Ransomware gangs are cashing in, but we keep entrusting sensitive data to irresponsible companies
The ransomware attack that has engulfed U.S. health insurance giant UnitedHealth Group and its tech subsidiary Change Healthcare is a data privacy nightmare for millions of U.S. patients, with CEO Andrew Witty confirming this week that it may affect as much as one-third of the country.
But it should also serve as a wake-up call for countries everywhere, including the U.K., where UnitedHealth now plies its trade via the recent acquisition of a company that manages data belonging to millions of NHS (National Health Service) patients.
As one of the largest health care companies in the U.S., UnitedHealth is well known domestically, intersecting with every aspect of the health care industry, from insurance and billing all the way through to physician and pharmacy networks. It is a $500 billion juggernaut, and the 11th largest company globally by revenue. But in the U.K., UnitedHealth is practically unknown, mostly because it had not done much business across the pond until six months ago.
After a 16-month regulatory process ending in October, UnitedHealth subsidiary Optum UK, via an affiliate called Bordeaux UK Holdings II Limited, finally took possession of EMIS Health in a $1.5 billion deal. EMIS Health provides software that connects doctors with patients, allowing them to book appointments, order repeat prescriptions and more. One of these services is Patient Access, which claims some 17 million registered users who collectively made 1.4 million family doctor appointments through the app last year and ordered north of 19 million repeat prescriptions.
There is nothing to suggest that U.K. patient data is at risk here: these are different subsidiaries, with different setups, under different jurisdictions. But according to his Senate testimony on Wednesday, Witty blamed the hack on the fact that since UnitedHealth acquired Change Healthcare in 2022, it had not updated its systems, and within those systems was a server that did not have multi-factor authentication (MFA) enabled.
We know that hackers stole health data using "compromised credentials" to access a Change Healthcare Citrix portal that had been intended for employees to access internal networks remotely. A remote-access portal reachable from the internet and protected by a password alone is exactly what stolen credentials defeat; MFA is the control that turns a leaked password into a failed login rather than a foothold. Incredibly, Witty said the company was still working to understand why MFA was not enabled, two months after the attack. This does not inspire a great deal of confidence for U.K. health care professionals and patients using EMIS Health under the auspices of its new owners.
This is not an isolated case.
Separately this week, 25-year-old hacker Aleksanteri Kivimäki was jailed for more than six years for infiltrating a company called Vastaamo in 2020, stealing healthcare data belonging to thousands of Finnish patients and attempting to extort and blackmail both the company and the affected patients.
Whether ransomware attacks prove successful or not, they are ultimately lucrative: payments to perpetrators reportedly doubled to more than $1 billion in 2023, a record-breaking year by many accounts. During his testimony, Witty confirmed previous reports that UnitedHealth made a $22 million ransom payment to its hackers.
Health data as valuable commodity
But the biggest takeaway from all this is that personal data, particularly health data, is a vast global commodity, and it should be protected accordingly. However, we keep seeing incredibly inadequate cybersecurity hygiene, which should be a concern for everyone.
As TechCrunch wrote a couple of months back, it is getting increasingly hard to access even the most basic forms of healthcare on the state-funded NHS without agreeing to give private companies access to your data, whether that is a billion-dollar multinational or a venture-backed startup.
There might be legitimate operational and practical reasons why working with the private sector makes sense, but the reality is that such partnerships increase the attack surface that bad actors can target, regardless of whatever obligations, policies and promises a company might have in place.
Need to see an NHS doctor? Get ready to cough up your data first.
Many U.K. family doctor practices now ask patients to use third-party triaging software to make appointments, and unless you go through the fine print of the privacy policies with a fine-toothed comb, it is often not clear who the patient is actually doing business with.
Digging into the privacy policy of one triaging service provider called Patchs Health, which says it supports over 10 million patients across the NHS, reveals that it is merely the data "sub-processor" responsible for developing and maintaining the software. The main data processor contracted to deliver the service is actually a private equity-backed company called Advanced, which was hit by a ransomware attack two years ago, forcing NHS services offline. Similar to the UnitedHealth attack, legitimate credentials were used to access a Citrix server.
You do not have to squint to see the parallels between what has happened with UnitedHealth and what could happen in the U.K. with the myriad private companies striking partnerships with the NHS.
Finland also serves as a prescient reminder as the NHS creeps deeper into the private realm. Dubbed one of the country's biggest ever crimes, the Vastaamo data breach came about after a now-defunct private psychotherapy company was sub-contracted by Finland's public healthcare system. Aleksanteri Kivimäki infiltrated an insecure Vastaamo database, and after Vastaamo refused to pay a reported €450,000 Bitcoin ransom, Kivimäki tried to blackmail thousands of patients, threatening to release intimate therapy notes.
In the investigation that followed, Vastaamo was found to have wholly inadequate security processes in place. Its patient database was exposed to the open internet, including unencrypted sensitive data such as contact information, social security numbers and therapist notes. The Finnish data protection ombudsman noted that the most likely cause of the breach was an "unprotected MySQL port in the database," where the root user account was not password protected. This account enabled unrestricted database access from any IP address, and the server had no firewall in place. None of that requires an exploit: anyone who can reach the port can log in as root with an empty password.
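The three conditions the ombudsman described (database listening on every interface, a root account with no password, root permitted from any host) are each trivial to check, and together they are a full compromise waiting for the first port scan. The audit helper below is an added example, not code from the article or from any of the companies named in it; it runs over constructed samples that stand in for a `my.cnf` file and the rows `SELECT user, host, authentication_string FROM mysql.user` would return. The weak configuration is shown beside a hardened one so the check can be seen flagging one and passing the other. Nothing in it is Vastaamo's actual configuration.

```python
"""Audit a MySQL deployment for the exposure pattern described above
(added example; inputs are constructed samples, not real configuration)."""

from dataclasses import dataclass

# Constructed my.cnf fragment resembling the weak setup: mysqld bound to all
# interfaces with networking enabled.  (Assumption: MySQL 5.7/8.0 option names.)
WEAK_MY_CNF = """
[mysqld]
port = 3306
bind-address = 0.0.0.0
skip-networking = 0
"""

# Constructed rows in the shape of mysql.user output.  An empty
# authentication_string means the account has no password at all.
WEAK_USERS = [
    ("root", "%", ""),                                           # passwordless root, any host
    ("app", "10.0.0.%", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
]

# Hardened counterpart: loopback only, root confined to the local socket.
HARDENED_MY_CNF = """
[mysqld]
port = 3306
bind-address = 127.0.0.1
"""

HARDENED_USERS = [
    ("root", "localhost", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
    ("app", "10.0.0.%", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
]


@dataclass
class Finding:
    severity: str
    message: str


def parse_mysqld_options(cnf_text):
    """Return the key/value pairs of the [mysqld] section.

    MySQL accepts both 'bind-address' and 'bind_address'; keys are normalised
    to the hyphenated form.  Comments after '#' are ignored."""
    opts, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        opts[key.strip().lower().replace("_", "-")] = value.strip()
    return opts


def audit_mysql(cnf_text, users):
    """Flag network exposure, passwordless accounts and wildcard-host root."""
    findings = []
    opts = parse_mysqld_options(cnf_text)
    # When bind-address is unset MySQL listens on all interfaces ('*').
    bind = opts.get("bind-address", "*")
    # 'skip-networking' with no value, or any non-off value, disables TCP.
    skip_networking = opts.get("skip-networking", "0") not in ("0", "off", "false")
    exposed = not skip_networking and bind in ("*", "0.0.0.0", "::")
    if exposed:
        port = opts.get("port", "3306")
        findings.append(Finding("high", f"mysqld listens on all interfaces "
                                f"(bind-address={bind}); bind to 127.0.0.1 or a "
                                f"private address and firewall port {port}"))
    passwordless_root_anywhere = False
    for user, host, auth in users:
        if auth == "":
            findings.append(Finding("critical", f"'{user}'@'{host}' has no password"))
        if user == "root" and host == "%":
            findings.append(Finding("critical", "root may log in from any host ('%'); "
                                    "restrict root to 'localhost'"))
        if user == "root" and host == "%" and auth == "":
            passwordless_root_anywhere = True
    if exposed and passwordless_root_anywhere:
        findings.append(Finding("critical", "internet-reachable server with a "
                                "passwordless root open to any host: full database "
                                "access needs no exploit, only a port scan"))
    return findings


if __name__ == "__main__":
    for label, cnf, users in (("weak", WEAK_MY_CNF, WEAK_USERS),
                              ("hardened", HARDENED_MY_CNF, HARDENED_USERS)):
        print(f"== {label} ==")
        for f in audit_mysql(cnf, users) or [Finding("ok", "no findings")]:
            print(f"[{f.severity}] {f.message}")
```

The host-based checks cover only the conditions the report names; a real audit would also confirm the firewall state from outside the host, since a correct `bind-address` is undone by a later "temporary" change nobody reverts.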
In the U.K., there have been well-vocalized concerns around how the NHS is opening up access to data. The most high-visibility partnership came just last year, when Peter Thiel-backed big data analytics company Palantir was awarded massive contracts by NHS England to help it transition to a new Federated Data Platform (FDP), much to the chagrin of doctors and data privacy advocates across the country.
It all seems somewhat inevitable, though. Privacy advocates shout and scream, but big companies with lots of cash keep getting the keys to sensitive data belonging to millions of people. Promises are made, assurances given, processes implemented, and then someone forgets to set up basic MFA, or leaves an encryption key under the doormat, and everything blows up.
Rinse and repeat.