Even assuming that were true, I would disagree with attributing most of a successful breach to a wider attack at large. A successful breach on Change Healthcare occurred because their software development practice is garbage.
They have difficulty hiring talent because their talent acquisition process is broken and directed from guys in Nashville who have no clue how to handle developers on the West Coast. Big dependence on manual QA from teams in overseas contractors with no automation, and for developers on that side, there's no transfer of information when the code turns into spaghetti. Code review is weak and mostly for show. Single-account passwords for use in SFTP and outdated protocols. All logic goes into SQL stored procedures when it's completely unnecessary and none of the database developers know how to wrangle it anymore because someone decided all business logic should be in stored procedures (job security?). All software planning and business meetings happen as Waterfall with elaborate Unified Modeling Language but pretends to be Agile so obviously there is ritualistic Scrum, even though it doesn't fit the process that actually happens on a day-to-day basis.
When it comes to software, Change Healthcare cares about optics and most processes are for show, not actual effect, and especially when it comes to security.
They have difficulty hiring talent because their talent acquisition process is broken and directed from guys in Nashville who have no clue how to handle developers on the West Coast. Big dependence on manual QA from teams in overseas contractors with no automation, and for developers on that side, there's no transfer of information when the code turns into spaghetti. Code review is weak and mostly for show. Single-account passwords for use in SFTP and outdated protocols. All logic goes into SQL stored procedures when it's completely unnecessary and none of the database developers know how to wrangle it anymore because someone decided all business logic should be in stored procedures (job security?). All software planning and business meetings happen as Waterfall with elaborate Unified Modeling Language but pretends to be Agile so obviously there is ritualistic Scrum, even though it doesn't fit the process that actually happens on a day-to-day basis.
When it comes to software, Change Healthcare cares about optics and most processes are for show, not actual effect, and especially when it comes to security.
https://news.ycombinator.com/item?id=40132012