
UnitedHealth says data of 100M stolen in Change Healthcare hack

mlsu

I really don't understand how this level of consolidation has been allowed in the healthcare market. I was affected by this, couldn't get prescriptions filled for 4 days. Turns out I'm not alone -- 100m people? That's 1/3rd of America's population!

There is no competition in the marketplace. We need to either nationalize them or break them up. These ransomware groups are small-time compared to a nation-state adversary in wartime. At this point it's a national security issue.

Hilift

This is one of those companies that has middleware or back office apps that are common to many health care providers. Many different markets have their own unique apps or places where data can accumulate. I remember when paper checks were still used, a small number of companies existed to receive and catalog checks and update the accounts accordingly. I visited some, and they looked like they were spun off from bank(s) to unload the cost of what was going to be a disappearing operation. Really bare bones, disarray, and access to a lot of interesting data. Another app I found interesting was for closing mortgages. There aren't many of those, and the ones that did exist were in a lot of places and were a complete shambles, data everywhere, written in the early 2000s.

"Change Healthcare Inc. (known as Emdeon before rebranding in 2015, which followed its acquisition of Change Healthcare) is a provider of revenue and payment cycle management that connects payers, providers, and patients within the U.S. healthcare system. The name also refers to a company founded in 2007 which subsequently became part of the current conglomerate." https://en.wikipedia.org/wiki/Change_Healthcare

kmeisthax

Part of the neoliberal consensus that replaced progressive liberalism in the 1970s and 80s is a revisionist reframing of antitrust law in which all monopolies are judged solely by the yardstick of consumer welfare. Problem is, very few monopolies actually harm consumer welfare. Bigger businesses are able to deliver lower prices - at least initially - because they suck the redundancy out of the market. Ergo, consolidation is good actually and antitrust is self-defeating.

Of course, those prices will creep up eventually, once the causal link between the consolidation and the market power has been sufficiently obscured. Look at "inflation" - every business was able to blame "supply chain issues" (that they caused by removing redundancies) during COVID to extract unthinkable price increases out of the public. Because every business has only two or three real competitors, all of whom have extreme levels of class discipline and will agree to lie their asses off to the public.

This level of consolidation was allowed because your politicians stabbed you in the back in the name of the """free""" market.

sofixa

> Look at "inflation" - every business was able to blame "supply chain issues" (that they caused by removing redundancies) during COVID to extract unthinkable price increases out of the public.

Are you implying there were no supply chain difficulties? China wasn't under heavy lockdown for months on end? There weren't ports with months of backlog? Factories weren't closed due to lockdowns or outbreaks all around the world? That civilian aviation ground to almost a complete halt for a few months, and the cargo it used to carry now didn't need to find an alternative route?

Anyone trying to pin a singular reason for the inflation spikes after Covid is at best misinformed and arguing in bad faith. Covid wrecked supply chains, Russia's invasion of Ukraine wrecked a number of important raw materials' markets (oil, gas, nickel, grain, etc), the Houthis' shenanigans impacted the Suez Canal, droughts impacted the Panama canal. Sprinkle a heavy dose of corporate greed and voilà, inflation.

pickledoyster

"The biggest study of ‘greedflation’ yet looked at 1,300 corporations to find many of them were lying to you about inflation" – https://fortune.com/europe/2023/12/08/greedflation-study/

Rafuino

My kid had their first data breach at 2 months old due to a healthcare company we've never heard of having their data and losing it to hackers. This whole industry needs to be burned to the ground.

kevinmershon

So would this count as 1 instance or 100M instances of HIPAA violations? Last I checked the penalty is $50k per violation...

whoitwas

Seriously. From what I've learned United needs the axe more than many corporations. Somewhere below Nestle, but above BP maybe?

oefrha

It’s *up to* 50k per violation. Like most large scale violations of anything, it’s effectively “we’ll fine whatever we want”.

nashashmi

First it would have to be proven that data is leaked. Each proven leak is worth $50k. Mass leak is a compromise of data security. And that comes under a different classification.

Evidlo

Are they obligated to notify specific customers? How can I know if my data was in the hack?

prasadjoglekar

I got a mailer that states this.

At first, I didn't even know who Change was - they're well in the bowels of the stack.

Usual free credit monitoring etc.


mrbluecoat

> an expected $2.45 billion

Am I reading that ransom payout correctly? Or are "losses" divided among other things?

azinman2

At what point can we sue, especially if basic security practices like 2FA are not enabled?

hulitu

> At what point can we sue, especially if basic security practices like 2FA are not enabled?

And if they are enabled? Do you think this will make any difference? We have, at work (Microsoft), 2FA enabled with Windows Hello. At setup it wanted to set a numeric pin. That's all. It asks from time to time about the second factor (Microsoft Authenticator) and that's all.

spoonfeeder006

I always wonder that maybe someone can convince these health companies, clinics, etc... to start using Qubes OS for their network connected office computers. Maybe that could prevent a sizeable number of these ransomware attacks?

TLDR: Qubes OS is a security focused operating system that is geared towards end users. It relies on isolation via the Xen hypervisor (which has much less privileged code than the Linux, Windows, or Mac kernels), and uses the hardware-based virtualization features of the CPU as well. E.g. it prevents a compromised network card from accessing the memory of a trusted virtual machine through DMA attacks.

And ultimately it incorporates this isolation into a seamless user interface as well

I'm guessing the primary feature that would protect against ransomware is that it allows one to open suspicious links in disposable VMs.
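As an added illustration of the "open suspicious links in a disposable VM" idea above (this is an editor's example, not something from the comment or from the Qubes project itself): on Qubes OS 4.1 and later, the qrexec policy files under `/etc/qubes/policy.d/` decide what happens when a qube asks to open a URL via the `qubes.OpenURL` service. The default is to prompt; the fragment below forces links from a qube named `work` (an assumed name) into a fresh disposable VM with no prompt, and denies everything else. The file name `30-user.policy` is also an assumption; any file sorted before the stock `90-default.policy` takes precedence.

```text
# /etc/qubes/policy.d/30-user.policy  (assumed file name; lower numbers win)
#
# Format: <service>  <argument>  <source>  <destination>  <action>  [params]
#
# Weak setting (what you get if nothing is configured): every qube may ask,
# and the user gets a dialog and can pick any target, including a trusted VM.
#   qubes.OpenURL  *  @anyvm  @anyvm  ask
#
# Hardened setting: URLs from the "work" qube (assumed name) always open in a
# brand-new disposable VM, never in the qube that received the link and never
# in another persistent qube. The DispVM is destroyed when the browser closes.
qubes.OpenURL  *  work     @dispvm  allow

# Everything else is refused rather than prompted, so a compromised qube cannot
# lure the user into pointing a link at a sensitive VM.
qubes.OpenURL  *  @anyvm   @anyvm   deny
```

From inside the `work` qube a user (or a mail client configured to use it) then runs `qvm-open-in-dvm <url>`, and the policy above routes the request into a disposable VM. This only covers the link-opening path; a thick client that processes hostile input inside a persistent qube gets no benefit from it.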

sofixa

With the move of most enterprise software to web interfaces, this could be realistic for some organisations. Others, especially in healthcare, will have odd legacy thick clients developed in obscure languages decades ago that nobody wants to port.

hsbauauvhabzb

Has there been any organisation to successfully roll this out, ever?

It’s great for security, but useless from a productivity standpoint.

hulitu

> UnitedHealth says data of 100M stolen in Change Healthcare hack

"Privacy matters to Change Healthcare, so we follow a privacy framework that helps us to manage and protect your personal information in the products and services we provide."

I guess this speaks for itself. /s

albert_e

[flagged]

AStonesThrow

Definitely: all the other text in that image is AI-garbled. You can also tell, because the company name is not correctly stylized, nor is the correct font used, nor is their logo visible here. This is just a 100% fake AI building with some low-effort text slapped on afterwards.

Why did they not actually bother to use a photograph of UHC's building? What did you expect from a site called "bleepingcomputer dot com"?