UnitedHealth Case | $2 Billion Data Breach
Cytopus, Feb 11 (updated Feb 24)

UnitedHealth Group Incorporated is an American multinational health insurance and services company. It holds the record as the largest healthcare company by revenue and, through its subsidiary Change Healthcare, is now also the source of the largest known digital theft of U.S. medical records. UnitedHealth Group (UHG) reported earnings of $20.64 billion on annual revenue of $324.16 billion in 2022, figures that had grown every year. The ransomware attack of February 2024 has already cost UHG more than USD $2 billion this year in restoring compromised systems and supporting the providers that depend on them.
On top of that, UHG faces five federal lawsuits over its failure to protect personal information. The stolen records include names, addresses, dates of birth, phone numbers, email addresses, and government identity documents such as Social Security numbers, driver's license numbers, and passport numbers. Health data, including diagnoses, medications and test results, as well as financial and banking information, was also compromised.
Ransomware Attack
The February ransomware attack on Change Healthcare resulted in the theft of private health information for over 100 million individuals, making it the largest known digital theft of U.S. medical records. The attack caused months of unprecedented outages and disruptions across the U.S. healthcare sector, and the consequences of the breach are expected to be long-term, affecting millions of individuals.
Even though UHG paid a USD $22 million ransom to the BlackCat group, there is no evidence that the criminals subsequently deleted the data. Moreover, the payment was not shared among the hackers involved, and a second group later used the same stolen data to demand a further ransom from UnitedHealth Group, publishing some of the files online to show it was serious. Paying a ransom buys no guarantee of deletion; a copy of the data remains in criminal hands either way.
Sequence of the Attack

February 2024
February 21: Optum reported a major breach of Change Healthcare's IT systems, which disrupted pharmacies' ability to fill prescriptions. More than 100 Change Healthcare services were affected.
February 26: Ransomware group BlackCat claims responsibility for the attack.
February 28: SC Magazine reported that the attack stemmed from LockBit ransomware exploiting vulnerabilities in ConnectWise ScreenConnect. ConnectWise denied any connection to Change Healthcare, citing a lack of customer or partner reports linking its software to the breach; this early attribution was later superseded by UHG's confirmation that BlackCat was responsible.
February 29: Healthcare providers across the U.S. faced significant financial strain from the week-long outage caused by the ransomware attack. Smaller providers reported cash-flow problems because claims could not be processed and they could not receive payments through UnitedHealth.
March 2024
March 1: UnitedHealth Group confirmed that the cyberattack on its tech subsidiary, Change Healthcare, was carried out by the BlackCat ransomware group.
March 3: BlackCat reportedly received a $22 million Bitcoin payment as part of the ransom.
March 6: UnitedHealth faced five federal lawsuits stemming from the ransomware attack.
March 7: Change Healthcare’s electronic prescription system was fully restored for processing claims and payments.
March 13: The company’s pharmacy network was brought back online, signaling progress in recovery efforts.
April 2024
April 22: UHG announced that the February 2024 ransomware attack on its Change Healthcare unit had cost it USD $872 million in the first quarter, and that it expected the total cost for 2024 to be between USD $1.35 billion and USD $1.6 billion.
April 25: UnitedHealth confirmed that it had paid a ransom to the hackers behind the attack; CEO Andrew Witty stated that the decision to pay was his. Having obtained a copy of the stolen dataset, UHG was able to begin identifying and notifying the individuals whose information it contained.
May 2024
May 3: UHG CEO Andrew Witty told the U.S. House Energy and Commerce Committee that the attackers used stolen login credentials to access a remote-access tool on the company's network that was not protected by multi-factor authentication (MFA), which made the initial intrusion straightforward.
October 2024
October 15: Change Healthcare's clearinghouse services were restored and the repayment phase of the Temporary Funding Assistance Program was under way. As of October 15, recipients of program funding had repaid $3.2B.
Financial and Operational Impact
On the financial side, UnitedHealth originally estimated that the ransomware attack would cost between USD $1 billion and USD $1.2 billion; the figure has since soared past USD $2 billion, driven by "financial support initiatives and consumer notification costs", which include funding and loans offered to affected hospitals and pharmacies.
Moreover, in the second quarter alone UHG incurred USD $1.1 billion in unfavorable cyberattack effects, and with several class-action lawsuits filed against it for failing to protect patient data, the attack's total cost to the company could continue to grow.
From an operational standpoint, the ransomware attack had a profound impact on UnitedHealth Group’s ability to maintain normal business operations. The breach affected Change Healthcare’s services, which led to delays in processing prescriptions and payments.
Over 100 services were impacted, and the company had to keep some of them offline for about a month, severely reducing its operational capacity. In restoring functionality, Optum prioritized careful, verified recovery over quick fixes so as not to reintroduce the attackers or corrupt data, favoring long-term stability over speed.
Despite the challenges, by March 7, Change Healthcare’s electronic prescription system was fully restored, allowing normal operations to resume.
Cybersecurity Solutions that Could Have Helped
Zero Trust Network Architecture
Zero Trust is an approach that assumes no user or device, inside or outside the network, is trusted by default. Instead of granting broad access once someone is on the network, every user, device and application is verified before each access to a system or dataset. Applied to a remote-access tool like the one used in the Change Healthcare intrusion, that means a stolen password alone would never be sufficient to get in.
Network Segmentation
Network segmentation divides a network into smaller, isolated sections with tightly controlled access between them. If one segment is compromised, the attacker cannot easily move laterally into the others, which limits how far ransomware can spread and how many services go down at once.
Multi-Factor Authentication (MFA)
Multi-factor authentication is another core element of Zero Trust: users must prove their identity in more than one way, for example a password plus a hardware token or an authenticator app. Even if a password is stolen, the attacker still cannot log in without the second factor. This is precisely the control that was missing on the remote-access tool through which the Change Healthcare attackers entered.
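The intrusion described above (stolen credentials, a remote-access tool, no MFA) leaves a recognisable trace in authentication logs. The following script is an added example written for this article, not Cytopus code or anything from UHG: it audits remote-access gateway login events for successes that skipped MFA and for successes that follow a burst of failures from the same source (the credential-stuffing pattern), and shows how a "require MFA" policy would have changed the gateway's decision. The JSON-lines format, the field names and the service name `remote-gateway` are assumptions, and the log lines are constructed sample data.

```python
"""Audit remote-access authentication events for MFA bypass and credential stuffing.

Added example for this article. The log format, field names and the
service name are assumptions; map them to what your VPN/RDP/Citrix gateway
actually emits. Sample events below are constructed, not real data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

REMOTE_SERVICE = "remote-gateway"  # assumed name of the internet-facing portal

# Constructed sample log (JSON lines). jdoe: two failures then a password-only
# success; svc-backup: a service account logging in with no MFA at all.
SAMPLE_LOG = """
{"ts": "2024-02-17T03:10:02Z", "user": "jdoe", "src_ip": "203.0.113.7", "result": "fail", "mfa": false, "service": "remote-gateway"}
{"ts": "2024-02-17T03:10:05Z", "user": "jdoe", "src_ip": "203.0.113.7", "result": "fail", "mfa": false, "service": "remote-gateway"}
{"ts": "2024-02-17T03:10:09Z", "user": "jdoe", "src_ip": "203.0.113.7", "result": "success", "mfa": false, "service": "remote-gateway"}
{"ts": "2024-02-17T08:01:44Z", "user": "asmith", "src_ip": "198.51.100.20", "result": "success", "mfa": true, "service": "remote-gateway"}
{"ts": "2024-02-17T08:05:10Z", "user": "svc-backup", "src_ip": "10.0.4.9", "result": "success", "mfa": false, "service": "remote-gateway"}
{"ts": "2024-02-17T09:30:00Z", "user": "asmith", "src_ip": "198.51.100.20", "result": "success", "mfa": true, "service": "internal-wiki"}
"""


def parse_events(text):
    """Parse JSON-lines auth events into dicts; 'ts' becomes an aware UTC datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def mfa_bypass_logins(events, service=REMOTE_SERVICE):
    """Successful logins to the remote-access service that did not complete MFA."""
    return [
        (e["user"], e["src_ip"], e["ts"].isoformat())
        for e in events
        if e["service"] == service and e["result"] == "success" and not e["mfa"]
    ]


def credential_stuffing_successes(events, window=timedelta(minutes=5),
                                  min_failures=2, service=REMOTE_SERVICE):
    """Successes preceded, within `window`, by at least `min_failures` failures
    for the same (user, source IP) pair: the shape of a stuffing/spraying hit."""
    hits = []
    recent_fail = defaultdict(list)  # (user, src_ip) -> failure timestamps
    for e in events:
        if e["service"] != service:
            continue
        key = (e["user"], e["src_ip"])
        if e["result"] == "fail":
            recent_fail[key].append(e["ts"])
        elif e["result"] == "success":
            fails = [t for t in recent_fail[key] if e["ts"] - t <= window]
            if len(fails) >= min_failures:
                hits.append((e["user"], e["src_ip"], len(fails)))
            recent_fail[key].clear()
    return hits


def gateway_decision(event, require_mfa):
    """Re-evaluate one event under a gateway policy. require_mfa=False models the
    password-only configuration described in the article; True is the corrected policy."""
    if event["result"] != "success":
        return "deny"
    if require_mfa and not event["mfa"]:
        return "deny"
    return "allow"


def audit(text=SAMPLE_LOG):
    """Run both detections over a log and return the findings."""
    events = parse_events(text)
    return {
        "mfa_bypass": mfa_bypass_logins(events),
        "stuffing": credential_stuffing_successes(events),
    }


if __name__ == "__main__":
    report = audit()
    for user, ip, ts in report["mfa_bypass"]:
        print(f"ALERT password-only login to {REMOTE_SERVICE}: user={user} ip={ip} at={ts}")
    for user, ip, n in report["stuffing"]:
        print(f"ALERT success after {n} recent failures: user={user} ip={ip}")
```

On the sample, `jdoe` trips both detections and `svc-backup` trips the first; `asmith` is clean. The `gateway_decision` function makes the policy point concrete: the same `jdoe` event is allowed under the password-only policy and denied once MFA is required. In production, feed the first detection from the gateway's own logs as a standing rule (any password-only success on an internet-facing portal is a finding) and tune the failure window and threshold of the second to your user population.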
Patching and Updating Systems
With the rapid development of new technologies and the continuous growth of applications and software, the number of exploitable flaws increases. New vulnerabilities are disclosed every day, so it is essential to keep software up to date, prioritizing internet-facing systems such as remote-access tools but covering every system, not only critical infrastructure.
Antivirus and Anti-Malware Solutions
Installing and maintaining reputable antivirus and anti-malware software is a critical step in defending against malicious attacks. These tools work by detecting, isolating, and preventing malware before it can execute on your systems.
Access Controls
Restricting user access rights to files, directories, and systems is a fundamental security measure that can significantly reduce the impact of ransomware attacks. Access should be granted based on the specific needs of each user’s role, following the principle of least privilege.
How Cytopus can help your business against ransomware attacks
We can help your business protect against ransomware attacks in the following ways:
Security Assessments: Review your IT infrastructure to identify vulnerabilities and recommend improvements to prevent ransomware breaches.
Cybersecurity Training: Provide training for your employees to recognize phishing attempts and secure sensitive information.
Incident Handling Readiness: Assess your company's preparedness to effectively manage and respond to ransomware incidents.
Compliance Audits: Ensure your business meets relevant cybersecurity standards and regulations (e.g., CRA, DORA) to strengthen defenses against ransomware.
Post-Incident Investigation: Conduct thorough investigations after an attack to identify weaknesses and prevent future incidents.