UnitedHealth data breach should be a wake-up call for the UK and NHS

Ransomware gangs are cashing in, but we keep entrusting sensitive data to irresponsible companies

Comment

The ransomware attack that has engulfed U.S. health insurance giant UnitedHealth Group and its tech subsidiary Change Healthcare is a data privacy nightmare for millions of U.S. patients, with CEO Andrew Witty confirming this week that it may impact as much as one-third of the country.

But it should also serve as a wake-up call for countries everywhere, including the U.K. where UnitedHealth now plies its trade via the recent acquisition of a company that manages data belonging to millions of NHS (National Health Service) patients.

As one of the largest healthcare companies in the U.S., UnitedHealth is well known domestically, intersecting with every facet of the healthcare industry from insurance and billing and winding all the way through the physician and pharmacy networks — it’s a $500 billion juggernaut, and the 11th largest company globally by revenue. But in the U.K., UnitedHealth is practically unknown, mostly because it’s not had much business across the pond — until six months ago.

After a 16-month regulatory process ending in October, UnitedHealth subsidiary Optum UK, via an affiliate called Bordeaux UK Holdings II Limited, finally took ownership of EMIS Health in a $1.5 billion deal. EMIS Health provides software that connects doctors with patients, allowing them to book appointments, order repeat prescriptions and more. One of these services is Patient Access, which claims some 17 million registered users who collectively made 1.4 million family doctor appointments through the app last year and ordered north of 19 million repeat prescriptions.

There’s nothing to suggest that U.K. patient data is at risk here — these are different subsidiaries, with different setups, under different jurisdictions. But according to his Senate testimony on Wednesday, Witty blamed the hack on the fact that since UnitedHealth acquired Change Healthcare in 2022, it hadn’t updated its systems — and within those systems was a server that didn’t have multi-factor authentication (MFA) enabled.

We know that hackers stole health data using “compromised credentials” to access a Change Healthcare Citrix portal which had been intended for employees to access internal networks remotely. Incredibly, Witty said the company was still working to understand why MFA wasn’t enabled, two months after the attack. This doesn’t inspire a great deal of confidence for U.K. healthcare professionals and patients using EMIS Health under the auspices of its new owners.

This isn’t an isolated case.

Separately this week, 25-year-old hacker Aleksanteri Kivimäki was jailed for more than six years for infiltrating a company called Vastaamo in 2020, stealing healthcare data belonging to thousands of Finnish patients and attempting to extort and blackmail both the company and affected patients.

Whether ransom attacks prove successful or not, they are ultimately lucrative — payments to perpetrators reportedly doubled to more than $1 billion in 2023, a record-breaking year by many accounts. During his testimony, Witty confirmed previous reports that UnitedHealth made a $22 million ransom payment to its hackers.

Health data as valuable commodity

But the biggest takeaway from all this is that personal data — particularly health data — is a huge global commodity, and it should be protected accordingly. However, we keep seeing incredibly poor cybersecurity hygiene, which should be a concern for everyone.

As TechCrunch wrote a couple of months back, it’s getting increasingly difficult to access even the most basic form of healthcare on the state-funded NHS without agreeing to give private companies access to your data — whether that’s a billion-dollar multinational, or a venture-backed startup.

There might be legitimate operational and practical reasons why working with the private sector makes sense, but the reality is such partnerships increase the attack surface that bad actors can target — regardless of whatever obligations, policies and promises a company might have in place.

Many U.K. family doctor surgeries now require patients to use third-party triaging software to make appointments, and unless you peruse the fine print of the privacy policies with a fine-toothed comb, it’s often not clear who the patient is actually doing business with.

Digging into the privacy policy of one triaging service provider called Patchs Health, which says it supports over 10 million patients across the NHS, reveals that it is merely the data “sub-processor” responsible for developing and maintaining the software. The main data processor contracted to deliver the service is actually a private equity-backed company called Advanced, which was hit by a ransomware attack two years ago, forcing NHS services offline. Similar to the UnitedHealth attack, legitimate credentials were used to access a Citrix server.

You don’t have to squint to see the parallels between what has happened with UnitedHealth and what could happen in the U.K. with the myriad private companies striking partnerships with the NHS.

Finland also serves as a prescient reminder as the NHS creeps deeper into the private realm. Dubbed one of the country’s biggest ever crimes, the Vastaamo data breach came about after a now-defunct private psychotherapy company was sub-contracted by Finland’s public healthcare system. Aleksanteri Kivimäki infiltrated an insecure Vastaamo database, and after Vastaamo refused to pay a reported €450,000 Bitcoin ransom, Kivimäki attempted to blackmail thousands of patients, threatening to release intimate therapy notes.

In the investigation that followed, Vastaamo was found to have wholly inadequate security processes in place. Its patient database was exposed to the open internet, including unencrypted sensitive data such as contact information, social security numbers and therapist notes. The Finnish data protection ombudsman noted that the most likely cause for the breach was an “unprotected MySQL port in the database,” where the root user account wasn’t password protected. This account enabled unbridled database access from any IP address, and the server had no firewall in place.
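The Vastaamo findings above describe a checkable state: a root account with no password, reachable from any host, on a server bound to every interface with no firewall. The following is an added example, not code from the article or from any of the companies it discusses; it audits constructed rows in the shape of MySQL’s `mysql.user` table (user, host, plugin, authentication_string) plus the server’s `bind-address`, and the sample rows are made up for illustration.

```python
from dataclasses import dataclass

# Plugins that authenticate with a stored password hash. An empty
# authentication_string under one of these means "no password at all".
# auth_socket is excluded: it has an empty hash but authenticates via the
# local Unix socket, which is a normal hardened setup for root@localhost.
PASSWORD_PLUGINS = ("mysql_native_password", "caching_sha2_password", "sha256_password")


@dataclass
class MysqlAccount:
    user: str
    host: str
    plugin: str
    auth_string: str  # value of mysql.user.authentication_string


def audit_accounts(accounts, bind_address="0.0.0.0"):
    """Return a list of findings. An empty list means none of the
    Vastaamo-style weaknesses were found in the supplied rows."""
    findings = []
    for a in accounts:
        no_password = a.plugin in PASSWORD_PLUGINS and a.auth_string == ""
        any_host = a.host == "%"
        if no_password and any_host:
            findings.append(f"{a.user}@{a.host}: no password and reachable from any host")
        elif no_password:
            findings.append(f"{a.user}@{a.host}: no password set")
        elif any_host:
            findings.append(f"{a.user}@{a.host}: wildcard host; restrict to specific addresses")
    # A server listening on all interfaces exposes port 3306 to the internet
    # unless a firewall in front of it blocks the port.
    if bind_address in ("0.0.0.0", "*", "::"):
        findings.append("server bound to all interfaces; set bind-address=127.0.0.1 or firewall port 3306")
    return findings


# Constructed sample resembling:
#   SELECT user, host, plugin, authentication_string FROM mysql.user;
SAMPLE_ACCOUNTS = [
    MysqlAccount("root", "%", "mysql_native_password", ""),        # the Vastaamo case
    MysqlAccount("root", "localhost", "auth_socket", ""),            # fine: socket auth
    MysqlAccount("app", "localhost", "caching_sha2_password", "$A$005$placeholderhash"),
    MysqlAccount("monitor", "%", "caching_sha2_password", "$A$005$placeholderhash"),
]

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS, bind_address="0.0.0.0"):
        print("WEAK:", finding)
```

Run it against real output of the `SELECT` shown in the comment; an empty result with `bind-address=127.0.0.1` is the state the Finnish ombudsman’s report implies Vastaamo never reached.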

In the U.K., there have been well-vocalized concerns around how the NHS is opening access to data. The most high-profile partnership came just last year, when Peter Thiel-backed big data analytics company Palantir was awarded massive contracts by NHS England to help it transition to a new Federated Data Platform (FDP) — much to the chagrin of doctors and data privacy advocates across the country.

It all seems somewhat inevitable though. Privacy advocates shout and scream, but big companies with lots of cash keep getting the keys to sensitive data belonging to millions of people. Promises are made, assurances given, processes implemented — then someone forgets to set up basic MFA, or they leave an encryption key under the doormat, and everything blows up.

Rinse and repeat.
