The recent ransomware attack on UnitedHealth Group and its subsidiary Change Healthcare is a severe breach of data privacy, potentially affecting a third of all Americans, as CEO Andrew Witty has acknowledged. The incident underscores the exposure faced by millions of U.S. patients.
It is also an urgent warning for other nations, including the U.K., because UnitedHealth recently extended its operations there by purchasing a company that handles data for a large share of NHS (National Health Service) patients.
Recognized as one of the foremost healthcare entities in the U.S., UnitedHealth’s reputation precedes it, spanning the entire breadth of the healthcare spectrum, from insurance to physician and pharmacy networks. With a valuation of $500 billion, it stands as the globe’s 11th largest entity in terms of revenue according to this list. However, its presence in the U.K. has been relatively muted until half a year ago.
In October, a protracted 16-month review concluded, allowing Optum UK (a UnitedHealth subsidiary) to acquire EMIS Health for $1.5 billion through Bordeaux UK Holdings II Limited. EMIS Health helps streamline appointments and prescription orders, among other services; its Patient Access platform has 17 million users and last year handled over 1.4 million GP appointments and 19 million prescription renewals.
There is no immediate threat to U.K. patient data from this breach, since the two entities operate in different sectors and under different legal frameworks. But, as Witty admitted in his testimony, the attack traced back to a neglected update after the acquisition of Change Healthcare: a server that had never been brought under multi-factor authentication (MFA).
Attackers used “compromised credentials” to reach health information through a Change Healthcare Citrix portal intended for remote employee access. Witty said the company is still working out how the lapse in enabling MFA happened, which raises genuine concern among U.K. healthcare users and professionals about how EMIS Health will be run under its new ownership.
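The root cause described above is a remote-access portal that accepted a password alone. The following is an added example, not code from the article or from any of the companies it names: a small detection routine that reviews authentication events from a remote-access gateway and flags successful logins with no MFA step, plus logins that succeed right after repeated failures from the same source. The log format, field names (`ts`, `user`, `src_ip`, `result`, `mfa`) and sample lines are constructed for this example and do not reflect any real Citrix or other product's log schema.

```python
import json
from collections import defaultdict

# Constructed sample log: newline-delimited JSON from a hypothetical
# remote-access gateway. The field names are assumptions for this example.
SAMPLE_LOG = """
{"ts": "2024-04-10T08:01:12Z", "user": "j.doe", "src_ip": "203.0.113.7", "result": "failure", "mfa": false}
{"ts": "2024-04-10T08:01:20Z", "user": "j.doe", "src_ip": "203.0.113.7", "result": "failure", "mfa": false}
{"ts": "2024-04-10T08:01:31Z", "user": "j.doe", "src_ip": "203.0.113.7", "result": "success", "mfa": false}
{"ts": "2024-04-10T08:15:02Z", "user": "a.smith", "src_ip": "198.51.100.4", "result": "success", "mfa": true}
{"ts": "2024-04-10T09:40:44Z", "user": "svc_backup", "src_ip": "192.0.2.55", "result": "success"}
{"ts": "2024-04-10T09:41:00Z", "user": "m.lee", "src_ip": "198.51.100.9", "result": "failure", "mfa": true}
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a production pipeline would count and alert on these
    # ISO-8601 UTC timestamps sort correctly as strings
    return sorted(events, key=lambda e: e["ts"])


def find_password_only_logins(events):
    """Successful sessions where no MFA step was recorded.

    A missing 'mfa' field is treated as 'no MFA': an absent control is
    exactly the gap the incident describes, so defaulting to 'passed'
    would hide the finding.
    """
    return [
        (e["user"], e["src_ip"], e["ts"])
        for e in events
        if e.get("result") == "success" and e.get("mfa") is not True
    ]


def find_failures_then_success(events, min_failures=2):
    """Accounts where a success from one source IP followed at least
    min_failures failures from that same IP: a common signature of
    guessed or stuffed credentials on a password-only portal."""
    failures = defaultdict(int)
    hits = []
    for e in events:
        key = (e["user"], e["src_ip"])
        if e.get("result") == "failure":
            failures[key] += 1
        elif e.get("result") == "success":
            if failures[key] >= min_failures:
                hits.append((e["user"], e["src_ip"], failures[key]))
            failures[key] = 0  # reset the streak after a success
    return hits


def review(text):
    """Run both checks over raw log text and return the findings."""
    events = parse_events(text)
    return {
        "password_only": find_password_only_logins(events),
        "failures_then_success": find_failures_then_success(events),
    }


if __name__ == "__main__":
    for name, findings in review(SAMPLE_LOG).items():
        print(name)
        for finding in findings:
            print("   ", finding)
```

On the constructed sample, `j.doe` is reported by both checks (a password-only success after two failures from the same address) and the service account `svc_backup` by the first, because its event carries no MFA field at all. The design choice worth noting is that absence of evidence is treated as a finding: after an acquisition, the systems most likely to be missing MFA are also the ones least likely to emit a tidy `"mfa": false`.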
This event isn’t singular in nature.
In a separate incident, 25-year-old Aleksanteri Kivimäki received a prison sentence of more than six years for hacking the Finnish company Vastaamo in 2020, stealing sensitive patient data and attempting to extort the victims with it.
Ransomware is lucrative: perpetrators’ earnings surpassed $1 billion in 2023 alone, and UnitedHealth has conceded, in Witty’s testimony, that it paid its attackers a $22 million ransom.
Why do ransomware criminals garner substantial profits?
The High Value of Health Information
The central lesson of these incidents is the immense value markets place on personal data, health data above all, and the corresponding need for robust protection. Unfortunately, lapses in basic security controls remain far too common, and they endanger everyone.
As TechCrunch has highlighted, handing personal data to a third party, whether an industry giant or an emerging startup, is increasingly a precondition for accessing NHS-funded healthcare.
There are situations where working with private entities is warranted for operational efficiency, but every such partnership broadens the attack surface, regardless of the security protocols, policies, or assurances those corporations put forward.
Accessing NHS doctors now comes with a data provision clause.
For many U.K. family practices, third-party triaging software has become a prerequisite for booking appointments, which often blurs who the actual data custodian is.
A look at the privacy policy of Patchs Health, which serves over 10 million NHS patients, reveals that it acts solely as a data sub-processor, while a private-equity-backed entity handles the actual data processing; a ransomware breach there would carry implications similar to the UnitedHealth debacle.
The situations in both the UK and Finland offer cautionary tales, underscoring the broader implications and potential vulnerabilities as the NHS increasingly integrates services with the private sector.
Adding to the controversy, the NHS’s deal with Palantir, a big data firm, over a new Federated Data Platform, further stirs the privacy debate, evoking widespread concern amongst healthcare and data privacy advocates nationwide.
Despite the outcry from privacy advocates, the reality persists: large corporations continue to gain access to vast amounts of sensitive information, often without sufficiently stringent safeguards, with predictable and disastrous results.
Rinse and repeat indeed.
Compiled by Techarena.au.