UnitedHealth admits IT security breach could 'cover substantial proportion of people in America'

UnitedHealth Group, the parent of ransomware-struck Change Healthcare, delivered some very unwelcome news for customers today as it continues to recover from the massively expensive and disruptive digital break-in. In a very roundabout way, the corporate giant says network intruders may have accessed internal health- …

  1. Mike 137 Silver badge

    What about one-time credentials?

    "the criminal crew got into Change Healthcare's network via pilfered credentials for a tech system that permits remote access to its network"

    As a really basic protection, any remote access for technical management should always use connection source validation and out of band generated one-time credentials so they're useless to an adversary. This is so fundamental! It amazes me that any business fails to implement it. Unless of course this breach really resulted from compromise of an already authenticated current session, which is a whole different issue. And then of course there's the question of whether the network segregation was adequate.

    But as Major General Jonathan Shaw, late head of cyber security at the UK MoD, famously stated: “...about 80 per cent of our cyber problems are caused by what I call poor cyber hygiene.”

  2. Korev Silver badge
    Childcatcher

    The cost of the saga to the org is currently pegged at $870 million for calendar Q1 and could stretch to $1.6 billion for the year, UnitedHealth confirmed last week. ®

    I'd love to know if Change Healthcare's geeks had tried to get and were turned down for money to bring the company's infrastructure up to date. If that is the case, then I'd like to know even more if the sum requested was less than $870M.

    1. Doctor Syntax Silver badge

      They may have proposed procedures which could have involved trading a smidge of inconvenience for security. Nothing like the inconvenience caused to all the victims, of course.

  3. Valeyard
    Facepalm

    blackmailed twice

    Pay the ransom then the blackmailers return for a double dip.

    well I never.

    1. Michael Wojcik Silver badge

      Re: blackmailed twice

      The interesting twist in this case is that it's a different affiliate demanding the second payment. This has rather muddied the waters. It's not clear if both affiliates were involved, if one cheated the other out of part of the payment, if one of the payment demands was a scam, etc.

      1. Valeyard

        Re: blackmailed twice

        yeah or if one's just sold a promising lead to a nice fat whale to the other

  4. Doctor Syntax Silver badge

    Things are at least improving about the PR response. It's not claimed to be just a few.

  5. Anonymous Coward

    What I see all the time

    I've been signed up for multiple healthcare plans in the US for 40 years now, they are not super efficient but they do normally work well (even if it costs me a lot of money). But these days I think this story title should be Current IT data security failures cover everyone ... I just got a letter mailed to me today telling me that my Medicare can be updated to give me more money but it needs my credit card details to process the new situation ... but while I live in Louisiana, the letter was sent from Utah.

    I have always suspected that all my Medicare details have been hacked and sold, so this anonymous response is just trying to be safe.

    1. Anonymous Coward

      Re: What I see all the time

      I just took the letter to the local government office, they verified that it was spam but said that they were going to trash it - I had only thought that a confirmation might help stopping attempted thefts, but the evidence of a spam attempt to steal money was just thrown away.

      The environment that IT data theft seems to have created for years now is that all spam attempts to steal money are allowed and treated as virtually legal.

      1. Gene Cash Silver badge

        Re: What I see all the time

        Or it could just be they're governmentally incompetent.

        I live in a house that had a long string of renters over the years, so I still get mail for a round dozen people. The procedure from the USPS website is to mark it "Not at this Address: Return to Sender" and put it in the post office box (which is quite a drive away).

        Opening it is illegal, of course, but then so is throwing it away.

        I also put a label with my name on the inside of my mailbox, as recommended.

        So of course I get the same piece of mail redelivered, complete with my large Sharpie marking on it. I marked it in red Sharpie and tried again, and it was delivered to me again. One more try with a green Sharpie.

        I then put it in an envelope and sent it to the nearest Postal Inspector's office, with a letter explaining the circus, and I haven't gotten the wrong mail for at least a week now.

        1. JWLong

          Re: What I see all the time

          "So of course I get the same piece of mail redelivered, complete with my large Sharpie marking on it. I marked it in red Sharpie and tried again, and it was delivered to me again. One more try with a green Sharpie.

          I then put it in an envelope and sent it to the nearest Postal Inspector's office, with a letter explaining the circus, and I haven't gotten the wrong mail for at least a week now."

          Next time use a Marks-A-Lot and blot out the little barcode the post office uses for its data processing/routing that's just below the center address area. Then write "RTS" across the whole face of the envelope.

          And, UnitedHealth currently has a major marketing program going to sucker users into their system for Medicaid/Medicare services. Bunch of thieves.

          1. Telman

            Re: What I see all the time

            That's not fair to thieves.....

  6. Chairman of the Bored

    Marketing Dept?

    If you work for a small firm on the left side of the pond you typically have no choice which insurance provider to use. About the best you can do is choose the level of service or forgo coverage entirely.

    Some employers will recompete contracts every few years, most are on autopilot and go down the path of total vendor lock-in.

    So I suppose the marketing effort is expended on selling to the businesses - not consumers. The attitude I've seen from the businesses to this sort of third party contractor breach is "stuff happens, nothing you can do - thank goodness it wasn't our IT that got hit. Carry on." As opposed to "I need to find a better contractor"

    Joys of employer-provided cover.
