Change Healthcare finally spills the tea on what medical data was stolen by cyber-crew

Change Healthcare is formally notifying some of its pharmacy and hospital customers that their patients' data was stolen from it by ransomware criminals back in February – and for the first time has concretely disclosed the types of information swiped during that IT intrusion. In a Thursday notice, the healthcare giant said it …

  1. elDog

    Obligatory: We care deeply about our clients' privacy. We will be giving everyone affected a coupon to their local pharmacy for a year's supply of aspirin.

    Much better than the shitty credit-watch agency gimmicks. They are all controlled by the same people/organizations.

  2. A random security guy

    There is no penalty

    Data de-identification should be hard. These guys are not even trying.

  3. VicMortimer Silver badge
    Flame

    Make paying ransom a crime.

    Once again, ransomware works because it's profitable.

    $22 million is a powerful incentive to keep doing it. CEOs need to face prison when companies pay.

  4. An_Old_Dog Silver badge

    New(?) Legal Concept

    We need to introduce a legal concept similar to "fiduciary responsibility", applicable to corporate protection of people's personal data. It should come with similar legal penalties for failure to properly meet that duty.

  5. sanmigueelbeer
    Coat

    Absolute power corrupts absolutely

    UnitedHealth CEO Andrew Witty confirmed to US senators that his company had paid $22 million to the extortionists to ostensibly keep a lid on the stolen data.

    If UnitedHealth is capable of doing this, without a shadow of a lawsuit, legal prosecution or jail time, then I must admit the United States has the best judicial and political system money can buy.

  6. Phil Kingston

    They need to do what we do in Australia - it's basically illegal, except under very narrow circumstances, to pay up (directly or indirectly). Criminal proceedings could result.

  7. amajadedcynicaloldfart Bronze badge

    F.T.A

    "Once the embattled tech biz finishes assessing who exactly was affected, it will mail written letters to affected individuals, we're told, though it also noted 'we may not have sufficient addresses for all.'"

    Maybe they could ask the twats that broke into their systems if they could, "pretty please", supply such info...

  8. duboce

    The "...costs associated with the attack were nearing $1 billion" is but a rounding error for Change/United. It is the fourth largest (by revenue, right under Apple) corporation in the country, and 10th largest on the planet. And I imagine most of the billion is a tax writeoff against their 2023 revenue of $371 billion.

  9. Reginald O.

    No price or pain is too high...

    There's no reason at all to keep either detailed personal identification data on the instantly available internet WAN network or all of our medical data such as diagnoses, prescriptions, etc. But, 'they' all do.

    Even attacks like this do not faze corporate execs. Seems there is no price or pain too high to stop them from putting it ALL out there on the table.

    The majority of OUR data should be buried on drives NOT accessible to the internet and so conversely only available locally. A real person via phone or in person could verify personal data or dig up summary medical data as necessary and distribute it via voice, real paper, encrypted text etc.

    Maybe there would be pitfalls with some of that. But I am sure whiz kid security experts could devise a system much better than what we have now IF they were allowed to do it.

    But, governments and corporations all want all the information at their fingertips. And so, it becomes available to criminals.
