The ransomware attack targeting U.S. health insurance giant UnitedHealth Group and its subsidiary, Change Healthcare, has raised significant data privacy concerns for millions of American patients. CEO Andrew Witty recently confirmed that the breach could potentially affect up to one-third of the U.S. population.
However, beyond the immediate impact on American patients, this incident should also serve as a stark warning for countries worldwide, including the United Kingdom. With UnitedHealth’s recent acquisition of a company managing data for millions of NHS (National Health Service) patients, the implications of such attacks extend internationally.
While UnitedHealth is a prominent healthcare entity in the United States, boasting a massive $500 billion presence and ranking as the 11th largest company globally by revenue, its footprint in the U.K. has been relatively minimal until recently. The acquisition of EMIS Health, facilitated through UnitedHealth’s subsidiary Optum UK, marks a significant expansion into the U.K. market.
EMIS Health specializes in software solutions connecting doctors with patients, offering services like appointment booking and prescription ordering. Notably, Patient Access, one of EMIS Health’s offerings, boasts a user base of 17 million registered users who collectively booked 1.4 million family doctor appointments and ordered over 19 million repeat prescriptions last year.
While there’s currently no evidence to suggest that U.K. patient data is directly compromised in the recent ransomware attack on UnitedHealth Group and its subsidiary Change Healthcare, the incident underscores broader cybersecurity concerns. During his testimony before the senate, CEO Andrew Witty attributed the breach to the lack of system updates following UnitedHealth’s acquisition of Change Healthcare in 2022. Specifically, the absence of multi-factor authentication (MFA) on a server within the system provided an entry point for hackers, highlighting critical vulnerabilities that remained unaddressed even after the attack.
This revelation raises concerns for U.K. healthcare professionals and patients utilizing EMIS Health under the management of UnitedHealth’s subsidiaries.
This incident is not an isolated case, as illustrated by the recent sentencing of hacker Aleksanteri Kivimäki, who infiltrated Finnish company Vastaamo in 2020, compromising healthcare data of thousands of patients. Such attacks, whether successful in extorting payment or not, are financially lucrative for perpetrators, with ransom payments reportedly exceeding $1 billion in 2023, a record-breaking figure.
Confirming earlier reports, Witty disclosed that UnitedHealth paid a $22 million ransom to the hackers, underscoring the significant financial impact of such cyber threats.
Health data as valuable commodity
The overarching lesson from recent cybersecurity breaches, particularly in the healthcare sector, is the critical importance of safeguarding personal data, especially health-related information, on a global scale. Despite the immense value and sensitivity of such data, we continue to witness alarming lapses in cybersecurity practices, posing significant risks to individuals and organizations alike.
As highlighted in previous reporting by TechCrunch, accessing even basic healthcare services through state-funded systems like the NHS often entails granting private companies access to personal data. Whether these entities are billion-dollar corporations or venture-backed startups, such partnerships with the private sector introduce vulnerabilities that malicious actors can exploit.
Despite any assurances or policies in place, these collaborations expand the potential targets for cyberattacks.
In the U.K., the integration of third-party software into healthcare systems is becoming increasingly common, with many family doctor surgeries relying on such platforms for appointment scheduling and triaging.
However, the intricacies of these arrangements are often obscured from patients, making it unclear which entities are actually handling their data. For example, in the case of Patchs Health, a triaging service provider supporting millions of NHS patients, it is revealed that they serve as a data “sub-processor,” with the primary data processor being a private equity-backed company called Advanced.
This complexity increases the attack surface for potential breaches, as demonstrated by Advanced’s prior experience of a ransomware attack resulting in NHS services being offline.
The parallels between the UnitedHealth breach and potential vulnerabilities in the U.K.’s healthcare system are evident. As private companies continue to forge partnerships with the NHS, it becomes imperative to prioritize robust cybersecurity measures to protect patient data from exploitation by cybercriminals.
The Vastaamo data breach in Finland serves as a stark reminder of the risks associated with private partnerships within public healthcare systems, a concern that resonates as the NHS continues its expansion into the private realm. In the Vastaamo case, a significant cybercrime unfolded after a private psychotherapy company, subcontracted by Finland’s public healthcare system, fell victim to a breach orchestrated by hacker Aleksanteri Kivimäki.
Following Vastaamo’s refusal to pay a substantial Bitcoin ransom, Kivimäki attempted to blackmail thousands of patients by threatening to expose their intimate therapy notes.
Subsequent investigations revealed glaring security deficiencies within Vastaamo’s infrastructure. The patient database was shockingly exposed to the open internet, with sensitive data such as contact information, social security numbers, and therapist notes left unencrypted and vulnerable.
A critical vulnerability was identified in the database’s configuration, notably an unprotected MySQL port with an unsecured root user account, enabling unrestricted access from any IP address without the protection of a firewall.
Similarly, concerns have been raised in the U.K. regarding the NHS’s increasing reliance on private entities for data management. Notably, the controversial partnership with Palantir, a big data analytics firm backed by Peter Thiel, drew widespread criticism from doctors and data privacy advocates.
Despite vocal opposition, such collaborations persist, with big companies gaining access to vast troves of sensitive data belonging to millions of individuals. Although promises are made, and assurances given, lapses in basic security practices like setting up multi-factor authentication or implementing robust encryption protocols continue to expose vulnerabilities, leading to catastrophic breaches.