The ransomware attack which has engulfed the US health insurance giant UnitedHealth Group and its technology subsidiary Change of Health is a data privacy nightmare for millions of US patients, with CEO Andrew Witty confirming this week that it could affect up to a third of the country.
But it should also serve as a wake-up call to countries everywhere, including the UK where UnitedHealth is now trading through its recent acquisition of a company that manages data belonging to millions of NHS (National Health Service) patients.
As one of the largest healthcare companies in the USUnitedHealth is well-known domestically, intersecting with every aspect of the health care industry, from insurance and billing and winding up to physician and pharmacy networks — it’s a $500 billion juggernaut and the world’s 11th largest company by revenue. But in the UK, UnitedHealth is practically unknown, largely because it didn’t have much business across the pond — until six months ago.
After a 16-month regulatory process expires in October, UnitedHealth subsidiary Optum UK, through a subsidiary called Bordeaux UK Holdings II Limited, finally took ownership of EMIS Health in a $1.5 billion deal. EMIS Health provides software that connects doctors with patients, allowing them to book appointments, order repeat prescriptions and more. One of these services is Patient accesswhich claims about 17 million registered users who collectively made 1.4 million family doctor appointments through the app last year and ordered north of 19 million repeat prescriptions.
There is nothing to suggest that UK patient data is at risk here — these are different subsidiaries, with different arrangements, under different jurisdictions. But in his Senate testimony Wednesday, Witty blamed the hack on the fact that UnitedHealth acquired Change Healthcare in 2022it hadn’t updated its systems — and within those systems was a server that didn’t have multi-factor authentication (MFA) enabled.
We know that hackers stole health data using “compromised credentials” to gain access to a Change Healthcare Citrix portal that was intended for employees to access internal networks remotely. Incredibly, Witty said the company was still working to figure out why MFA wasn’t enabled two months after the attack. This does not inspire much confidence in UK healthcare professionals and patients using EMIS Health under its new owners.
This is not an isolated case.
Separately this week, 25-year-old hacker Aleksanteri Kivimäki he was imprisoned for more than six years for infiltrating a company called Vastaamo in 2020, stealing healthcare data belonging to thousands of Finnish patients and attempting to extort and blackmail both the company and the affected patients.
Whether or not ransomware attacks prove successful, they are ultimately lucrative – payouts to perpetrators reportedly doubled to more than $1 billion in 2023, a record year by many accounts. During his testimony, Witty confirmed Earlier reports that UnitedHealth paid a $22 million ransom to its hackers.
Health data as a valuable commodity
However, the biggest takeaway from all of this is that personal data – particularly health data – is a huge global commodity and should be protected accordingly. However, we continue to see incredibly poor cyber hygiene, which should concern everyone.
As TechCrunch wrote a few months ago, it’s becoming increasingly difficult to access even the most basic form of healthcare in the government-funded NHS without agreeing to give private companies access to your data — whether it’s a multinational or a multibillion-dollar business dollars -under startup support.
There may be legitimate business and practical reasons why partnering with the private sector makes sense, but the reality is that such partnerships increase the attack surface that bad actors can target—regardless of the obligations, policies, and promises they make. may have a company.
Many UK GP surgeries now require patients to use third-party friction software to book appointments, and unless you go through the fine print of privacy policies with a fine-toothed comb, it’s often unclear who the patient is really dealing with.
Digging into Privacy Policy a triaging service provider is called Health Pads, which says it supports over 10 million patients across the NHS, reveals it is merely the data “sub-processor” responsible for developing and maintaining the software. The primary data processor contracted to provide the service is in fact compete with the support of stocks the company called Advancedwho was hit by a ransomware attack two years ago, forcing NHS services offline. Similar to the UnitedHealth attack, legitimate credentials were used to access a Citrix server.
You don’t have to squint to see the parallels between what happened with UnitedHealth and what could happen in the UK with the myriad private companies entering into partnerships with the NHS.
Finland also serves as a cautionary reminder as the NHS creeps deeper into the private sphere. Compiled one from the biggest crimes ever committed in the country, the Vastaamo data breach arose after Finland’s public healthcare system subcontracted a now-defunct private psychotherapy company. Aleksanteri Kivimäki infiltrated an insecure database of Vastaamo, and after Vastaamo refused to pay a €450,000 Bitcoin ransom, Kivimäki attempted to extort thousands of patients by threatening to issue personal treatment notes.
In the ensuing investigation, it was found that Vastaamo had completely inadequate security procedures in place. His patient database was exposed on the open internet, including unencrypted sensitive data such as contact information, social security numbers and therapists’ notes. The Finnish data protection ombudsman taking into consideration The most likely cause of the breach was an “unsecured MySQL port to the database”, where the root user account was not password protected. This account allowed unbridled access to the database from any IP address and the server had no firewall.
In the UK, there have been strong concerns about how the NHS opens up access to data. The most high-profile partnership came just last year, when Peter Thiel-backed big data analytics firm Palantir was awarding huge contracts by NHS England to help it move to a new Federal Data Platform (FDP) — far towards chagrin of doctors and data privacy advocates across the country.
But everything seems somewhat inevitable. Privacy advocates scream and shout, but big, cash-strapped companies continue to get the keys to sensitive data belonging to millions of people. Promises are made, assurances are given, processes are in place — then someone forgets to set up basic MFA or leaves an encryption key under the doormat and it all blows up.
Rinse and repeat.
