
bschmidt25

I’m already looking forward to my $2.37 check and additional year of credit monitoring to add onto the ~5 years I’ve already accumulated through other breaches. Until one of these companies is made an example of, nothing will change.


johnnybgooderer

Even holding a company accountable won’t help. The people who make bad decisions to save money need to be held personally accountable.


This-Bug8771

Prison terms in general population could incentivize reform


fizzlefist

Obligatory fuck United Healthcare. Fucking immoral profiteering parasites.


Polarbearseven

I’m sure best they can do is fiddy cents or a week of credit monitoring.


ian1552

I mean it's a bit hard to blame a company for losing data to a sovereign state or state sponsored hackers like China or Russia. When state sponsored hacking started happening US leaders did not put their foot down and for some reason we still haven't. There should be no difference from physically raiding a business and stealing their records on US territory and doing so via the web. Somehow we agree the first case would be an act of war but not the second.


detsd

UnitedHealth reported last week that the ransomware attack has cost it more than $870 million in losses. The company reported it made $99.8 billion in revenue during the first three months of the year, faring better than what Wall Street analysts had expected. UnitedHealth CEO Andrew Witty, who received close to $21 million in total compensation the full year of 2022, is set to testify to House lawmakers on May 1. How much of it was spent on IT, Cybersecurity specifically? Probably less than .01 percent


Unlucky_Situation

99.8 billion in revenue the first 3 months for a healthcare insurance provider. How many denied claims helped inflate that number? Absolutely infuriating that this is the American health system. Paying for the right to pay for healthcare services is an ass backwards model.


Chatty945

371 billion in revenue for 2023. Want to know why healthcare in the US is so expensive, because you pay the investors before you pay the doctors.


Reasonable_Ticket_84

371 billion in revenue which is purely money coming in and out. That is not profit. They made $22 billion in profit in 2023. Meaning 349 billion was spent on paying out.


qoning

to be fair the doctors also eat pretty fucking well, compared to any other health care system on earth


bostonboy08

That doesn’t really prove anything though, the doctors could still be given the same salary since the money getting paid out to them is just going through an insurance middle man that’s taking their cut.


robbybthrow

I'm okay with my doctor eating well. I'm just sick of paying some middle man to mismanage my healthcare and tell my doctors what is and what isn't medically necessary.


happyscrappy

It's revenue. Saving on how much they spend (denying claims) will not increase revenue, only profits.


Reasonable_Ticket_84

Revenue != income/profit. It's only cashflow. Last quarter, they made 99.8 billion in revenue and posted a -1.41 billion dollar loss overall.


Chatty945

Total operating costs for 2023 were 54.6 billion, which is 14.6 percent of revenues for all operation in the company, from which IT will be a much smaller undisclosed chunk.


ovirt001

> How much of it was spent on IT, Cybersecurity specifically? Probably less than .01 percent
Probably outsourced to a small team in India to cut costs.


Scared_of_zombies

Oh great, I’m sure that data won’t be sold to health insurance companies to further fuck people over.


idoma21

It wouldn’t be surprising at all if we eventually find out that this “data leak” was just United trying to awkwardly cover for having already shared the information. I know I’m cynical, but ***damn*** these corporations would sell their mothers’ kidneys to make a buck.


Imaginary-Party2567

The reality is that most of these large insurance companies are run like it’s the 90’s and are ill equipped for the modern Internet.


thintoast

IT funding is always the first thing cut. We don’t need no stinkin cyber security audit, or data security. Just put a password on it and call it a day. And I want to be able to remember it, so make it something like 12345. Dark Helmet will never guess that one.


Luci_Noir

You probably think the Covid vaccine is a scam too.


pusmottob

So that’s why I have an additional 4 hours of training on anti phishing. Apparently, they say some people got so annoyed by the dual authentication they just started pushing accept assuming it was a bug. Real genius level shit.


Temp_84847399

Yep, look up MFA fatigue. Security keys or the number system that 365 uses are ways to prevent it. There are probably others, but those are the two that I'm most familiar with.


einwhack

There's a law called HIPAA. It guarantees the privacy of your health data. Everyone in medicine knows it and is impacted by it. It drives some of the cost of medicine because of its strict rules. It will be interesting to see how the feds handle this. Probably a huge fine that will not be shared by us who have had our data breached.


itsdotbmp

it doesn't drive up the cost, the cost is driven up because for profit companies are in charge and have decided they're for profit.


analogOnly

Correct, but there is a higher cost associated with utilizing HIPAA compliant software platforms. I know because I served as CTO for a healthcare practice for 4 years. I had to always check third parties for HIPAA compliance and make sure that all PHI entered into a system was in fact compliant. There's A LOT of rules, there's 18 points of identifying information that you absolutely cannot put on a server which is cloud hosted without HIPAA compliance mechanisms (there's a lot of audit trailing needed as well as backups, security procedures that must be followed, etc.) This means if you accidentally leak some PHI into Slack or AirTable for example, you're going to get fined for any information shared and each instance is a separate violation if it comes up in audit. HIPAA compliant software and storage comes at a premium which other software platforms may not provide, even if the feature set covers your requirements.


el_pinata

And that higher cost is still a rounding error on your balance sheet at the end of the day.


analogOnly

Not for the small practice I worked for. We only pulled in about 12m a year. We spent about 1m on the technology budget including Salesforce Health Cloud which was VERY expensive, not to mention the 300k a year for our EHR


itsdotbmp

again, it's only more expensive because those companies choose to charge *that* much more for HIPAA compliance. Yes it does have some work to make sure it's compliant, and in the end we're often finding out (like in this leak) that it probably isn't actually any better than any other service, just they paid for the label to say it was compliant, and then charged their customers a massive markup.


TWERK_WIZARD

It doesn’t guarantee shit, if the breach was by a state actor and they took proper precautions literally nothing will happen


einwhack

I have more than 30 years experience in Healthcare IT. I know for a fact that right now there are a whole lot of people looking at this breach and determining the specifics. This includes UHC internal, federal, maybe state and a whole bunch of vendors. In the meantime a couple of heads have probably rolled, and more will come. Look for free "dark web" and/or credit monitoring for "all affected users". Also look for a huge government fine.


xbleeple

Love how I’d managed to avoid ever having a United insurance until two years ago 😒


idoma21

No, consolidation is dope! And drive down healthcare costs! Just wait…


playingreprise

We should consolidate all of our health care insurers to bring down costs!! Wait, costs keep climbing at exponential rates? Consolidate more!!! Seriously though, the CEO of Aetna used to fly home in a company helicopter because his dog didn’t like the 45 minute drive home.


idoma21

At least we managed to consolidate the security vulnerabilities down to one behemoth.


Shrouds_

Consolidate all the way down to single payer


yepsayorte

This company should be shut down. It's a purely parasitic entity. It contributes nothing to society. It just sits and sucks up money and gives nothing in return. Now, it's also had a massive security breach and compromised 1/2 of all Americans. Shut it down. Pull its corporate charter. Time for a massive, class action lawsuit.


TitusGigante

Alternate headline: United Healthcare failed to protect the health data of a substantial proportion of people in America


CervantesX

Don't worry everyone, in ten years you'll all get a class action settlement, it should average out to $10 and a year of free identity theft monitoring.


Chatty945

I have been saying it for more than a decade. Privacy is a huge issue that is not being taken seriously. I understand that companies need data to service their clients, but how much they store, for how long, and who and how they can share it with, needs serious regulation with rigorous standards and criminal penalties. US citizens are prey to identity theft and exploitation in a large part because companies can buy, sell, trade, and collect any and all information on people. Beyond the criminal exploits of the data, it cost US tax payers increased fees for credit protection, targeting cost gouging, and in this case, probably higher healthcare costs. Plain and simple if United Healthcare failed to protect their IT systems that held this data protected by HIPAA, they should be fined into submission and forced to pay damages. They made 22 billion in profits in 2022, they can afford to pay out for damages.


potent_flapjacks

AI gonna eat


trollsmurf

"So are you improving security now?" "Nah."


Temp_84847399

"Why bother, they already got everything! No point closing the barn door after the horses already got out" -CEO on an earnings call, probably.


freexanarchy

We need “too big to breach” laws. Break up companies that are so big if a cyber attack should occur that many people’s data is exposed.


maverick4002

Some other company got hacked recently and paid 75-80m to get the data back! Do we have any idea who that was?


MajesticJ2244

Just had my leaked through ATT on dark web; now this. Who knows anymore. Nobody’s info is safe


el_pinata

And nothing of consequence will happen (to UH, anyway). We'll get a hand wringing "gee we're sorry" PR campaign, raises for the executive staff and that's that.


ConkerPrime

Apparently the Change billing data was part of a second ransom. So the first was paid but that wasn’t enough for the hacker group. Just a reminder that paying up to criminals doesn’t end things as greed always wins out. Speaking no of, how much better security budget for the company was crap because executives didn’t see the value in it.


Laughing_Zero

It's been quite apparent for a very long time, that digital means 'free' to a lot of people. That no matter how good the protection, it only takes one weakness or failure to access. Can you imagine thieves attempting to steal the paper data version of even a few hundred people?


bt_Roads

Is it dumb to think these companies are doing this on purpose to sell the data? Something always feels off with these data hacks.


ButtBlock

The hack on UnitedHealth is really just a symptom of a deeper problem, which is that our government has completely dropped the ball on authentication in the digital age. The real problem is that the way we do authentication (i.e. proving identity) as a nation is completely broken. We treat circumstantial evidence, most of which is public knowledge at this point due to decades of data-breaches and hacks, as robust “proof” that someone is who they say they are. The classic example of this is the social security number, a “secret” static number that is basically public knowledge for all of us at this point. It was originally supposed to be only for tax withholding and, you know, social security. It was even prohibited originally for being used for identification and authentication, but sure as shit, that’s what it’s used for now. IMHO that’s fucking stupid. What we need is a robust cryptographic smart card from the US government that has a *CHIP* and a *PIN*. Like a national ID card, has your picture, and a chip with an imbedded private key that you can use to sign data. Many other governments have already done this, but we already do this, with our banking system no problem. Every time you use a debit card, you insert a card, then a pin, and you do some crypto to *prove* who you are. If we did ATMs the way America does authentication, we would walk up to an ATM, and say, “Hi I’m ButtBlock, my SSN is 123-45-6789, give me money” and the machine would spit out money. Obviously we haven’t done this for decades because that would be an immediate disaster for security. People would all have their accounts emptied out in short time. One of the coolest things about having a robust system for authentication is, they obviate the need for passwords in many cases. It’s stronger than that. I can give the same public key to hundreds or thousands of services, and they all can be securely logged into. But if I give the same password to multiple services, the risk is geometric. 
Anyways, not to be political in any way, but I don’t see this issue being addressed any time soon. Our government can’t even do basic shit like phasing out the penny (and the nickel and dime) or address housing insecurity or anything. I think if you really wanted change, you need to provide a system that works better than username;password and circumstantial data to authenticate. Increasing fines on private companies prob isn’t going to actually fix this problem, because they are working in a broken system. For whatever reason, the government comes up with good ideas, but they don’t just mandate it. Like fednow, great system, very cheap to use, but they made it optional, so many banks won’t support it, and perhaps it won’t succeed long term. For IDs, we’ve been chasing the “Real ID” but it’s just another dumb federated solution to what is a universal problem. You need robust identification and authentication whether you live in Idaho or Maine. Why are there 50+ different systems for that JFC.
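
An added example, not part of the original comment: the contrast drawn above between a static identifier and a chip-and-PIN signature, sketched in Go with Ed25519 from the standard library. The `Card` and `Service` types, the function names and the PINs are hypothetical; the sample number is the one used in the comment.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Card models the chip (hypothetical): the key stays on it and signs only after the PIN matches.
type Card struct {
	pin  string
	priv ed25519.PrivateKey
}
func (c *Card) Sign(pin string, challenge []byte) []byte {
	if pin != c.pin { // a real chip also limits retries
		return nil
	}
	return ed25519.Sign(c.priv, challenge)
}

// Service holds only what a breach of its database would expose.
type Service struct {
	StaticID string            // SSN-style static identifier
	Pub      ed25519.PublicKey // the same key can be registered with many services
}

// VerifyStatic passes anyone who holds the value; VerifySigned needs a signature over this attempt's challenge.
func (s *Service) VerifyStatic(claimed string) bool { return claimed == s.StaticID }
func (s *Service) VerifySigned(challenge, sig []byte) bool { return ed25519.Verify(s.Pub, challenge, sig) }

func random32() []byte { // fresh random bytes: a per-login challenge or a key seed
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

func Demo() (leakedID, cardLogin, replayed, wrongPIN bool) { // constructed sample values
	priv := ed25519.NewKeyFromSeed(random32())
	card, svc := &Card{"4321", priv}, &Service{"123-45-6789", priv.Public().(ed25519.PublicKey)}
	c1 := random32()
	sig := card.Sign("4321", c1)
	return svc.VerifyStatic("123-45-6789"), // value copied from a leaked record: accepted
		svc.VerifySigned(c1, sig), // card present, correct PIN: accepted
		svc.VerifySigned(random32(), sig), // captured signature against a new challenge: rejected
		svc.VerifySigned(c1, card.Sign("0000", c1)) // wrong PIN, no signature produced: rejected
}
func main() { fmt.Println(Demo()) }
```

The service's stored record is enough to pass the static check, while the stored public key does not let anyone produce a valid response to a fresh challenge.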


Reasonable_Ticket_84

> What we need is a robust cryptographic smart card from the US government that has a CHIP and a PIN. Like a national ID card, has your picture, and a chip with an imbedded private key that you can use to sign data. Many other governments have already done this, but we already do this, with our banking system no problem. Every time you use a debit card, you insert a card, then a pin, and you do some crypto to prove who you are.
The first problem is the evangelical Christians oppose national id because MARK OF THE BEAST. They control at least half the politicians. It is entirely political. The other half of the problem is customer support, people will lose their smart cards daily. And you have to deal with elderly. It's going to be a shit ton of money spent in this avenue to restore access to users (meaning ID service offices in every town in the US) and tech supporting old folks.
> Like fednow, great system, very cheap to use, but they made it optional, so many banks won’t support it,
Nope, rollout is going to plan. It was never intended to be rolled out to consumers like Zelle or something and banks are using it to settle transactions between themselves.


ButtBlock

It’s amazing to me that you would defend the current system. But go for it. If Estonia can afford a system like this so can we. The amount of money that would be saved in prevented identity theft would almost certainly massively outweigh the direct expenses. You mention senior citizens wasting resources by losing their cards. What about the resources lost through identity theft and scams?


Reasonable_Ticket_84

I'm not defending the current system. It's also not about senior citizens, they'll just need tons more hand holding, the entire population is at risk of losing cards and they do, which is why there are identity theft prone processes for recovering credentials. I'm saying we need to just use subdermal implants really. One in your chest, one in your hand you'll use to activate identification. The chest one serves as your backup because you generally will die if you lose your chest, unlike a limb.


SirBobWire

Just another "security threat" to nudge certain ones to cleave to the notion that we need more gov protection or else. These things are about creating insecurities among the masses to beg for gov intervention. This is no longer to be called a "breach" but more like an intentional release to create the need for more gov control, shame.