UnitedHealth knowledge breach must be a wakeup name for the UK and NHS


The ransomware attack that has engulfed U.S. health insurance giant UnitedHealth Group and its tech subsidiary Change Healthcare is a data privacy nightmare for millions of U.S. patients, with CEO Andrew Witty confirming this week that it could impact as much as one-third of the country.

But it should also serve as a wake-up call for countries everywhere, including the U.K., where UnitedHealth now plies its trade via the recent acquisition of a company that manages data belonging to millions of NHS (National Health Service) patients.

As one of the largest health care companies in the U.S., UnitedHealth is well-known domestically, intersecting with every facet of the healthcare industry, from insurance and billing and winding through the physician and pharmacy networks. It's a $500 billion juggernaut, and the eleventh largest company globally by revenue. But in the U.K., UnitedHealth is virtually unknown, mostly because it hasn't had much business across the pond, until six months ago.

After a 16-month regulatory process ending in October, UnitedHealth subsidiary Optum UK, via an affiliate called Bordeaux UK Holdings II Limited, finally took ownership of EMIS Health in a $1.5 billion deal. EMIS Health provides software that connects doctors with patients, allowing them to book appointments, order repeat prescriptions, and more. One of these services is Patient Access, which claims some 17 million registered users who collectively made 1.4 million family doctor appointments through the app last year and ordered north of 19 million repeat prescriptions.

There's nothing to suggest that U.K. patient data is at risk here: these are different subsidiaries, with different setups, under different jurisdictions. But according to his Senate testimony on Wednesday, Witty blamed the hack on the fact that since UnitedHealth acquired Change Healthcare in 2022, it hadn't updated its systems, and within those systems was a server that didn't have multi-factor authentication (MFA) enabled.

We know that hackers stole health data using "compromised credentials" to access a Change Healthcare Citrix portal that was intended for employees to access internal networks remotely. Incredibly, Witty said that the company was still working to understand why MFA wasn't enabled, two months after the attack. This doesn't inspire a lot of confidence for U.K. health care professionals and patients using EMIS Health under the auspices of its new owners.

This isn't an isolated case.

Separately this week, 25-year-old hacker Aleksanteri Kivimäki was jailed for more than six years for infiltrating a company called Vastaamo in 2020, stealing health care data belonging to thousands of Finnish patients and attempting to extort and blackmail both the company and affected patients.

Whether ransom attacks prove successful or not, they're ultimately lucrative: payments to perpetrators reportedly doubled to more than $1 billion in 2023, a record-breaking year by many accounts. During his testimony, Witty confirmed earlier reports that UnitedHealth made a $22 million ransom payment to its hackers.

Health data as a valuable commodity

But the biggest takeaway from all this is that personal data, particularly health data, is a huge global commodity, and it needs to be protected accordingly. Yet we keep seeing incredibly poor cybersecurity hygiene, which should be a concern for everyone.

As TechCrunch wrote a few months back, it's getting increasingly difficult to access even the most basic form of healthcare on the state-funded NHS without agreeing to give private companies access to your data, whether that's a billion-dollar multinational or a venture-backed startup.

There may be legitimate operational and practical reasons why working with the private sector makes sense, but the reality is that such partnerships increase the attack surface that bad actors can target, regardless of whatever obligations, policies and promises a company might have in place.

Many U.K. family doctor surgeries now require patients to use third-party triaging software to make appointments, and unless you peruse the fine print of the privacy policies with a fine-toothed comb, it's often not clear who the patient is actually doing business with.

Digging into the privacy policy of one triaging service provider called Patchs Health, which says it supports over 10 million patients across the NHS, reveals that it's merely the data "sub-processor" responsible for developing and maintaining the software. The main data processor contracted to deliver the service is actually a private equity-backed company called Advanced, which was hit by a ransomware attack two years ago, forcing NHS services offline. Like the UnitedHealth attack, legitimate credentials were used to access a Citrix server.

You don't have to squint to see the parallels between what has happened with UnitedHealth, and what might happen in the U.K. with the myriad private companies striking partnerships with the NHS.

Finland also serves as a prescient reminder as the NHS creeps deeper into the private realm. Dubbed one of the country's biggest ever crimes, the Vastaamo data breach came about after a now-defunct private psychotherapy company was sub-contracted by Finland's public health care system. Aleksanteri Kivimäki infiltrated an insecure Vastaamo database, and after Vastaamo refused to pay a reported €450,000 Bitcoin ransom, Kivimäki tried to blackmail thousands of patients, threatening to release intimate therapy notes.

In the investigation that followed, Vastaamo was found to have wholly inadequate security processes in place. Its patient database was exposed to the open internet, including unencrypted sensitive data such as contact information, social security numbers, and therapist notes. The Finnish data protection ombudsman noted that the most likely cause of the breach was an "unprotected MySQL port in the database," where the root user account wasn't password protected. This account enabled unrestricted database access from any IP address, and the server had no firewall in place.
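The three failures the ombudsman describes (a database listening on every interface, a root account with no password, and that account accepting logins from any host) are all visible in the server's own configuration and user table before any attacker finds them. The following Python audit is an added example, not code from the article or from any of the companies it names; the `my.cnf` fragment and the `mysql.user` rows it checks are constructed samples, and the severity labels and the `audit` function are this example's own conventions.

```python
"""
Audit a MySQL server for the exposure pattern described above:
a listener bound to all interfaces, a root account with no password,
and a root account reachable from any host.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str
    message: str


# Constructed sample of a my.cnf [mysqld] section showing the weak settings.
WEAK_MY_CNF = """
[mysqld]
user = mysql
port = 3306
bind-address = 0.0.0.0   # listens on every interface
"""

# Constructed sample rows as they would appear in mysql.user
# (User, Host, authentication_string). An empty string means no password.
WEAK_USERS = [
    ("root", "%", ""),
    ("app", "10.0.1.5", "*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29"),
]

# Constructed hardened counterpart: loopback only, root restricted to localhost
# with a password hash set (the hash value is a placeholder, not a real one).
HARDENED_MY_CNF = """
[mysqld]
user = mysql
port = 3306
bind-address = 127.0.0.1
"""
HARDENED_USERS = [
    ("root", "localhost", "*PLACEHOLDER_HASH_ROOT"),
    ("app", "10.0.1.5", "*PLACEHOLDER_HASH_APP"),
]

ALL_INTERFACES = {"", "0.0.0.0", "::", "*"}


def parse_mysqld_section(text):
    """Return key/value pairs from the [mysqld] section of a my.cnf-style file.

    Comments are stripped, and underscores are normalised to hyphens so that
    bind_address and bind-address are treated as the same option.
    """
    settings = {}
    in_mysqld = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        section = re.match(r"\[(.+)\]$", line)
        if section:
            in_mysqld = section.group(1).strip().lower() == "mysqld"
            continue
        if in_mysqld:
            key, _, value = line.partition("=")
            settings[key.strip().replace("_", "-")] = value.strip()
    return settings


def audit(config_text, user_rows):
    """Return a list of Findings for the config text and user rows given."""
    findings = []
    cfg = parse_mysqld_section(config_text)
    bind = cfg.get("bind-address", "")
    # skip-networking disables TCP entirely; otherwise an unset or wildcard
    # bind-address exposes the port on every interface the host has.
    if "skip-networking" not in cfg and bind in ALL_INTERFACES:
        findings.append(Finding("high", f"bind-address={bind or '<unset>'} listens on all interfaces"))
    for user, host, auth in user_rows:
        if auth == "":
            findings.append(Finding("critical", f"{user}@{host} has no password"))
        if user == "root" and host == "%":
            findings.append(Finding("high", "root may log in from any host"))
    return findings


if __name__ == "__main__":
    for label, cnf, users in (("weak", WEAK_MY_CNF, WEAK_USERS), ("hardened", HARDENED_MY_CNF, HARDENED_USERS)):
        print(f"{label}: {len(audit(cnf, users))} finding(s)")
        for f in audit(cnf, users):
            print(f"  [{f.severity}] {f.message}")
```

A host firewall rule is the missing fourth control and is outside what this file-level check can see; the point of the check is that the first three are cheap to verify from a config backup alone.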

In the U.K., there have been well-vocalized concerns around how the NHS is opening access to data. The most high-profile partnership came just last year, when Peter Thiel-backed big data analytics company Palantir was awarded major contracts by NHS England to help it transition to a new Federated Data Platform (FDP), much to the chagrin of doctors and data privacy advocates across the country.

It all seems somewhat inevitable though. Privacy advocates shout and scream, but big companies with lots of cash keep getting the keys to sensitive data belonging to millions of people. Promises are made, assurances given, processes implemented. Then someone forgets to set up basic MFA, or they leave an encryption key under the doormat, and everything blows up.

Rinse and repeat.
