SecureWorld News

UnitedHealth Confirms 100 Million Affected in Change Healthcare Breach

Written by Drew Todd | Mon | Oct 28, 2024 | 10:40 PM Z

UnitedHealth Group recently confirmed that a ransomware attack on subsidiary Change Healthcare has compromised the personal information and healthcare data of more than 100 million individuals. 

The attackers accessed and exfiltrated vast amounts of personal and medical information, exploiting vulnerabilities to maximize the damage. UnitedHealth, one of the largest health insurers in the United States, had to undertake a lengthy investigation to confirm the scope of the breach, and its findings emphasize the need for agile security operations that can respond quickly to contain threats and protect data.

In its guidelines on handling data breaches in healthcare, the U.S. Department of Health and Human Services (HHS) states:

"The protection of patient information is fundamental to maintaining trust in the healthcare system. Organizations that experience breaches should notify affected individuals as quickly as possible and take steps to mitigate further exposure."

The HHS guidance reflects a widespread industry expectation that breaches are disclosed promptly and followed by robust protections to prevent further exploitation. However, as this breach demonstrates, healthcare organizations often struggle to balance regulatory compliance with operational agility, which is essential for faster incident response.

Dan Ortega, Security Strategist at Anomali, discusses UnitedHealth's timeline for confirming the breach, saying:

"The confirmation cycle for UnitedHealth is within the standard range for a regulated organization. UnitedHealth is a very large, very complex entity from a systems point of view, and the regulatory framework is equally large and complex. However, this doesn't mean that it's acceptable from an operational efficiency or public safety standpoint. In an environment where threat actors move at machine speed, it's going to be important to balance regulatory compliance with operational agility."

Ortega suggests that if large enterprises prioritize optimizing their security workflows, this could drive vendors to develop more effective tools, setting a higher security benchmark across industries. Such a shift, he adds, would protect not only critical infrastructure but also personal data, fostering public trust.

From a governance standpoint, Agnidipta Sarkar, Vice President of CISO Advisory at ColorTokens, emphasizes the critical role of regulatory frameworks. In his view, prolonged breach response times often indicate inadequate data governance and limited internal controls. Sarkar said:

"Very long durations to determine the extent of a breach do indicate lower standards of data governance and lack of internal control. This is also due to lack of regulatory control and oversight on hospital data. The good thing is that the affected parties have been notified. Similar incidents in Europe have been reduced ever since the onset of GDPR. Maybe the healthcare industry needs a similar regulation."

Sarkar points out that data privacy regulations like GDPR in Europe have set a strong precedent for managing personal data more responsibly, suggesting that comparable regulatory measures in the U.S. could prompt healthcare organizations to improve both security and data governance.

Darren Guccione, CEO and Co-Founder of Keeper Security, addresses the complex nature of large-scale breach investigations, which often extend over many months. In his view, organizations must implement proactive measures to protect individuals before such extended breaches can be fully resolved. Guccione said:

"Breaches of this nature highlight the importance of staying vigilant. By the time an organization confirms the breach—sometimes months after it occurred—attackers may have already acted on the exposed information. That's why proactive measures like following cybersecurity best practices and regularly checking for exposed credentials on the dark web can be essential. A dark web scanning tool can alert victims in real time that their information has been compromised, so they can take action before a cybercriminal strikes."

Guccione also underscores the importance of multi-factor authentication (MFA) as a safeguard for individual accounts, even after a credential leak. His remarks highlight the benefits of proactive cybersecurity, especially when investigations and response timelines extend for months.

As threat actors become more sophisticated, healthcare organizations and insurers like UnitedHealth face the challenge of evolving their security protocols to ensure the safety of sensitive data. Adopting an agile security approach, strengthening regulatory frameworks, and promoting proactive monitoring tools are essential to building a resilient healthcare system that prioritizes public trust and data protection.

Follow SecureWorld News for more stories related to cybersecurity.