The ransomware attack that has engulfed U.S. health insurance giant UnitedHealth Group and its tech subsidiary Change Healthcare is a data privacy nightmare for millions of U.S. patients, with CEO Andrew Witty confirming this week that it may impact as much as one-third of the country.
But it should also serve as a wake-up call for countries everywhere, including the U.K. where UnitedHealth now plies its trade via the recent acquisition of a company that manages data belonging to millions of NHS (National Health Service) patients.
As one of the largest healthcare companies in the U.S., UnitedHealth is well known domestically, intersecting with every facet of the healthcare industry from insurance and billing and winding all the way through the physician and pharmacy networks — it’s a $500 billion juggernaut, and the 11th largest company globally by revenue. But in the U.K., UnitedHealth is practically unknown, mostly because it’s not had much business across the pond — until six months ago.
After a 16-month regulatory process ending in October, UnitedHealth subsidiary Optum UK, via an affiliate called Bordeaux UK Holdings II Limited, finally took ownership of EMIS Health in a $1.5 billion deal. EMIS Health provides software that connects doctors with patients, allowing them to book appointments, order repeat prescriptions and more. One of these services is Patient Access, which claims some 17 million registered users who collectively made 1.4 million family doctor appointments through the app last year and ordered north of 19 million repeat prescriptions.
There’s nothing to suggest that U.K. patient data is at risk here — these are different subsidiaries, with different setups, under different jurisdictions. But according to his senate testimony on Wednesday, Witty blamed the hack on the fact that since UnitedHealth acquired Change Healthcare in 2022, it hadn’t updated its systems — and within those systems was a server that didn’t have multi-factor authentication (MFA) enabled.
We know that hackers stole health data using “compromised credentials” to access a Change Healthcare Citrix portal which had been intended for employees to access internal networks remotely. Incredibly, Witty said the company was still working to understand why MFA wasn’t enabled, two months after the attack. This doesn’t inspire a great deal of confidence for U.K. healthcare professionals and patients using EMIS Health under the auspices of its new owners.
This isn’t an isolated case.
Separately this week, 25-year-old hacker Aleksanteri Kivimäki was jailed for more than six years for infiltrating a company called Vastaamo in 2020, stealing healthcare data belonging to thousands of Finnish patients and attempting to extort and blackmail both the company and affected patients.
Whether ransom attacks prove successful or not, they are ultimately lucrative — payments to perpetrators reportedly doubled to more than $1 billion in 2023, a record-breaking year by many accounts. During his testimony, Witty confirmed previous reports that UnitedHealth made a $22 million ransom payment to its hackers.
Why are ransomware gangs making so much money?
Health data as valuable commodity
But the biggest takeaway from all this is that personal data — particularly health data — is a huge global commodity, and it should be protected accordingly. However, we keep seeing incredibly poor cybersecurity hygiene, which should be a concern for everyone.
As TechCrunch wrote a couple of months back, it’s getting increasingly difficult to access even the most basic form of healthcare on the state-funded NHS without agreeing to give private companies access to your data — whether that’s a billion-dollar multinational, or a venture-backed startup.
There might be legitimate operational and practical reasons why working with the private sector makes sense, but the reality is such partnerships increase the attack surface that bad actors can target — regardless of whatever obligations, policies and promises a company might have in place.
Want to see an NHS doctor? Prepare to cough up your data first.
Many U.K. family doctor surgeries now require patients to use third-party triaging software to make appointments, and unless you peruse the fine print of the privacy policies with a fine-toothed comb, it’s often not clear who the patient is actually doing business with.
Digging into the privacy policy of one triaging service provider called Patchs Health, which says it supports over 10 million patients across the NHS, reveals that it is merely the data “sub-processor” responsible for developing and maintaining the software. The main data processor contracted to deliver the service is actually a private equity-backed company called Advanced, which was hit by a ransomware attack two years ago, forcing NHS services offline. Similar to the UnitedHealth attack, legitimate credentials were used to access a Citrix server.
You don’t have to squint to see the parallels between what has happened with UnitedHealth and what could happen in the U.K. with the myriad private companies striking partnerships with the NHS.
Finland also serves as a prescient reminder as the NHS creeps deeper into the private realm. Dubbed one of the country’s biggest ever crimes, the Vastaamo data breach came about after a now-defunct private psychotherapy company was sub-contracted by Finland’s public healthcare system. Aleksanteri Kivimäki infiltrated an insecure Vastaamo database, and after Vastaamo refused to pay a reported €450,000 Bitcoin ransom, Kivimäki attempted to blackmail thousands of patients, threatening to release intimate therapy notes.
In the investigation that followed, Vastaamo was found to have wholly inadequate security processes in place. Its patient database was exposed to the open internet, including unencrypted sensitive data such as contact information, social security numbers and therapist notes. The Finnish data protection ombudsman noted that the most likely cause for the breach was an “unprotected MySQL port in the database,” where the root user account wasn’t password protected. This account enabled unbridled database access from any IP address, and the server had no firewall in place.
In the U.K., there have been well-vocalized concerns around how the NHS is opening access to data. The most high-profile partnership came just last year, when Peter Thiel-backed big data analytics company Palantir was awarded massive contracts by NHS England to help it transition to a new Federated Data Platform (FDP) — much to the chagrin of doctors and data privacy advocates across the country.
It all seems somewhat inevitable though. Privacy advocates shout and scream, but big companies with lots of cash keep getting the keys to sensitive data belonging to millions of people. Promises are made, assurances given, processes implemented — then someone forgets to set up basic MFA, or they leave an encryption key under the doormat, and everything blows up.
Rinse and repeat.