$UNH’s Change Healthcare unit paid a big ransom—its IT was as weak  as  a  kitten.

Not Cute

What’s the craic? Manas Mishra, Mariam Sunny, Christy Santhosh and Sriparna Roy tag-team to tell: Hack at UnitedHealth’s tech unit impacted 100 mln people

“Widespread disruptions”
The February hack at UnitedHealth … affected the personal information of 100  million people, … making it the largest healthcare data breach in the country. … The company began notifying affected patients in June.
…
[It] was breached by a hacking group called ALPHV, also known as “BlackCat.” … The breach caused widespread disruptions in claims processing, impacting patients and providers across the country.

What was stolen? A lot, says Lawrence Abrams: UnitedHealth says data of 100 million stolen

“Admitted to paying a ransom”
Today, the U.S. Department of Health and Human Services Office for Civil Rights data breach portal updated the total number of impacted people to 100  million, making it the first time UnitedHealth, the parent company of Change Healthcare, put an official number to the breach. … A massive amount of sensitive information was stolen during the February ransomware attack, including:
—Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
—Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
—Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
—Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.
…
ALPHV conducted the attack using stolen credentials to breach the company’s Citrix remote access service, which did not have multi-factor authentication enabled. [They] stole 6  TB of data and ultimately encrypted computers on the network, causing the company to shut down IT systems to prevent the spread.
…
UnitedHealth … admitted to paying a ransom [of] allegedly $22  million. [The] ransomware attack caused … $2.45  billion … in losses.

No MFA? Are you serious? Our own Jeffrey Burt dug in earlier: UnitedHealth’s ‘Negligence’

“First cybersecurity job”
UnitedHealth CEO Andrew Witty testified during a Senate Finance Committee hearing May 1 that the organization’s policy was to have MFA for external-facing systems but admitted that the it wasn’t in place companywide at the time of the attack. Testifying before the House Energy and Commerce Committee the same day, Witty said [the] MFA policy didn’t cover all external servers.
…
Finance Committee [head] Senator Ron Wyden (D-OR) [wrote], “The consequences of UHG’s apparent decision to waive its MFA policy for servers running older software are now painfully clear. … UHG’s leadership should have known, long before the incident, that this was a bad idea.”
…
Steven Martin [became] CISO last year. Martin has worked in IT for decades … but never full time in the cybersecurity field. “Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest health care company in the world should not be someone’s first cybersecurity job,” Wyden wrote.

If that’s not bad enough, they paid a huge ransom. bradley13 wants jail time for the C-suite:

First, they got hacked. For a company holding critical data, that’s bad enough. But then they paid ransom, which the criminals just took and ran off with. So they have encouraged and funded future ransomware.
…
Criminal charges: Board, CEO, CIO, all the way down the line. Whoever decided not to invest in security, and especially whoever decided to pay the ransom. … Jail.

What does UnitedHealth have to say for itself? Not a lot. Spokesdroid Tyler Mason spoke thuswise:

We continue to notify potentially impacted individuals as quickly as possible, on a rolling basis, given the volume and complexity of the data involved and the investigation is still in its final stages.

I had to read that three times. A slightly sarcastic sounding hulitu quotes the unit’s privacy policy:

“Privacy matters to Change Healthcare, so we follow a privacy framework that helps us to manage and protect your personal information in the products and services we provide.”
I guess this speaks for itself.

More meaningless wordsalad. But Bongo’s seen it all before:

A case of critical punctuation: “We take your privacy, seriously.”

Is there anyone who actually, like, likes UnitedHealth? u/Moocao123 doesn’t, but knows people who do:

UNH isn’t a bad company to buy stock, in fact their every move is made to increase shareholder value. They do put shareholders first, and they do make it financially sound to invest into their business. We just have a fundamental problem to their approach: They are neither patient centered nor give physician/provider assistance, and they dictate medical care.

Meanwhile, kevinmershon runs the numbers:

So would this count as one instance or 100 million instances of HIPAA violations? Last I checked the penalty is $50K per violation.

And Finally:

“Some mornings it’s best to stay in bed.”

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to  @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: freddie marriage (via Unsplash; leveled and cropped)