
UnitedHealth data breach should be wake-up call for UK and NHS

The ransomware attack that has engulfed US health insurance giant UnitedHealth Group and its technology subsidiary Change Healthcare is a data privacy nightmare for millions of US patients, with CEO Andrew Witty confirming this week that it could affect up to one third of the country.

But it should also serve as a wake-up call to other countries, including the UK, where UnitedHealth now operates through its recent acquisition of a company that manages data belonging to millions of National Health Service (NHS) patients.

As one of the largest healthcare companies in the United States, UnitedHealth is well known nationally, cutting across every facet of the healthcare industry, from insurance to billing to networks of doctors and pharmacies. It is a $500 billion heavyweight and the 11th largest company in the world by revenue. In the UK, however, UnitedHealth is virtually unknown, mainly because it had little business across the Atlantic until six months ago.

After a 16-month regulatory process that concluded in October, UnitedHealth subsidiary Optum UK, acting through a holding company called Bordeaux UK Holdings II Limited, finally took ownership of EMIS Health in a deal worth around $1.5 billion. EMIS Health provides software that connects doctors to patients, allowing them to schedule appointments, order repeat prescriptions, and more. One of these services is Patient Access, which claims some 17 million registered users who collectively booked 1.4 million GP appointments through the app last year and ordered more than 19 million repeat prescriptions.

There is no indication that UK patient data is at risk here: these are different subsidiaries, with different configurations, under different jurisdictions. But in his Senate testimony on Wednesday, Witty blamed the hack on the fact that UnitedHealth had not updated Change Healthcare's systems since acquiring the company in 2022, and that among those systems was a server on which multi-factor authentication (MFA) had not been enabled.

We know the hackers used "compromised credentials" to access a Change Healthcare Citrix portal intended to let employees reach internal networks remotely, and that they stole healthcare data from there. Remarkably, Witty said the company was still working out why MFA had not been enabled, two months after the attack. That does not inspire much confidence among the UK clinicians and patients now using EMIS Health under its new owners.

This is not an isolated case.

Also this week, hacker Aleksanteri Kivimäki, 25, was jailed for more than six years for infiltrating a company called Vastaamo in 2020, stealing health data belonging to thousands of Finnish patients, and attempting to extort and blackmail both the company and the patients involved.

Whether or not individual ransomware attacks succeed, the business as a whole is lucrative: payments to perpetrators are estimated to have doubled to more than $1 billion in 2023, a record year by many accounts. During his testimony, Witty confirmed earlier reports that UnitedHealth paid its attackers a $22 million ransom.

Health data, a precious commodity

But the biggest takeaway from all of this is that personal data – particularly health data – is a huge global asset and must be protected accordingly. However, we are still seeing incredibly poor cybersecurity hygiene, which should concern everyone.

As TechCrunch wrote a few months ago, it is becoming increasingly difficult to access even the most basic care on the publicly funded NHS without agreeing to give private companies access to your data, whether that company is a billion-dollar multinational or a venture-backed startup.

There may be legitimate operational and practical reasons why working with the private sector makes sense, but the reality is that such partnerships increase the attack surface that bad actors can target, regardless of obligations, policies and the promises a company might have in place.

Many GP practices in the UK now require patients to use third-party triage software to book an appointment, and unless you go through the privacy policies with a fine-tooth comb, it is often difficult to know who the patient is really dealing with.

Digging into the privacy policy of a triage provider called Patchs Health, which says it serves more than 10 million patients across the NHS, reveals that it is merely the sub-processor responsible for developing and maintaining the software. The main data processor contracted to provide the service is actually a private equity-owned company called Advanced, which was hit by a ransomware attack two years ago that forced NHS services offline. As in the UnitedHealth attack, legitimate credentials were used to access a Citrix server.

You don’t have to squint to see the parallels between what happened with UnitedHealth and what could happen in the UK with the myriad of private companies entering into partnerships with the NHS.

Finland also serves as a prescient reminder as the NHS moves deeper into the private realm. Considered one of the most serious crimes ever committed in the country, the Vastaamo data breach occurred after a now-defunct private psychotherapy company was subcontracted by the Finnish public health system. Aleksanteri Kivimäki infiltrated an unsecured Vastaamo database, and after Vastaamo refused to pay a ransom of roughly €450,000 in Bitcoin, Kivimäki attempted to blackmail thousands of patients individually, threatening to publish their intimate therapy notes.

During the ensuing investigation, Vastaamo's security processes were found to be wholly inadequate. Its patient database was exposed to the open Internet, including sensitive, unencrypted data such as contact details, social security numbers and therapist notes. The Finnish Data Protection Ombudsman noted that the most likely cause of the breach was an "unprotected MySQL port in the database": the root account had no password, it was permitted to connect from any IP address, and the server had no firewall in place. Any one of those failings is serious; together they mean anyone who found the port could read the database without authenticating.
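The combination the Ombudsman described is mechanically checkable. The script below is an added example, not code from the original article or from the Finnish investigation: it audits a MySQL deployment for the three conditions (listening on every interface, a passwordless account reachable from any host, and no firewall in front of port 3306) and reports the weak configuration beside the corrected one. The my.cnf fragments, the account rows shaped like `SELECT user, host, authentication_string FROM mysql.user`, and the firewall allow-lists are all constructed for the example.

```python
"""Added example: audit a MySQL deployment for the Vastaamo-style failure mode.

Checks the conditions the Finnish Data Protection Ombudsman listed:
  1. mysqld accepting connections on every interface,
  2. an account (root in particular) with no password, usable from any host,
  3. port 3306 not protected by a firewall.
Every input below is constructed for the example, not taken from a real server.
"""
import configparser
import ipaddress
from dataclasses import dataclass

# bind-address values that make mysqld accept connections on any interface
ALL_INTERFACES = {"*", "0.0.0.0", "::"}
MYSQL_PORT = 3306

# Constructed my.cnf fragments: the weak setting and the corrected one.
WEAK_MY_CNF = "[mysqld]\nbind-address = 0.0.0.0\nport = 3306\n"
HARDENED_MY_CNF = "[mysqld]\nbind-address = 127.0.0.1\nport = 3306\n"

# Constructed rows in the shape of
#   SELECT user, host, authentication_string FROM mysql.user;
# An empty authentication_string means the account has no password set.
WEAK_ACCOUNTS = [("root", "%", ""), ("app", "10.0.0.5", "*HASH")]
HARDENED_ACCOUNTS = [("root", "localhost", "*HASH"), ("app", "10.0.0.5", "*HASH")]

# Constructed firewall allow-lists as (source CIDR, destination port).
# None models a host with no firewall at all, as at Vastaamo.
NO_FIREWALL = None
INTERNAL_ONLY = [("10.0.0.0/8", MYSQL_PORT)]


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical" or "high"
    message: str


def bind_address(my_cnf: str) -> str:
    """Return the [mysqld] bind-address; when unset, mysqld listens on all interfaces ('*')."""
    cp = configparser.ConfigParser(allow_no_value=True)
    cp.read_string(my_cnf)
    return cp.get("mysqld", "bind-address", fallback="*").strip()


def port_open_to_internet(rules, port: int) -> bool:
    """True if there is no firewall, or an allow rule admits the port from 0.0.0.0/0."""
    if rules is None:
        return True
    return any(p == port and ipaddress.ip_network(cidr).prefixlen == 0 for cidr, p in rules)


def audit(my_cnf: str, accounts, firewall_rules) -> list[Finding]:
    """Combine the three checks; the critical finding is the combination, not any one setting."""
    findings = []
    listens_everywhere = bind_address(my_cnf) in ALL_INTERFACES
    exposed = listens_everywhere and port_open_to_internet(firewall_rules, MYSQL_PORT)
    if listens_everywhere:
        findings.append(Finding("high", "mysqld bind-address accepts connections on all interfaces"))
    if exposed:
        findings.append(Finding("high", f"port {MYSQL_PORT} reachable from the internet (no firewall rule restricts it)"))
    for user, host, auth in accounts:
        if auth == "":
            findings.append(Finding("critical", f"{user}@{host} has no password"))
        if user == "root" and host == "%":
            findings.append(Finding("high", "root may connect from any host"))
        if auth == "" and host == "%" and exposed:
            # The Vastaamo combination: a passwordless, anywhere-bound account behind an internet-facing port.
            findings.append(Finding("critical", f"{user}@{host}: unauthenticated access from the open internet"))
    return findings


if __name__ == "__main__":
    for label, cnf, accounts, fw in (
        ("weak", WEAK_MY_CNF, WEAK_ACCOUNTS, NO_FIREWALL),
        ("hardened", HARDENED_MY_CNF, HARDENED_ACCOUNTS, INTERNAL_ONLY),
    ):
        print(f"== {label} ==")
        for f in audit(cnf, accounts, fw):
            print(f"[{f.severity}] {f.message}")
```

The point of scoring the combination separately is that each setting on its own is a common and sometimes deliberate choice (a listener on all interfaces behind a strict firewall is unremarkable), whereas a passwordless account on an internet-reachable port is never acceptable, and a report that lists only the individual settings buries that distinction.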

In the UK, there have been many concerns about how the NHS is opening up access to data. The most high-profile partnership came last year, when Peter Thiel-backed big data analytics company Palantir won large contracts with NHS England to help it move to a new Federated Data Platform (FDP), much to the chagrin of doctors and data privacy advocates across the country.

This all seems somewhat inevitable, however. Privacy advocates shout and shout, but big companies with lots of money continue to obtain the keys to sensitive data belonging to millions of people. Promises are made, assurances are given, processes are implemented, then someone forgets to configure basic MFA or leaves an encryption key under the doormat, and everything blows up.

Rinse and repeat.

techcrunch
