What's worse - Data Breaches or When Your Health Insurance Company Sells Your Info?

Discussion in 'The Bench' started by 73 Stage-1, Apr 26, 2024.

  1. 73 Stage-1

    73 Stage-1 Dave

    Bad enough just about every app tracks and collects our info, some (most?) of it going back home to China, but do we need to make it easy?

    United Healthcare made $99.8 billion in revenue during the first three months this year. Three Months. If they ask nicely, do you think their "stakeholders" would approve some fundage to step it up in the IT Security Department?


    All from TechCrunch.com the past two weeks:

    April 10
    https://tcrn.ch/3Ubc4AG

    AT&T notifies regulators after customer data breach

    “AT&T — the largest telco in the United States — said that the breached data included customers’ full name, email address, mailing address, date of birth, phone number and Social Security number.”


    April 22
    https://tcrn.ch/4b7QNxu

    UnitedHealth says Change hackers stole health data on ‘substantial proportion of people in America’

    “Health insurance giant UnitedHealth Group has confirmed that a ransomware attack on its health tech subsidiary Change Healthcare earlier this year resulted in a huge theft of Americans’ private healthcare data.”

    UnitedHealth said in a statement on Monday that a ransomware gang took files containing personal data and protected health information that it says may “cover a substantial proportion of people in America.”

    “Much of the U.S. healthcare system ground to a halt, with healthcare providers facing financial pressure as backlogs grow and outages linger.

    “The company reported it made $99.8 billion in revenue during the first three months of the year, faring better than what Wall Street analysts had expected.”


    April 25
    https://tcrn.ch/4aOo1T2

    Health insurance giant Kaiser will notify millions of a data breach after sharing patients’ data with advertisers

    “Kaiser said that the data shared with advertisers includes member names and IP addresses, as well as information that could indicate if members were signed into a Kaiser Permanente account…”

    Kaiser said it subsequently removed the tracking code from its websites and mobile apps.
     
  2. Max Damage

    Max Damage I'm working on it!

    The ransomware thing is the real eye opener. That likely means they paid off the hackers to allow them to continue operations.

    One wonders if they even know whose info was compromised. The "substantial proportion of people in America" is freaky too. What does that mean exactly?

    AT&T I am not surprised about, I have dealt with them in the distant past and they were arrogant and poorly run.

    Here is a link to another story where the Hijackers published samples of the compromised personal health data and offered to sell the whole kit and caboodle to the highest bidder.

    https://techcrunch.com/2024/04/15/change-healthcare-stolen-patient-data-ransomhub-leak/

    Cybercrime is profitable apparently.
     
  3. Dano

    Dano Platinum Level Contributor

    Not only was UHC's Change Healthcare data stolen, but they process 50% of claims in the US and many practices, pharmacies, hospitals, etc. couldn't get paid for prior claims nor submit new ones. Some probably went under. UHC eventually offered pathetic loans (they own a bank too). It was a colossal mess & still isn't resolved. Supposedly the hackers were in their system for a week before shutting it down & as much as ½ the people in America may have had data stolen.

    UHC paid $22M in ransom initially but that organization, which apparently farms out the hacking, didn't pay their partner hackers, who also had a copy of the data and eventually started releasing it and so UHC paid a second ransom.

    I've only followed the story on a more cursory level the past few weeks. Looks like this is going to cost UHC close to $1B but they said on their 1st quarter earnings call that it would have minimal impact to their annual profit.

    Interesting expose on UHC and still barely scratches the surface. Anyone who thinks "Medicare For All" would go down as-proposed will be sorely disappointed. UHC is heavily tied in w/ HHS/CMS & has positioned itself to be the "Single-Payer" although I'd see it as the top 6 or so splitting the pie & it being administered similarly to the Federal Employees Health Benefits.

     
  4. 436'd Skylark

    436'd Skylark Sweet Fancy Moses!!!!!

    Is there a difference?
     
  5. gs66

    gs66 Silver Level contributor

    Both bad.
     
  6. 73 Stage-1

    73 Stage-1 Dave

    Intent. One is a foreign entity stealing our info, and the other is our own giving it away for profit.
    End result is the same, but it feels worse when it’s an inside job.
     
    Dano likes this.
  7. 1973gs

    1973gs Well-Known Member

    I received a letter from AT&T stating that my personal data was leaked. I haven't used them for over four years. Why aren't corporations required to delete personal data when you are no longer affiliated with that company?
     
