UHG’s Breach Response May Prove Enlightening for Others

Health Care Compliance Association (HCCA)

Report on Patient Privacy 24, no. 5 (May, 2024)

Organizations typically deal with ransomware attacks out of the public eye, but the massive scale of United Healthcare Group’s (UHG) February breach made that an impossibility. UHG CEO Andrew Witty was recently on the hot seat before the Senate Finance Committee for two-and-a-half hours, explaining how the breach occurred. The hearing also featured pronouncements by committee chair Sen. Ron Wyden, D-Ore., and others about efforts needed in the wake of the nation’s largest breach.[1]

Witty offered details about the steps UHG undertook in response to the breach. These may prove instructive to others in a similar situation.

“Our response to this attack has been grounded in three principles,” Witty testified.[2] “To secure the systems, to ensure patient access to care and medication and to assist providers with their financial needs.” He described UHG’s response as “swift and forceful to contain the infection.”

After locating the server that was breached, UHG “immediately severed connectivity and secured the perimeter of the attack [site] to prevent malware from spreading,” a strategy Witty said was successful. “There is no evidence of spread beyond Change Healthcare” to other parts of UHG.

UHG alerted the FBI “within hours of the ransomware launch” and has kept the agency updated on its actions, Witty said. As has been publicly reported, UHG paid a $22 million ransom, a decision Witty said was his alone. “This was one of the hardest decisions I've ever had to make, and I wouldn't wish it on anyone,” he told the committee. Witty said nothing else about this, and no committee member asked him about it.

It appears UHG received at least some of the breached data back from the hackers, based on Witty’s testimony. UHG analyzed the data and discovered claims information, not “doctor’s charts or full medical histories,” Witty said.

To resume operations—and reassure customers—UHG “worked to rebuild a brand-new technical environment so that we know that it is modern and it’s not infected from the attack,” Witty said. The rebuild was accomplished “in a matter of weeks,” which Witty implied was an accelerated time frame but one that he acknowledged nonetheless created disruptions for its customers.

One best practice in recovering from attacks is to have backup files ready to put into play if primary data is taken or otherwise inaccessible. “The speed of recovery of our systems was really determined by the way the attack encrypted large parts of the environment,” Witty said. “We did not resuscitate large parts of the old environment, which could have brought with it the risks and the suspicion of infection and would’ve led to people not being willing to reconnect at all.”

UHG “spent a lot of time rebuilding from scratch and then having third-party organizations test, scan, penetrate it, to make sure it was super-robust before it came back,” Witty said. “But unfortunately, that took time.”

In undertaking the rebuild, “we prioritized our restoration effort on services most vital to ensure access to care, pharmacy services, claims, and payments to providers,” Witty said.

He also testified that Change Healthcare “stores data both on premises in data centers, and also, to a limited extent, in the cloud.” The attack “implicated both the prime and the backup environments,” Witty said. “The elements which were in the cloud, we were able to bring back almost immediately. The elements which were in the older data centers and had within them multi-layers of historic, legacy technologies” were challenges to the resumption of operations.

Following the breach, “we have moved much more into the cloud, which we believe creates a much more secure future environment,” Witty said.

Breach notification to patients, required under HIPAA, has not yet occurred. Notification is usually accompanied by free credit monitoring and restoration services for affected patients.

“It will take several months before enough information will be available to identify and notify impacted customers and individuals, partly because the files contained in that data were compromised in the attack,” Witty said. “Rather than waiting to complete this review, we’re providing free credit monitoring and identity theft protections for two years, along with a dedicated call center staffed by clinicians to provide support services.”

Witty said that “anyone concerned that their data may have been impacted” should visit https://www.unitedhealthgroup.com/ns/health-data-breach.html. He later testified that “anybody in America can access [this] credit protection and identity theft protection for the next two years” without providing proof they were part of the breach.

During the hearing, Witty repeatedly referred to UHG’s financial assistance, saying it has “advanced more than $6.5 billion in accelerated payments and no-interest, no-fee loans to thousands of providers.” But members of the committee said the assistance initially had onerous terms, and that amounts have been only a fraction of what providers need. Witty said UHG’s “initial approach…was not as effective as we'd liked it to have been.”

UHG “put in place a mechanism, which, for the vast majority of providers, gives them authorization on interest-free loans within hours of application, and that remains open and available for providers who need” it, he said. UHG has “streamlined all of our terms and conditions [and] told providers that there is no need to repay these interest-free loans until 45 [business] days after they have concluded they are back to normal,” Witty testified.

UHG will “provide this assistance for as long as it takes to get providers claims and payments flowing at pre-incident levels,” he added. “We are more than willing to keep that support in place if that's a month, or two months, or three months.”

Witty estimated providers would be “made whole” within a month or six weeks of the May 1 hearing.

Lack of multi-factor authentication allowed hackers to breach Change Healthcare, but ensuring this is in place is “only one element of...defense,” part of a “multi-layered” effort to prevent another attack, Witty said.

Other changes UHG has made include using “external third parties to do double, or treble scanning across our systems as a further protection layer,” Witty said. This is on top of “our normal, corporate-wide scanning of our technology environment,” he added.

To further “strengthen our oversight of cybersecurity at the company,” UHG or Change Healthcare (Witty wasn’t clear on this) now has representatives from Mandiant, a security consulting firm, coming to “our board on an every-meeting basis.” Mandiant employees “have become a board advisor to ensure that we have the very best advice at the top of the company,” Witty said.


1 Theresa Defino, “‘I Will Not Rest’; ‘I Am All In’: Remarkable Breach Hearing Sees Pledges by UHG CEO, Sen. Wyden,” Report on Patient Privacy 24, no. 5 (May 2024).

2 United States Senate Committee on Finance, “Hacking America’s Health Care: Assessing the Change Healthcare Cyber Attack and What’s Next,” full committee hearing, May 1, 2024, https://bit.ly/3xYtvMf.
