This topic has 7 replies, 4 voices, and was last updated 2 weeks, 6 days ago by Wah Wah Lwin.
2025-09-13 at 10:48 pm #50508
Myo Thiha
Participant
Background of the UnitedHealth Group
UnitedHealth Group is the largest provider of health insurance and healthcare services in the United States. The organization consists of two primary entities: UnitedHealthcare, which focuses on health insurance, and Optum, which delivers a wide range of healthcare services. Optum Insight operates as a division within Optum. In the fall of 2022, UnitedHealth Group acquired the Change Healthcare platform and integrated it with Optum Insight. This digital platform manages insurance claims and functions as a financial intermediary between patients, healthcare providers, and insurers.
Brief description of the story and Original Document
Change Healthcare was the target of the attack. On February 21, 2024, its systems were infected with ransomware, rendering the platform inaccessible. The incident wreaked havoc on the U.S. healthcare system, leaving many patients to shoulder the financial burden of medical expenses as insurance claims couldn’t be processed quickly. Healthcare providers were forced to process bills manually. The original document is in this link.
The impact and consequences of data breach
An official estimate of the number of individuals whose data could have been stolen by the cybercriminals took a long time to materialize. It was only eight months after the incident, on October 24, 2024, that UnitedHealth Group finally came up with a tally. It was a mind-boggling figure: 100 million, or nearly a third of the entire population of the United States. Information such as health insurance member IDs, patient diagnoses, treatment information, and social security numbers, as well as billing codes used by providers, is believed to have been leaked in this attack. By the end of the fiscal year, as reported by UnitedHealth Group in January 2025, the incident resulted in a total annual loss of $3.09 billion. Although the damage estimate for 2024 is now finalized, the total damage could still increase substantially as the company continues to deal with the consequences of the attack.
Data breach causes
According to Andrew Witty, CEO of UnitedHealth Group, the attack began on February 12, 2024, when hackers gained access to the Change Healthcare Citrix portal used for remote desktop connections via compromised credentials. Although two-factor authentication should have blocked unauthorized access, it was not enabled. This allowed attackers to log in using the stolen credentials.
The main cause of the data breach
The breach was primarily caused by the lack of two-factor authentication on a critical remote desktop access portal. This missing security control allowed the attackers to exploit compromised credentials and initiate the ransomware attack.
Prevention of data breach attack
Clearly, the most obvious lesson to be learned from the UnitedHealth Group breach is that two-factor authentication is a must for any public-facing service. Otherwise, a single compromised password could cause massive problems. But two-factor authentication is by no means sufficient protection against ransomware. Here are some additional tips:
– Enhance employees’ cybersecurity awareness
– Monitor any suspicious activities
– Engage an external threat-hunting and response service
– Integrate robust security tools
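The post's two points, a remote-access portal accepting password-only logins and the need to monitor for suspicious activity, can be checked against portal authentication logs. The following is an added example, not code from the thread or from any vendor; the key=value log format, the sample lines and the 10.0.0.0/8 "internal" range are all constructed.

```python
"""Audit remote-access portal logins that succeeded without a second factor.
Added example; the log format and the 10.0.0.0/8 'internal' range are constructed."""
import ipaddress
import re
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range

# Constructed sample lines in a hypothetical key=value portal log format.
SAMPLE_LOG = """\
2024-02-12T03:14:07Z user=jdoe src=203.0.113.45 result=success factors=password
2024-02-12T03:14:09Z user=jdoe src=203.0.113.45 result=success factors=password,totp
2024-02-12T03:15:11Z user=rsmith src=10.0.5.21 result=success factors=password
2024-02-12T03:16:02Z user=svc_backup src=198.51.100.7 result=success factors=password
2024-02-12T03:16:30Z user=svc_backup src=198.51.100.7 result=failure factors=password
2024-02-12T03:17:45Z user=akim src=203.0.113.9 result=success factors=password,push
garbage line that does not match
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) factors=(?P<factors>\S+)$"
)

def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["factors"] = set(rec["factors"].split(","))
    rec["external"] = ipaddress.ip_address(rec["src"]) not in INTERNAL_NET
    return rec

def password_only_successes(log_text):
    """Successful logins that presented a password and nothing else.
    Each finding is (timestamp, user, src, external). A password-only success
    from outside the corporate range is the condition the post describes."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] == "success" and rec["factors"] == {"password"}:
            findings.append((rec["ts"], rec["user"], rec["src"], rec["external"]))
    return findings

def users_needing_mfa_enforcement(log_text):
    """Users with at least one external password-only success, with counts."""
    return Counter(u for _, u, _, ext in password_only_successes(log_text) if ext)
```

Run against real portal exports, the external password-only list is both the enforcement backlog (accounts that must be moved to MFA) and a detection feed, since a successful single-factor login from the internet should not occur at all once the control is in place.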
2025-09-16 at 3:02 pm #50549
Wah Wah Lwin
Participant
Hi Thiha!
Your case looks interesting, and I would say there was a very huge financial and reputational loss from the attack on UHC. It was over $3 billion in financial loss and 190 million data records stolen!! And yes, as per your justification, it was the lack of two-factor authentication that allowed the attackers to execute a ransomware attack. In addition to your preventive measures, I think the system could also be enhanced by regular cybersecurity audits, in addition to a real-time monitoring system, so that any abnormal activities could be promptly detected and immediate actions taken. In addition to the employees’ cybersecurity awareness, the responsible staff should be well-trained with real-case scenarios so that they are well-prepared for any potential attacks, as well as minimizing the risk of financial and reputational loss to UHC.
2025-09-16 at 11:39 pm #50573
Wai Phyo Aung
Participant
Dear Bro,
Thanks for sharing this interesting case. I learned that although MFA was used to secure the system, so that unauthorized requests are blocked automatically, the auto-block function was not enabled. It seems we should double-check or trial whether it actually works, as we always practice in our real work.
2025-09-17 at 6:16 pm #50628
Myo Oo
Participant
Thanks for sharing this case. I understand that this case was caused by the lack of two-factor authentication.
Just for sharing. Nowadays, technology is developing too fast, and attackers are getting smarter. Even if we set up 2FA for our accounts, our accounts are still at risk. Recently, I read a post in which hackers use session tokens to bypass 2FA. For example, when we log in to our account on a browser like Chrome, the browser saves it as a session token. The hackers try to get this token using malware or a fake extension on the browser. Once they get it, they can access the accounts without a password or 2FA.
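The post above describes a stolen session token being replayed from the attacker's machine. One server-side mitigation is to bind each session to the client context it was issued for and revoke it on mismatch. The following is an added example, not code from the thread; the in-memory session store, the 15-minute lifetime and the choice of IP address plus User-Agent as the bound context are assumptions.

```python
"""Bind a session token to client context so a copied token alone is not enough.
Added example with a hypothetical in-memory session store."""
import hashlib
import hmac
import secrets
import time

SESSIONS = {}          # token -> {"user", "ctx_hash", "expires"}
SESSION_TTL = 15 * 60  # assumed short lifetime; limits how long a stolen token stays useful

def context_hash(client_ip, user_agent):
    # Attributes the legitimate client keeps constant for the session; a token
    # replayed from another machine presents a different context.
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

def create_session(user, client_ip, user_agent, now=None):
    """Issue a random token and record which client context it belongs to."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {
        "user": user,
        "ctx_hash": context_hash(client_ip, user_agent),
        "expires": now + SESSION_TTL,
    }
    return token

def validate_session(token, client_ip, user_agent, now=None):
    """Return the user if the token is valid for *this* client, else None.
    On a context mismatch the session is revoked: the real user just logs in
    again with MFA, while the holder of the copied token gets nothing."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(token)
    if sess is None:
        return None
    if now > sess["expires"]:
        SESSIONS.pop(token, None)
        return None
    presented = context_hash(client_ip, user_agent)
    if not hmac.compare_digest(presented, sess["ctx_hash"]):
        SESSIONS.pop(token, None)  # possible token theft; caller should log and alert
        return None
    return sess["user"]
```

Binding to the client IP address causes false revocations for users on mobile networks or behind rotating proxies, so in practice the bound context is often a device cookie or a TLS-level binding rather than the raw IP; the revoke-and-re-authenticate logic is the same.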
2025-09-17 at 8:57 pm #50644
Myo Thiha
Participant
Thank you for sharing, Mio. I need to learn about that.
2025-09-17 at 9:30 pm #50647
Wah Wah Lwin
Participant
Oh! It’s good to know, Mio. Thanks for sharing.