
UnitedHealth Paid Hackers $22 Million, Fixes Will Soon Cost Billions


On the cusp of Congressional hearings, the scale and scope of the staggering Change Healthcare cyberattack raise far more governance questions than credible answers.

Change, a UnitedHealth Group subsidiary, processes over 15 billion medical transactions annually, accounting for nearly one-third of U.S. patient records. After a February ransomware attack, for which it paid a $22 million ransom, UnitedHealth’s Optum unit shut the data clearinghouse that serves most U.S. medical providers, 131 million patients and nearly 67,000 pharmacies.

The American Hospital Association (AHA) characterized the cyberattack as “the most serious incident of its kind leveled against a U.S. health care organization.” The AHA reported that 94% of hospitals experienced some adverse financial impact, with over half dealt “significant or serious” challenges. More than 80% of hospitals cited outage-related cash flow squeezes, with nearly 60% estimating daily revenue losses of $1 million or more. Nearly three quarters (74%) reported direct patient care setbacks and delays, necessitating “very labor intensive and costly” workarounds.

AHA President and CEO Rick Pollack observed, “These findings are another irrefutable reminder that the impact of this cyberattack is far-reaching and far from over.” He’s right, and UnitedHealth’s initial SEC filings seemingly conceal as much as or more than they reveal.

According to UnitedHealth disclosures, the cyberattack cost the insurance giant a whopping $870 million in Q1 2024, with nearly $600 million in direct costs for system restoration and response efforts and the rest related to revenue loss and business interruption. CFO John Rex estimated full-year costs will total $1.4-$1.6 billion.

Noteworthy longer-term damage estimates tabulated by Safe Security, a leading cyber risk quantification solutions firm, predict a significantly higher financial impact, with double Rex’s sum, or multiples of it, reasonably possible. The Safe Security prediction employs the FAIR Materiality Assessment Model (MAM) standard developed at the FAIR™ Institute, the industry standards body for risk quantification. The FAIR-MAM approach reveals and considers hidden costs that come due over time, in order to better assess material cyber risk and to estimate loss contingencies more fully and accurately.

The precedents of the Equifax and Anthem breach resolutions, the nature of protected health information and personally identifiable information (PHI and PII), public sensitivity about medical care, and massive health regulation strongly support Safe’s independent view and spotlight the fatal flaw of the SEC’s cyber disclosure foray: self-assessed materiality.

Hidden costs

Based on research from Safe Security published on HowMaterialisThatHack.org, here are ten probable contingent liabilities excluded from UnitedHealth’s initial disclosures. Their absence offers, at a minimum, a great starting point for Congressional inquiry and for the accountability that CEO Andrew Witty should compellingly demonstrate. Above all, leaders lead.

1. Total PII/PHI breach customer support costs. News reports indicate that hackers stole several terabytes of data, including medical, insurance, claims and payment records as well as patient identifiers such as Social Security numbers. Even if just 5% of the more than 150 million affected patients subscribe to ID protection, credit monitoring and risk notifications, those outlays could cost upwards of another $1 billion. Unlike the Equifax hack, which consumers can remedy with new financial account numbers, identifiable personal health data are permanent and inseparable.

2. Patient recordholder class action settlements. Courts streamline redundant class actions with multi-district litigation settlements. Equifax paid approximately $650 million to nearly 147 million plaintiff recordholders. A similar resolution could fetch hundreds of millions in settlement claims.

3. Provider business interruption liability. Numerous media outlets have reported medical providers’ outage-related financial hardships. For instance, the Wall Street Journal documented physicians’ reliance on insurance reimbursements to meet staff payroll and cover overhead and cited several cases of labor furloughs, indebtedness and extra expenses. Business interruption cases are likely underway.

4. HIPAA fines. In 2015, Anthem paid a record $16 million fine to the U.S. Department of Health and Human Services Office for Civil Rights for violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a data breach exposed the protected health information of almost 79 million people, which is half of the potential exposure in the UnitedHealth Change case.

5. States’ fines. In addition to federal penalties, state attorneys general frequently pursue and impose fines for data breaches. Equifax paid $175 million to states, above and beyond its $425 million in customer restitution.

6. Individual medical malpractice lawsuits. Disruption of health care services likely will lead to wrongful death and medical malpractice individual and class action lawsuits. Historical precedent indicates such complex litigation can be lengthy, costly and often results in large compensatory payments.

7. Federal fines and penalties. By comparison, in 2019, Equifax agreed to pay “at least $575 million, and potentially up to $700 million, as part of a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau and 50 U.S. states and territories to settle allegations that the credit reporting company failed to take reasonable steps to secure its network.” And that’s a “smaller” breach.

8. Remediation consent orders. As part of its settlement with the FTC, Equifax was required to remediate cybersecurity control weaknesses to comply with a federal consent order. Such oversight may require companies to incur additional IT remediation and compliance reporting expenditures to satisfy regulators.

9. DOJ-forced divestiture. UnitedHealth won a protracted battle with the Department of Justice related to its $13 billion 2022 acquisition of Change Healthcare. Following the data breach, the DOJ opened an antitrust investigation that may force divestiture of UnitedHealth’s Optum business, which houses Change.

10. SEC fines. The new cybersecurity disclosure rules offer test cases for Securities and Exchange Commission enforcement and penalties. The timing, clarity and estimates in UnitedHealth’s breach 8-Ks and subsequent periodic disclosures will draw intense regulator scrutiny and present additional financial jeopardy. Incredibly, in its first two 8-K filings after the cyber breach (February 22 and March 8), UnitedHealth indicated that it “has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.” In just weeks, those dismissive assertions have certainly not aged well.

Add on unforeseen legal costs, higher audit fees, expanded government relations and employee churn, and cost multiples well beyond double become readily imaginable.

Above all, the UnitedHealth saga reinforces the urgency for corporate leaders to understand the business consequences of cyber risk. Safe Security co-founder and CEO Saket Modi agrees and urges executives to “adopt a robust cyber risk management framework, process and tools — so they can be empowered to proactively safeguard shareholder value.”

More broadly, Modi argues, “Like GAAP, a standard and comprehensive methodology should be adopted to measure risk exposure in a defensible manner.” Doing so also helps boards and C-suites to “understand risk scenarios, quantify exposure, align investments and track effectiveness,” he added, noting, “It may be UnitedHealth’s harsh reality and cost tally that ends ‘check the box’ cyber compliance mindsets.”

Time stands still

The foreseeable calendars of UnitedHealth’s board, Witty and Rex will feature ample forums with unrelenting questions. In the haze of political theater, hackers’ delight, law firm enrichment, severance windfalls and health care upheaval, the queries will answer, for better or worse, the true riddle: who’s really the final boss?
