The ransomware attack that hit US health insurance giant UnitedHealth Group and its tech subsidiary Change Healthcare is a data privacy nightmare for millions of US patients and CEO Andrew Mr Whitty admitted this week that up to a third of the country could be affected.
But it also comes as a wake-up call to countries around the world, including the UK, where UnitedHealth is doing business with its recent acquisition of a company that manages data belonging to millions of NHS patients. should also work.
UnitedHealth is nationally known as one of the largest health care companies in the United States, a $500 billion company that touches every aspect of the health care industry, from insurance and billing to physician and pharmacy networks. is. 11th largest company in the world by sales. But in the UK, UnitedHealth is little known. The main reason for this is that there were not many transactions until six months ago.
After a 16-month regulatory process that ended in October, UnitedHealth subsidiary Optum UK, through an affiliate called Bordeaux UK Holdings II Limited, ultimately acquired ownership of EMIS Health in a $1.5 billion deal. . EMIS Health provides software that connects doctors and patients to schedule appointments, order repeat prescriptions, and more. One of these services is Patient Access. Claim There are approximately 17 million registered users who made a total of 1.4 million GP appointments and ordered more than 19 million repeat prescriptions through the app last year.
There is nothing to suggest that UK patient data is at risk here. These are different subsidiaries, with different settings and under different jurisdictions. But according to Senate testimony Wednesday, Whitty said UnitedHealth hasn't updated its systems since acquiring Change Healthcare in 2022, and the servers within those systems don't have multi-factor authentication. They claimed that the hack was caused by the fact that MFA was enabled.
It is understood that hackers used “compromised credentials” to steal health data and access the Change Healthcare Citrix portal intended for employees to access internal networks remotely. Incredibly, two months after the attack, Witty said the company is still working to understand why his MFA is not enabled. This does not inspire much confidence for UK healthcare professionals and patients who rely on EMIS Health under the auspices of its new owners.
This is not a special case.
Separately this week, 25-year-old hacker Aleksanteri Kivimäki broke into a company called Vastaamo in 2020, stole the medical data of thousands of Finnish patients, and compromised both the company and the affected patients. He was sentenced to more than six years in prison for attempting to extort. .
Regardless of whether a ransom attack is successful or not, it is ultimately profitable. In 2023, payments to perpetrators reportedly doubled to more than his $1 billion, making it a record year for many accounts. In his testimony, Whitty confirmed earlier reports that UnitedHealth paid a $22 million ransom to the hackers.
Health data as a valuable commodity
But the biggest lesson from all this is that personal data, especially health data, is a huge global commodity and needs to be protected accordingly. However, cybersecurity hygiene continues to be incredibly poor, and this should be a concern to everyone.
As TechCrunch wrote a few months ago, unless you agree to give private companies access to your data, accessing even the most basic healthcare services in the state-funded NHS will not be possible if it Whether you're a billion-dollar multinational corporation or a start-up, it's becoming increasingly difficult. -backed startup.
While there may be legitimate operational and practical reasons why it makes sense to collaborate with the private sector, the reality is that such partnerships are dependent on what obligations, policies, and commitments companies have in place. increases the attack surface that malicious attackers can target, regardless of the
Currently, many GP surgeries in the UK require patients to use third-party triage software to book an appointment, and unless you read the fine print of their privacy policy with a fine-tooth comb, you can't see who the patient actually is. It is often not clear who you are dealing with.
A closer look at the privacy policy of one triage service provider called Patchs Health, which supports over 10 million patients across the NHS, reveals that the company is responsible for developing and maintaining its software. It turns out that it is nothing more than a sub-processor. The main data processor contracted to provide this service is actually a private equity-backed company called Advanced, which suffered a ransomware attack two years ago that forced NHS services offline. I had no choice but to do it. Similar to the UnitedHealth attack, legitimate credentials were used to access Citrix servers.
You don't have to squint to see the similarities between what happened with UnitedHealth and what could happen in the UK with the myriad private companies that work with the NHS.
Finland also serves as a forward-thinking reminder as the NHS moves deeper into the civilian sphere. The Vastaamo data breach, described as one of the biggest crimes in the country's history, occurred after a now-defunct private psychotherapy company was subcontracted by Finland's public healthcare system. Aleksanteri Kivimaki hacked into Vastaamo's insecure database, and after Vastaamo refused to pay a reported €450,000 Bitcoin ransom, Kivimaki threatened to release intimate medical records to thousands of people. attempted to intimidate patients.
A subsequent investigation found that Vastaamo had completely inadequate security processes in place. Its patient database contained sensitive unencrypted data, including contact information, social security numbers, and therapist notes, and was exposed to the open internet. Finland's Data Protection Ombudsman pointed out that the most likely cause of the breach was the root user's “unprotected MySQL port in the database,” where his account was not password protected. This account allowed unrestricted database access from any of her IP addresses, and the server had no firewall in place.
In the UK, there has been a lot of concern about how the NHS is opening up access to data. The most high-profile partnership occurred just last year, when Peter Thiel-backed big data analytics firm Palantir secured a major contract to help transition to the new Federated Data Platform (FDP). It was acquired from NHS England, which was very disappointing for doctors and data. National privacy advocacy group.
However, it all seems inevitable to some degree. Despite the cries of privacy advocates, large corporations with deep pockets continue to obtain the keys to sensitive data belonging to millions of people. Promises are made, guarantees are given, and processes are implemented, but when someone forgets to set up basic MFA or leaves an encryption key under the doormat, everything goes awry.
Rinse and repeat.