On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application that enables remote access to desktops. The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within systems and exfiltrated data in more sophisticated ways. Nine days later, ransomware was deployed.