Healthcare provider dealing with massive cyberbreach fallout

The healthcare industry was rocked by a massive cyber breach in late February, and the fallout continues to be felt a month later. UnitedHealthcare, one of the largest healthcare insurance providers, was breached, and it has taken several weeks to even get its services online, throwing the industry into chaos.

The problems began in February when one of its subsidiaries, Change Healthcare, was breached. This breach, while affecting one company, started a chain reaction that disrupted many pharmacies throughout the nation. The breach itself targeted the distribution center through which pharmacies could get prescription-strength drugs. While that may seem innocuous, pharmacies not only could not access the network to distribute their products but also could not process payments. In the days after the breach, they could not fill orders for various prescriptions and were delayed in getting cash to their stores, resulting in a cash crunch and temporary closures of affected pharmacies.

Only in the last two weeks, after the Department of Health and Human Services got involved, have they even come close to a fix. But the damage is immense. Over half of US pharmacies use this system to process payments. Change Healthcare processes about 50% of medical claims in the U.S. for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories.(1)

Just recently they announced that the backlog of over $14 billion in claims and other orders would start being processed as of March 22nd. Before then, they could only process the claims made before February 21st. UnitedHealth said it has made payments of upwards of $2.5 billion so far to offer assistance to healthcare providers impacted by the disruption. “We recognize the event has caused different levels of impact among providers; therefore, we continue to offer temporary funding assistance at no cost,” the company said. “We know many providers, especially smaller practices, are struggling, and we encourage those who need further assistance to access these resources.”(2) The sheer size meant they could not inform everyone within the regulated amount of time and thus will probably face more fines on top of the projected costs.

All of this raises a big question: what will happen in the future? Healthcare is one of the biggest targets for hackers. The reason is simple: the healthcare industry handles a lot of personal information, and many servers are not secured enough to contain this type of breach. A statistics compilation by techtarget.com reports:

  1. The volume of reported vulnerabilities continues to rise. The "Vulnerability and Threat Trends Report 2023" from Skybox Security reported a 25% year-over-year increase in the number of new vulnerabilities in the U.S. government's National Vulnerability Database from 2021 to 2022.
  2. It takes an average of 277 days for security teams to identify and contain a data breach, according to "Cost of a Data Breach Report 2023," released by IBM and Ponemon Institute.
  3. Ransomware attacks are a constant threat affecting all sectors, and it's only getting worse. Ransomware affected 66% of respondents' organizations, according to Sophos' "The State of Ransomware 2023" report.
  4. The average total cost of data breaches in 2023 was $4.45 million, according to the IBM/Ponemon Institute report mentioned above. Breaches in the healthcare industry were the costliest at $10.93 million on average versus $5.90 million for financial services. To this last point, the UnitedHealthcare breach will exceed both of these numbers.(3)

 

This breach should serve as a wake-up call to anyone who does not take cybersecurity seriously; they are much easier targets than something like UnitedHealthcare. Brush up on your cybersecurity measures and prevention, including vigilance, multifactor authentication, and regular training.