcare infrastructure is dangerously centralized. The industry is still recovering.
- Legal: ABA issued updated guidance on AI use and cybersecurity obligations.
- Financial: SEC cyber disclosure rules went into effect, raising compliance requirements.
- Dental: OCR continued Right of Access enforcement, with penalties reaching six figures for violations.
Looking Ahead to 2025
Expect continued AI evolution in both attack and defense, increased regulatory scrutiny across all industries, supply chain security becoming a board-level concern, and deepfake threats maturing into standard attack techniques.
Nine years of writing. The fundamentals haven't changed: MFA, backups, patching, training, incident response. They would have prevented or mitigated every major incident in 2024.