The ransomware attack that has engulfed U.S. medical insurance giant UnitedHealth Group and its tech subsidiary Change Healthcare is a data privacy nightmare for millions of U.S. patients, with CEO Andrew Witty confirming this week that it could affect as much as one-third of the country.
But it should also serve as a wakeup call for countries everywhere, including the U.K., where UnitedHealth now plies its trade via the recent acquisition of a company that manages data belonging to millions of NHS (National Health Service) patients.
As one of the largest health care companies in the U.S., UnitedHealth is well known domestically, intersecting with every facet of the healthcare industry, from insurance and billing through the physician and pharmacy networks. It is a $500 billion juggernaut and the 11th largest company globally by revenue. But in the U.K., UnitedHealth is practically unknown, largely because it had not done much business across the pond until six months ago.
After a 16-month regulatory process ending in October, UnitedHealth subsidiary Optum UK, through an affiliate called Bordeaux UK Holdings II Limited, finally took ownership of EMIS Health in a $1.5 billion deal. EMIS Health provides software that connects doctors with patients, allowing them to book appointments, order repeat prescriptions, and more. One of these services is Patient Access, which claims some 17 million registered users who collectively made 1.4 million family doctor appointments through the app last year and ordered north of 19 million repeat prescriptions.
There is nothing to suggest that U.K. patient data is at risk here: these are different subsidiaries, with different setups, under different jurisdictions. But according to his Senate testimony on Wednesday, Witty blamed the hack on the fact that since UnitedHealth acquired Change Healthcare in 2022, it had not updated its systems, and within those systems was a server that did not have multi-factor authentication (MFA) enabled.
We know that hackers stole health data using "compromised credentials" to access a Change Healthcare Citrix portal that had been intended for employees to reach internal networks remotely. Incredibly, Witty said that the company was still working to understand why MFA was not enabled, two months after the attack. This does not inspire a great deal of confidence for U.K. health care professionals and patients using EMIS Health under the auspices of its new owners.
This is not an isolated case.
Separately this week, 25-year-old hacker Aleksanteri Kivimäki was jailed for more than six years for infiltrating a company called Vastaamo in 2020, stealing health care data belonging to thousands of Finnish patients and attempting to extort and blackmail both the company and affected patients.
Whether ransom attacks prove successful or not, they are ultimately lucrative: payments to perpetrators reportedly doubled to more than $1 billion in 2023, a record-breaking year by many accounts. During his testimony, Witty confirmed earlier reports that UnitedHealth made a $22 million ransom payment to its hackers.
Health data as valuable commodity
As information.killnetswitch wrote a few months back, it is getting increasingly difficult to access even the most basic form of healthcare on the state-funded NHS without agreeing to give private companies access to your data, whether that is a billion-dollar multinational or a venture-backed startup.
There may be legitimate operational and practical reasons why working with the private sector makes sense, but the reality is that such partnerships increase the attack surface that bad actors can target, regardless of whatever obligations, policies and promises a company might have in place.
Many U.K. family doctor surgeries now require patients to use third-party triaging software to make appointments, and unless you peruse the fine print of the privacy policies with a fine-toothed comb, it is often not clear who the patient is actually doing business with.
Digging into the privacy policy of one triaging service provider called Patchs Health, which says it supports over 10 million patients across the NHS, reveals that it is merely the data "sub-processor" responsible for developing and maintaining the software. The main data processor contracted to deliver the service is actually a private equity-backed company called Advanced, which was hit by a ransomware attack two years ago, forcing NHS services offline. As in the UnitedHealth attack, legitimate credentials were used to access a Citrix server.
You do not have to squint to see the parallels between what has happened with UnitedHealth and what could happen in the U.K. with the myriad private companies striking partnerships with the NHS.
Finland also serves as a prescient reminder as the NHS creeps deeper into the private realm. Dubbed one of the country's biggest ever crimes, the Vastaamo data breach happened after a now-defunct private psychotherapy company was sub-contracted by Finland's public health care system. Aleksanteri Kivimäki infiltrated an insecure Vastaamo database, and after Vastaamo refused to pay a reported €450,000 Bitcoin ransom, Kivimäki attempted to blackmail thousands of patients, threatening to release intimate therapy notes.
In the investigation that followed, Vastaamo was found to have wholly inadequate security processes in place. Its patient database was exposed to the open internet, including unencrypted sensitive data such as contact information, social security numbers, and therapist notes. The Finnish data protection ombudsman noted that the most likely cause of the breach was an "unprotected MySQL port in the database," where the root user account was not password protected. This account enabled unrestricted database access from any IP address, and the server had no firewall in place.
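Each of the three failures the ombudsman lists (a root account with no password, logins permitted from any IP address, no firewall in front of the listener) is visible in artefacts a server already holds, and a practitioner can check for them in a few lines. The script below is an added example, not code from the article or from any investigation report. It audits a constructed export of the `mysql.user` table, two constructed `my.cnf` fragments (the weak setting beside the corrected one), and a constructed `iptables -S` listing; the function names, the `Finding` record and every sample value are assumptions for illustration.

```python
"""Offline audit for the exposure pattern described above: a MySQL account with
no password that any host may use, a server listening on all interfaces, and a
host firewall that lets tcp/3306 in from anywhere. Added example; all inputs
are constructed samples, not real data."""
import configparser
import csv
import io
from dataclasses import dataclass

# Constructed sample: what `SELECT user, host, plugin, authentication_string
# FROM mysql.user` might look like exported as CSV. The first row is the
# Vastaamo-style failure: root, any host, empty credential.
SAMPLE_USER_EXPORT = """user,host,plugin,authentication_string
root,%,mysql_native_password,
root,localhost,caching_sha2_password,$A$005$ExampleHash1
app,10.0.1.%,caching_sha2_password,$A$005$ExampleHash2
report,%,caching_sha2_password,$A$005$ExampleHash3
"""

# Constructed my.cnf fragments: the weak setting and the hardened one.
WEAK_CNF = """[mysqld]
bind-address = 0.0.0.0
"""
HARDENED_CNF = """[mysqld]
bind-address = 127.0.0.1
skip-networking
"""

# Constructed `iptables -S` output: accept-by-default policy plus an explicit
# rule that admits tcp/3306 from any source.
SAMPLE_IPTABLES = """-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical", "high" or "medium" (assumed scale)
    subject: str
    detail: str


def audit_users(export_csv: str) -> list[Finding]:
    """Flag accounts with an empty credential, and root accounts open to any host."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user, host = row["user"], row["host"]
        no_password = row["authentication_string"].strip() == ""
        any_host = host == "%"          # MySQL wildcard: matches every client address
        subject = f"{user}@{host}"
        if no_password and any_host:
            findings.append(Finding("critical", subject, "no password and reachable from any host"))
        elif no_password:
            findings.append(Finding("high", subject, "no password"))
        elif any_host and user == "root":
            findings.append(Finding("medium", subject, "root login permitted from any host"))
    return findings


def audit_listener(cnf_text: str) -> list[Finding]:
    """Flag a [mysqld] section that binds to every interface without skip-networking."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(cnf_text)
    mysqld = cp["mysqld"] if cp.has_section("mysqld") else {}
    if any(k in mysqld for k in ("skip-networking", "skip_networking")):
        return []                       # TCP listener disabled entirely
    # An absent bind-address means "all interfaces", the MySQL default.
    bind = (mysqld.get("bind-address") or mysqld.get("bind_address") or "*").strip()
    if bind in ("*", "0.0.0.0", "::"):
        return [Finding("high", "bind-address", f"listens on all interfaces ({bind})")]
    return []


def audit_firewall(iptables_dump: str, port: int = 3306) -> list[Finding]:
    """Flag an ACCEPT default policy and any-source ACCEPT rules for the DB port."""
    findings: list[Finding] = []
    for line in iptables_dump.splitlines():
        tokens = line.split()
        if tokens[:3] == ["-P", "INPUT", "ACCEPT"]:
            findings.append(Finding("medium", "INPUT policy", "unmatched inbound traffic is accepted"))
            continue
        is_input_rule = tokens[:2] == ["-A", "INPUT"]
        targets_port = "--dport" in tokens and str(port) in tokens
        accepts = "-j" in tokens and tokens[tokens.index("-j") + 1] == "ACCEPT"
        unrestricted = "-s" not in tokens   # no source-address constraint
        if is_input_rule and targets_port and accepts and unrestricted:
            findings.append(Finding("high", f"tcp/{port}", "accepted from any source address"))
    return findings


if __name__ == "__main__":
    for f in audit_users(SAMPLE_USER_EXPORT) + audit_listener(WEAK_CNF) + audit_firewall(SAMPLE_IPTABLES):
        print(f"[{f.severity}] {f.subject}: {f.detail}")
    print("hardened config findings:", audit_listener(HARDENED_CNF))
```

On the constructed input the script reports `root@%` as critical, the `0.0.0.0` bind as high, and two firewall findings, while the hardened fragment produces none. On a real host the same three checks run against `SELECT user, host, plugin, authentication_string FROM mysql.user`, the live `my.cnf`, and `iptables -S`; the point is that none of them needs a scanner or network access, only someone looking.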
In the U.K., there have been well-vocalized concerns around how the NHS is opening access to data. The most high-profile partnership came just last year, when Peter Thiel-backed big data analytics company Palantir was awarded huge contracts by NHS England to help it transition to a new Federated Data Platform (FDP), much to the chagrin of doctors and data privacy advocates across the country.
It all seems somewhat inevitable, though. Privacy advocates shout and scream, but big companies with lots of cash keep getting the keys to sensitive data belonging to millions of people. Promises are made, assurances given, processes implemented; then someone forgets to set up basic MFA, or leaves an encryption key under the doormat, and everything blows up.
Rinse and repeat.