Whoops. Your Bad.
One out of every three Americans had their medical records stolen in February in the Change Healthcare data breach. That is over 100 million people.
This is three times the size of the Office of Personnel Management (OPM) data breach in 2015.
Here’s what we know:
- The Change Healthcare portal did not have MFA in place.
- BlackCat hackers leveraged a stolen credential to breach over 100 million Americans’ healthcare records.
- Hackers installed ransomware nine days after initially gaining access.
- Change’s operations were crippled.
Medical practices are still suffering months later, as they were unable to accept reimbursement payments. In many cases, providers dipped into their own pockets to keep their practices running.
Healthcare experts say it’s highly likely practices will close as a result of this incident.
These are the extreme consequences of not prioritizing basic security controls. This isn’t poor planning. It is negligent.
MFA is table stakes.
It is crawling in the crawl-walk-run analogy I use with Identity Security clients several times daily. It is rice cereal (or whatever doesn’t have high levels of arsenic) when you’re starting a baby human on solids.
It is shocking that UnitedHealth Group and Change Healthcare apparently overlooked such an elementary security control. Or (even worse to imagine), they consciously chose not to prioritize it. Change was acquired in 2022 by UnitedHealth. That’s 2 years, and plenty of time to get basic MFA in place. We’ve deployed MFA for similarly sized organizations in under 3 months.
I shudder to think what other security deficiencies lurk behind Change Healthcare’s curtains, though I’m sure these and other scary truths will be brought to light in the coming weeks and months.
Congress isn’t pulling any punches, though the passionate cyber practitioner in me would love a tad more focus on prevention (or the wildly deficient lack thereof). Now is the time to take a hard line here…missed opportunity.
“Your company is the nation’s largest private health insurer and the largest physician employer in the country, earning billions in profits every quarter,” New Jersey Sen. Bob Menendez said. “It’s unacceptable that it took so long to help providers during a crisis of your creating.”
Agreed. I’ll add this: It is also wildly unacceptable (callous even) to neglect basic identity security measures to prevent this illicit activity. You are stewards of the healthcare data of over 100 million people.
One in three Americans. Over 100 million people.
On paying the $22 million in ransom, Mr. Witty remarked, “This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”
While I am sure what Mr. Witty has endured in the last three months has been horrific personally and professionally, I’m left wondering how the decision to pay a $22 million ransom request caused that much consternation when UnitedHealth Group posted revenues of over $300 billion last year. I’m also wondering why the basic preventative measures that would have avoided this were not employed.
Who is wishing they had a time machine right now?
$22 million only scratches the surface of the total cost UnitedHealth Group is likely to absorb to clean up this mess. Forbes is reporting the breach cost UnitedHealth $870 million in Q1 alone, and projects the total costs of the incident for the year to reach $1.4-1.6 billion. That’s to say nothing of the $6 billion in interest-free loans that UnitedHealth Group has extended to medical practices that are facing possible bankruptcy because of this.
What’s the interest on $6 billion?
It’s not often that I use the word ‘should.’ I find it akin to ‘I told you so.’ Both rarely do any good in maintaining a constructive relationship. They convey shame. In this case, I’ll happily make an exception. These controls should have been in place. It is shameful that they were not. Yet, it would seem that basic security was deemed discretionary.
Now, 100 million medical records are floating around in the ether.
Mr. Witty, are you listening? Congress, are you? Most importantly, and because I care passionately about making sure this never happens again, major healthcare systems, are you?
With each new client we encounter, I become less confident that we are doing all we can to protect our healthcare organizations’ data, infrastructure and ability to prioritize patient care. I become more discouraged when we need to promise an ROI whose value is larger than the collective holdings of the Louvre to get a C-Suite leader to sign a check for baseline security investment. I become extremely frustrated when cost is the only factor considered in the decision to implement identity security when there are so many important facets to weigh: expertise, depth, and track record of one’s implementer come immediately to mind.
This stuff isn’t free. Expertise ain’t cheap. But it’s far less expensive than the alternative. And, do we not have a duty to do no harm? That Hippocratic oath rears its pompous head again in an S3 blog post. Sadly, right now it is critical to internalize these words. Do no harm.
It is possible that UnitedHealth will get very little support from their cyber policy insurer. Recent reporting (per this source) calls out woefully underinsured organizations as common: $27.3 million is the average amount of uncovered losses per cyber incident.
There’s also a decent chance UnitedHealth Group will receive no insurance payout, as most cyber policies are void in certain circumstances, the first of which is absent or insufficient security controls (i.e. MFA).
Who suffers most here? Doctors and nurses and other practitioners losing employment because they couldn’t bill and receive payment. Patients who lose their primary care physician when their beloved practice closes. Patients whose claims are denied by UnitedHealth Group because they have to cover that $870 million cost. People who are already struggling to afford health insurance being hit with higher premiums.
All when a sub-$1 million investment in an MFA platform could have prevented this.
Healthcare continues to be a lucrative target for cyber criminals. We have significant data showing that prevention, in the form of good identity security and other cyber defenses, is less costly to implement proactively AND highly effective. Yet the largest insurer in the nation was woefully deficient. Over 100 million Americans risk exposure of their sensitive medical history on the dark web. It was 100% preventable. Sadly, it wasn’t a priority.
We need to take a lesson from old school medical practitioners who advocated for an apple a day keeping the doctor away and approach cyber defense similarly. Prevention, in this case, is far less costly than the cure. Cyber, Infosec and Identity security practitioners need to quickly embrace our collective responsibility to right the ship and acknowledge that stewardship of sensitive data carries with it a high bar of expectation. Basically, do the right thing before something bad happens. At the least, it will keep your name out of the headlines and your butt out of the hot seat on the Hill.