Why Aren’t We Talking About United Healthcare?

Morgan K. Reed
Mar 26, 2024

If you’re around any business that owns even one computer and a single iPad, the theoretical talk about Cybersecurity is almost constant. It’s no longer just at the “hacker” events nerds like me go to; it’s at the financial conferences, the business meetups, the trade shows. In all of the moments where demos and talks used to throw around phrases like retention, stickiness, conversion, funnels, and pipelines, there are now only two topics that matter: AI and Cybersecurity. Today, let’s focus on Cybersecurity, specifically one major recent incident that is largely being downplayed: the breach of United Healthcare.

Numbers can tell simple tales, so I have a ridiculous number for you:

$100 Million.

This is how much money U.S. healthcare providers lost every single day United was down.

If you’re not familiar with this story, United Healthcare was hacked on February 21st of this year. Since then, payments to providers nationwide have been disrupted, so doctors, offices, multiple clinics, and hospitals have not been getting paid for services they billed UH for. United’s official statements promise that some functions will be restored this week (3/25), with more staggered restorations in the subsequent two weeks.

A nation-state actor disrupted their services. While it hasn’t been publicly acknowledged by the company, a Bitcoin transaction of approximately $22 million to the hacking collective was traced from one of UHC’s subsidiaries. It’s not entirely clear how much paying the ransom helped in this case, but that’s secondary to the point.

The reason this was such a disaster is that Change Healthcare, a branch of United, administers payment software which processes 1 in 3 medical transactions submitted in the United States. The $3 Billion in lost or delayed revenue that clinics and doctors rely on to keep their doors open and lights on has also managed to distract from the fact that an indeterminate number of UHC clients have had their data poached and undoubtedly resold. Since medical records often sell on the dark web markets for around $60 per person (as opposed to $15 for an average SSN), and around 6TB of flat data was stolen, that’s also a pretty intense payday for criminals as well as an epic breach.

So how is this not at the top of every news cycle?

How did a company with some of the highest responsibilities in the world fail on one of its biggest operating directives so epically?

Just thinking about $3 Billion makes the brain seize. One of the most expensive cars sold new is the Bugatti Chiron, at $3.3 Million. This equals 909 of them. Alternatively, a Tesla Model S Plaid costs about $90,000. This would buy you 34,482 of them, which is enough to cover 83 1/3 acres of land, which is approximately 75% of the area of the Vatican or 13 times the area of Central Park. It’s the GDP of at least 10 small countries like Tonga or the Solomon Islands.

So why isn’t this higher in the news cycle? Yes, we’ve got a certain amount of chaos in the world at this moment, including conflict in the Middle East, war in Ukraine, and a presidential election between two incredibly elderly men who seem about as popular as pet vomit, even with their respective bases. But a company so big that its failure nearly brings down an entire country’s healthcare system should be considered a bit important, too.

In the short term, UH has already been notified that they will be subject to investigation and oversight from the federal government. I don’t think it’s hyperbolic to call this one of the bigger screw-ups a company has ever committed publicly. They’ll probably survive after some heavy penalties and fines, and it’s almost a guarantee that a few senior people will lose their jobs, or more likely be offered the opportunity to step down. It’s highly unlikely we’ll know a ton about how the attack happened, as this isn’t an area where transparency is mandated or even recommended, lest the attack be repeated.

Perhaps, if the Biden administration continues its recent trend of enforcing antitrust legislation more than many previous political machines, United might see itself on the side of a corporate breakup down the road, but that will mean years of legal proceedings and negotiations.

More than anything, events like this underline how Cybersecurity regulations are still very similar to the Wild West in some domains. Most IT pros know the old axiom about how people only pay attention to you when you’re not doing your job well. But with a failure this large, it’s more than just one bad leader or a couple of bad techs who made a small blunder; it’s a systemic failure due to multiple bad and shortsighted decisions on multiple levels from the top down. Security is too important a subject to let companies self-police. The bigger question is whether the policies enacted in the next few years will be adequate, or will even be crafted by people who understand the problems and threats the security space faces.

Morgan K. Reed

CIO, software SME, gamer, husband, father. My dogs let me have 50% of the couch.