In the Aftermath of the UnitedHealth Data Breach: Here’s What We Can Learn

   


 

If you’re connected to the world of healthcare or cybersecurity, chances are, you’re well aware of the data breach that impacted UnitedHealth Group (UHG) and potentially a third of Americans. We’re breaking down this disaster and drawing some lessons from it that all healthcare organizations (and any other organizations that store sensitive data) should consider.

 

What Happened

Let’s take a moment to review the events that unfolded earlier this year. On February 12, 2024, the BlackCat cybercriminal group (also known as ALPHV) used stolen login credentials to remotely access the UnitedHealth network. Nine days later, the group used encryption to lock down the Change Healthcare system (which United Healthcare depended on for managing insurance/billing claims) and demanded a ransom of $22 million.


In all, the cybercriminals stole six terabytes of records, including protected health information (PHI) and personally identifiable information (PII). It’s not yet been determined just how many people were affected by the UnitedHealth data breach, but a company spokesman said the hack “will likely be the largest healthcare data breach in the U.S. to date.”

 

Consequences of the UnitedHealth Data Breach

The breach had far-reaching consequences, including immediate impacts and long-term complications.


Consequences for Providers and Patients

According to the American Hospital Association, 94 percent of hospitals have been financially impacted, especially by cash-flow issues due to reimbursement delays. 


Patients also experienced issues. For example, some were not able to get much-needed prescriptions covered by their insurance, forcing them to pay out-of-pocket (if they were able) and hope to be eventually reimbursed.


Financial Costs to UnitedHealth

UnitedHealth incurred significant costs—$870 million in Q1 2024 alone. Nearly $600 million of that went to system restoration and the direct costs involved in its response effort, and the rest related to revenue loss and business interruption.


The consequences of the breach extend far beyond the immediate impact, especially for United Healthcare. CFO John Rex estimated full-year costs could total $1.6 billion. In addition to the initial costs to clean up the disaster, UnitedHealth may face costs related to customer support, legal actions, federal penalties, Health Insurance Portability and Accountability Act (HIPAA) violation fines and more.

 

What We Can Learn

The silver lining of this terrible incident is that it should encourage organizations—especially those in healthcare—to turn a critical eye to their own approach to data security. Here are four lessons we believe everyone in the industry should take away from this security breach. 


1. It only takes one weak link in the chain to cause a cybersecurity failure.

Hackers were able to gain access to a Change Healthcare portal through a legacy server that lacked multifactor authentication. This may seem like an obvious vulnerability, but it’s not uncommon for companies to lack consistency across their cybersecurity practices. It only takes one point of vulnerability to allow hackers in.


How can you ensure your cybersecurity practices are robust across the board? First, you must ensure there are strong identity and access controls at every level. Consider how a hacker may attempt to access your data and shore up any vulnerabilities you identify.


Second, always entrust cybersecurity to qualified experts. The audit committee of UnitedHealth’s board should have caught the missing layer of security in the legacy system, but as Senator Ron Wyden pointed out, “none of the board members have any meaningful cybersecurity expertise.” Whether it’s internal IT professionals or third-party partners you trust, you need to make sure each link in your cybersecurity chain is strong. 
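One way to check for the kind of inconsistency described in this lesson is to audit authentication logs for remote logins that succeeded without a second factor. The script below is an added example, not part of the original article or any UnitedHealth tooling; the log schema, host names and user names are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample events; the schema (host, user, remote, result, mfa) is
# hypothetical and stands in for whatever your identity provider or VPN logs.
SAMPLE_EVENTS = """
{"host": "vpn-gw-01", "user": "alice", "remote": true, "result": "success", "mfa": "totp"}
{"host": "vpn-gw-01", "user": "bob", "remote": true, "result": "success", "mfa": "push"}
{"host": "legacy-portal-02", "user": "svc-claims", "remote": true, "result": "success", "mfa": null}
{"host": "legacy-portal-02", "user": "carol", "remote": true, "result": "failure", "mfa": null}
{"host": "legacy-portal-02", "user": "carol", "remote": true, "result": "success"}
{"host": "file-srv-07", "user": "dave", "remote": false, "result": "success", "mfa": null}
this line is truncated and not valid JSON
"""

def parse_events(text):
    """Parse JSON-lines text, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            events.append(event)
    return events

def mfa_coverage(events):
    """Map host -> (remote successful logins, those with no MFA factor recorded)."""
    stats = defaultdict(lambda: [0, 0])
    for e in events:
        if e.get("remote") is not True or e.get("result") != "success":
            continue
        counts = stats[e.get("host", "unknown")]
        counts[0] += 1
        if not e.get("mfa"):  # missing, null or empty all count as "no MFA"
            counts[1] += 1
    return {host: tuple(c) for host, c in stats.items()}

def hosts_with_mfa_gap(events):
    """Hosts where at least one remote login succeeded without an MFA factor."""
    return sorted(h for h, (_, no_mfa) in mfa_coverage(events).items() if no_mfa)

if __name__ == "__main__":
    coverage = mfa_coverage(parse_events(SAMPLE_EVENTS))
    for host in hosts_with_mfa_gap(parse_events(SAMPLE_EVENTS)):
        total, no_mfa = coverage[host]
        print(f"{host}: {no_mfa}/{total} remote logins succeeded without MFA")
```

Internal-only logins and failed attempts are deliberately excluded, so the output lists only externally reachable systems where a stolen credential would have been enough.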


2. Every company should have a solid plan in place for disaster recovery.

This disaster can also serve as a lesson in disaster recovery. No one wants to be the victim of a cyberattack, but it can happen, and you need a plan in place for it. Even if you avoid security breaches, your organization could experience a different type of crisis, like a power outage or natural disaster.


To prepare for these scenarios, ensure critical data is securely backed up (and isolated) in a second location so it’s always accessible. UnitedHealth suddenly lost access to vital data, which led to both immediate and long-term disruptions to its business and its members. You don’t want an incident that impacts one of your data centers or systems to bring your business to a screeching halt.


3. The healthcare industry must be especially vigilant as it is an attractive target.

History has shown us that the healthcare industry is an attractive target for cybercriminals. Even more so than other forms of sensitive data (like banking data), healthcare data includes high levels of personal information. Health histories, Social Security numbers and more are all included in patient records. Hackers can take advantage of this data to commit crimes like identity theft or insurance fraud.


Healthcare organizations must take the threat of cybercrime seriously and must ensure they’re adhering to best practices for healthcare data storage.


4. As threats evolve, healthcare organizations must keep their data storage practices up-to-date.

Healthcare organizations should seize this opportunity to consider whether they’re relying on outdated or subpar practices to store their data. Storing healthcare data presents some unique challenges that organizations must grapple with. Keeping high volumes of data (in a variety of formats) protected and easily accessible is no easy feat. But it is possible.


Understand your storage options—including on-premises data centers, private cloud servers and public cloud servers—and choose the right option or combination of options for your organization.

 

Learn More About Healthcare Data Storage

The UnitedHealth data breach was a large-scale disaster, and we sincerely wish it had been avoided. But in the aftermath, we can reflect on the lessons it taught us (or reminded us of). Healthcare organizations must be highly intentional about the way they store data and must have safeguards in place to defend against disasters of all sorts.


Want to learn more about healthcare data storage? Check out our infographic, “7 Benefits of Modular Data Centers for Healthcare IT”!

 