    Todd69GS and Dano like this.
  8. Dano

    Dano Platinum Level Contributor

    Could look @ that the other way. Selling of data these days is, or should almost be expected (IMHO we should own, control, & profit off our healthcare data if we choose for it to be sold but that genie will need to be put back in the bottle). Even companies that say they won't, have (IIRC, "23 & Me" or one of the DNA co.'s was just fined for that). On the other hand, a company's lax security allowed our data that they were entrusted with to be stolen & sold on the dark web, which IMHO is worse.
     
  9. VET

    VET Navy Vet, Founders Club

    About 5 years ago, I got hit with a ransomware attack.
    The attackers said pay us x-amount of $ dollars and we will restore all your photos we have.
    I told them to F-off. VET
     
    John Codman likes this.
  10. TexasT

    TexasT Texas, where are you from

    Sounds like the photobucket scam. I, too, told them eff off and moved on to a new place to host.
    Having prob with netflix as they want to have a credit card number on file even though I have the service through our Tmobile. Why would anyone let them have that info? I don't even keep card numbers on ebay or scamazon. Can't make it too ez.
     
  11. LSMS

    LSMS Lone Star Motorsports

    The Change Healthcare hack was devastating to their business and all doctors who relied on their services for billings and collections.

    In spite of paying the ransom, their software infrastructure was virtually completely destroyed, leaving them with the prospect of rebuilding their billing system from the ground up.

    It will likely be years before they have completely recovered.
     
  12. 73 Stage-1

    73 Stage-1 Dave

    Yep, that happened in March and what got me headed down the rabbit hole - and finding the others I posted.
    I think it's a modern Ford Pinto deal - until it becomes more expensive to deal with the hacks, vs the cost of tightening security, it'll keep happening.
    Companies are no longer embarrassed or held to account and they've written themselves out of class-action lawsuits in their End-User License Agreements, so paying a fine to the feds is the worst thing that happens. The consumer gets nada, except maybe a free year of credit monitoring.
    How much can you fine a company that has 100 billion dollars of revenue in a quarter year?
     
  13. John Codman

    John Codman Platinum Level Contributor

    My Doctor is now back to handwriting prescriptions and doing direct billing as a result of that hack. The ransom paid was in the millions of dollars.
     
  14. knucklebusted

    knucklebusted Well-Known Member

    In this day and age, it is inconceivable that data breaches are still this easy to perpetrate! In all my years as an IT network and cyber security engineer, the ONLY breach we ever tangentially experienced in our shop was when a 3rd party contractor leaked data they never should have been allowed to possess, given to them by someone in HR, of all things.

    A company like AT&T or United Healthcare getting hacked is a wakeup call to them that neither will want to answer.

    Any organization being hit with ransomware in the last several years is either lazy, too cheap or stupid. The admins were lazy and allowed too much privilege to average users that were stupid. Firewalls at the corporate level are now sophisticated enough to block virtually anything harmful getting in. When I left the industry 4 years ago, firewalls were smart enough to stop anything that jumped the firewall (someone brought an infected device into the organization) from phoning home. The best security systems have an IPS (Intrusion Prevention System) that will shut off a port doing unexpected things.

    Finally, anyone doing sensitive data processing/storage (banking, health, government) should be held to a higher standard. Storage is so cheap by any standard that a ransomware attack should be summarily reported to law enforcement before wiping all systems and restoring from backups. Again, if anyone loses in a ransomware attack, they were lazy, cheap or stupid.
     
    73 Stage-1 likes this.
  15. Storm1

    Storm1 Silver Level contributor

    T-Mobile got hacked and my info was compromised.
    AAA got hacked and my info was compromised.
    My healthcare provider got hacked and my info was compromised.
    They were bought out, and my new health provider got hacked and my info was compromised.

    The Department of Energy got hacked.
    The US Office of Personnel Management got hacked.
    The Department of Health and Human Services got hacked.
    The Department of Homeland Security got hacked.
    The Department of Justice got hacked.

    The list is practically endless....
    At this point I have ZERO expectation of ANY of my information being secured by any company or .gov agency.

    If someone creates software, or hardware to prevent access, someone can hack into it.

    I "Froze" my credit years ago with all 3 reporting agencies. If needed I can unfreeze it within 5 minutes.
    I get a text from my financial institutions for all transactions over $1.
    I personally monitor all my accounts and look for anything out of the ordinary.
    My important passwords are ludicrously long and complicated.
     
