Like nearly all sensational data breaches, the public will probably never know the root cause of the Great United Health Group data breach of 2024 that exposed medical information for millions and millions of Americans. But after following data breaches for a long time, I’ll offer an educated guess.
First, some background.
Every insurance company wants data its own way to pay claims. But tracking changing rules and idiosyncrasies for every insurance company is overwhelming for medical providers. To solve this problem, clearinghouse companies formed between medical providers and insurance companies. The clearinghouses offer standard interfaces for providers to enter claims, and they deal with insurance company idiosyncrasies. By 2022, after 15 years of mergers and acquisitions, Change Healthcare processed around 40 percent of all medical claims in the United States–about 15 billion transactions annually. United Health Group bought it in 2022.
And then, in February, 2024, an attacker stole a password for a system without multifactor authentication, invaded the Change Healthcare network, and launched a ransomware attack against around 3 TB of patient data. The US House of Representatives Energy and Commerce Committee report estimates the attack affected about 1/3 of all Americans. But nobody knows for sure.
I already have questions.
- Why didn’t anyone set up multifactor authentication (MFA) on this system?
- Why did this system offer remote access to a user account with this much power?
The best answer United Health Group CEO, Sir Andrew Witty, could offer on the MFA question is, they’re investigating. None of our Congressional representatives asked the remote access question. I’ll offer a hunch for both questions. Change Healthcare evolved from a bazillion mergers, and nobody with any authority paid attention to accountability. Nobody owned it, so nobody looked into it.
Until too late.
United Health Group learned about the Change Healthcare breach on February 21, shut the system down, and called in the cavalry. Here is a PDF with the United Health Group statement in case the link to the data breach page goes bad. By Friday, March 22, it reported a $14 billion processing backlog. Which meant Medical providers had sent $14 billion in insurance claims, but Change Healthcare had not yet submitted those claims to insurance companies. Which put many medical providers on the brink of bankruptcy.
United Health Group offered $3.3 billion in interest free loans, payable in 45 days. But that still left a staggering revenue shortfall for medical providers, and so the US Federal Government got involved to help bridge the revenue gap.
United Health Group ultimately paid a $22 million ransom in return for a promise that the thieves would destroy the data they stole. Too bad honor among thieves is a myth. It seems the BlackCat ransomware group, who developed the ransomware code, partnered with freelancers who orchestrated the attack. United Health Group paid BlackCat, but BlackCat never paid its partners. That stolen patient data is still out there for somebody to exploit.
This incident unfolded pretty much the way I predicted way back in 2015 after another sensational data breach with a household name.
- Lax or dysfunctional management ignores all the warnings about potential IT security problems. I’ll bet somebody at the grass roots tried to warn managers about this mess, but nobody listened. We’ll probably never know.
- A sensational news story hits the news wires. This one was more subdued than usual. Probably because we’ve seen so many of these.
- The CEO or other leader of the breached organization puts out a press release. “We take our customers’ privacy seriously.” The press release includes a generous offer of worthless free credit monitoring for potential victims for a year. See the data breach website or its PDF, and United Health Group CEO, Andrew Witty’s, testimony in front of Congress.
- PR teams gear up as leaders in the breached organization fill the airwaves with excuses and all the important steps they’re taking to mitigate this breach. They use words like “sophisticated” and “criminal syndicate” or “nation state” to describe the attackers. Yep, that’s pretty much what Andrew Witty told Congress.
- Columnists and bloggers express outrage. That’s what I’m doing right now. But I’m a couple months late.
- Lots of people share commentary about how awful this all is and the poor state of our security. But nobody shares any specifics about conditions leading up to the breach, how the bad guys penetrated the victim organization, or the get-well steps. All we know about this one is, somebody stole a password.
- Embarrassed Boards of Directors and other VIPs outdo themselves with knee-jerk reactions as they pour a fortune into closing the barn door after the horses have already escaped. United Health Group estimates this incident will cost around $1.6 billion this year.
- Sometimes, a major news magazine does an in-depth story about the personalities involved at the victim company a few months later. TBD.
- The story eventually fades away and the public is left to believe that breached companies are helpless victims of sophisticated criminal syndicates or nation-state sponsored terrorists. There’s nothing anyone could have done about it. Maybe we’re finally starting to learn. This paragraph made me laugh.
Sen. Thom Tillis of North Carolina held up the book “Hacking for Dummies,” which he said he’s used as a resource on various Senate committees, and told Witty “this is basic stuff.”
https://missouriindependent.com/2024/05/02/unitedhealth-ceo-savaged-for-failings-in-massive-cyberattack-thats-crippled-health-care
If you are a breach victim, don’t worry. United Health Group will offer you one year of free credit monitoring. Does that make you feel all warm and fuzzy? That and a nickle are worth about five cents.
A long time ago, I proposed a solution to this problem that would make stolen Social Security numbers less important. One of these days, we’ll wake up. But apparently not today.
Good article. Unfortunately, United is my ins co.