UnitedHealth Admits Breach Could Cover Substantial Portion of US Population
The Change Health / UnitedHealth Group breach continues to evolve and get worse.
UnitedHealth is suggesting that the hackers may have accessed health data for “a very large number of people in the United States.”
Fundamentally, this is a worst case scenario for what happens when data moves from paper to bits and when those bits get aggregated.
When your doctor had paper files there was only a limited amount of damage that could be done, even if every single one of a single doctor’s files was compromised.
UnitedHealth says that as a result of the breach, which began in February, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.
That is a very roundabout way of saying maybe yes, maybe no.
They say that, at this point, they don’t know how many people’s data was stolen or what was stolen. They say it will take them months to gather enough information to even start notifying people.
While a ransom was paid, the first hackers took the money and ran and did not share it with the people who did the hacking. They were demanding a second ransom and it is unclear if that was paid. That hacking group, RansomHub, recently released some information that is thought to be patient data as an incentive to obtain a second ransom.
UnitedHealth said the bill for this attack is currently estimated to be $870 million just for the first quarter and could be as much as $1.6 billion for the year. That doesn’t estimate the numbers for future years.
On the other hand, the hackers might be greedy enough to sell the data.
The company is admitting that both personally identifiable information and protected health information were likely stolen.
They have set up a call center to offer free credit monitoring and identity theft protection to anyone who thinks they were impacted. They are not even waiting to figure out who to offer it to.
On top of this, they are still working to restore their systems.
Change Healthcare processes about half of all medical claims in the US for 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories! They process 15 billion transactions a year and touch “1 in 3 patients in the U.S.”
Remember that while credit cards expire or can be cancelled, you can’t change your blood type or medical history. There is really no way to know what the hackers’ plans are or how long they are going to wait before they do something.
While I am not worried about UnitedHealth Group – they had 2023 revenue of $371 billion – I am worried about those folks in red above.
There is nothing in the law to protect them and since the contract for services is between David and Goliath, it is unlikely that their contract protects them.
What we can only hope is that the U.S. Attorney General threatens UHG and its executives with some very unpleasant outcomes if they don’t handle this in a way that protects the small operations.
Right now it is not even clear who is going to sue whom. I do think that class action attorneys will come to these small companies to go after UHG. It is not clear if there is a mandatory arbitration agreement, or even a requirement for individual arbitration, in those contracts. Could those be struck down in this case? Could the 50 states’ Attorneys General go after United? That last option is pretty likely, I think.
From a consumer standpoint, watch your bank accounts, credit cards and insurance. Report things immediately. If you do that, your liability is likely zero.
If you are a customer of UHG, that is going to be harder. You likely need to consult an attorney to understand your options.
As we continue to say, third party breaches are where the action is today; if we can help with your third party risk management program, please contact us.