A Year Later, What Have We Learned From UnitedHealth?
Last month, health insurance giant UnitedHealth Group (UHG) almost doubled the number of victims it had originally estimated following last year’s data breach. In October, the company had said that 100m people were affected by the ransomware attack. In January, that figure grew to 190m. This seems like a good time to ask: what have we learned?
Revisiting The UHG Breach
The ALPHV/BlackCat ransomware group stole the data from UHG subsidiary Change Healthcare on February 21, 2024. The Russia-linked gang had already warned that it would target companies in the healthcare sector after the Department of Justice disrupted its operations the previous December.
According to Change Healthcare’s breach advisory page, the stolen PII included names, addresses, dates of birth, phone numbers, and email addresses. Other information included health insurance data, including member/group ID numbers and Medicaid/Medicare ID numbers.
The cybercriminals also exfiltrated personal health data, including medical record numbers, diagnoses, medicines, test results, and images, along with care and treatment information. Finally, the ransomware gang pilfered billing and claims data, including claim numbers, account numbers, billing codes, payments made, and balances due.
Thankfully, Change Healthcare said that social security numbers and bank account details were not in the trove of stolen information.
How And Why Did It Happen?
Reporting revealed that on February 12 the attackers had used compromised credentials to gain access to a Change Healthcare Citrix portal that provided remote access to desktops. The portal was not protected by multi-factor authentication (MFA).
According to Congressional testimony from CEO Andrew Witty last May, the intruders moved laterally through the company’s system, gaining access to multiple areas—including its Active Directory server—and exfiltrating the data. Witty also admitted to paying a $22m ransom to the criminal gang.
Dealing With The Breach
UHG said that it rebuilt the Change Healthcare technology infrastructure from scratch to get it operating again securely, and it also provided billions in financial aid to those whose healthcare was disrupted by the attack. Witty explained that it also enlisted third parties, including Mandiant and Palo Alto Networks, to reinforce its internal security scans with their own, and has also brought Mandiant in as a board advisor.
What Can We Learn From The Breach?
Senator Ron Wyden outlined what he thought should have been done better in a letter to the Federal Trade Commission and the Securities and Exchange Commission a month after the Congressional hearings. He outlined several issues.
Why wasn’t MFA in place? Witty’s defense is that Change Healthcare – which UHG acquired in late 2022 – was littered with fragmented legacy systems, and that it was taking time to bring them into line with UHG’s internal security policies. Where systems were not yet up to scratch, the company allowed other compensating security controls instead. Clearly, those were not enough.
“The consequences of UHG’s apparent decision to waive its MFA policy for servers running older software are now painfully clear,” said Wyden. “But UHG’s leadership should have known, long before the incident, that this was a bad idea.”
Wyden’s other concerns focus on the attackers’ ability to move so easily through the rest of the organization. When someone leaps from a desktop access portal to privileged access on a company’s Active Directory server, something is amiss. It suggests that core zero-trust principles were missing, such as micro-segmentation and identity and access management controls applied consistently throughout the environment, rather than just locks on external-facing assets.
Wyden also took UHG to task for a lack of business continuity. “In his House testimony, Mr. Witty revealed that the company was able to restore its cloud-based systems in a matter of days. But, Mr. Witty added, many of the company’s key systems had not yet been engineered to run in the cloud,” the letter said. “Instead, these services ran on the company’s own servers, which took far longer to restore.”
Cybersecurity Is Not The Only Problem
These are basic cyber governance principles that should surprise no one – least of all those signing the cybersecurity checks at UHG. But another issue is more damning: UHG knew full well that it would be aggregating serious amounts of sensitive data when it acquired Change Healthcare.
In February 2022, the DoJ sued UHG in an attempt to stop it from acquiring Change Healthcare.
“The proposed transaction threatens an inflection point in the health care industry by giving United control of a critical data highway through which about half of all Americans’ health insurance claims pass each year,” said Principal Deputy Assistant Attorney General Doha Mekki of the Justice Department’s Antitrust Division. This was an antitrust complaint, but the concerns over data aggregation seem especially prescient now.
In spite of this, the company didn’t move quickly enough to protect that data—and it wasn’t for lack of funds. In 2023, the year following its acquisition of Change Healthcare, UHG made its highest-ever profit—$22.4bn in net income—on revenues of $371.6bn.
While we don’t have a percentage figure for the insurance giant’s security budget, more of that money should presumably have gone to replacing Change Healthcare’s honeycomb of legacy systems to improve security and resilience.
The UHG breach stemmed from well-understood technical missteps, but the overriding reason is the most clichéd of all: those at the tiller of the largest healthcare company in the US simply had other priorities.