It seems as if we’re reading about a ‘historic data breach’ or ‘call to action’ for better data security every day now. This time around, anyone who’s ever sought healthcare in the United States or United Kingdom has a reason to care.
What Happened?
Change Healthcare is a U.S.-based technology company that creates software for healthcare providers. Over one million doctors, nurses, therapists, and other highly relied-on professionals use its cloud-native products to manage patient information. In other words, its reach is large enough that an outage affects the country’s healthcare system as a whole.
That’s exactly the collateral damage that followed when cyber criminals attacked Change Healthcare’s systems on February 21st, 2024. They used a popular weapon of choice, ransomware, to strongarm the company into paying a hefty price for restored access to its systems and patient data. While paying is generally discouraged, the company has since admitted that it transferred $22 million to the hacking group BlackCat/ALPHV. Unsurprisingly, the payment bought no guarantee: as is often the case in these scenarios, patient data still ended up on the dark web.
U.S. healthcare providers have since struggled to put out a massive fire of patient backlash while also aiming to recover from the attack’s impact on their operations. Because Change Healthcare’s software is mainly used for billing and claims processing, many networks are now dealing with significant cash flow problems.
How Did It Happen?
With so much lost and so many impacted, it’s reasonable to ask why and how all this happened in the first place. The answer, by the company’s own account, was not a novel exploit but plain-old complacency. Change Healthcare had not enabled multi-factor authentication (MFA) everywhere. MFA acts as an extra layer of security by requiring a second proof of identity in addition to the password, such as a code generated by an authenticator app or sent by phone or email (app-based codes and hardware security keys are the stronger options, since codes delivered over SMS or email can be intercepted). It took only one remote-access portal, a Citrix server without MFA, for attackers holding compromised employee credentials to log in. From there, they could get their hands on a wealth of Personally Identifiable Information (PII) and hit the black market. The practical lesson is that a password alone on any internet-facing remote-access path is a single point of failure: once that credential leaks, nothing else stands between the attacker and the network. The check to run is whether MFA is enforced on every such path, with no legacy exceptions left behind.
Why Healthcare Is Always the Victim
Attentive news-watchers will notice that this is far from the first time a healthcare provider has been attacked with ransomware. It’s unfortunately a regular occurrence both in the United States and around the world; the average healthcare breach cost just under 11 million U.S. dollars between March 2022 and March 2023. This isn’t a coincidence.
Hospitals, doctor’s offices, and other care settings are prime targets for the PII they handle. In a world where regular usernames and passwords have decent market value, sensitive information like medical records, social security numbers, and financial data is a virtual goldmine.
Of course, there’s no getting around the reality of how modern healthcare works. Especially after the COVID-19 pandemic, more and more patient records have gone digital. This makes it easier for doctors and nurses to access and share information but also increases the risk of a data breach.
It’s also worth acknowledging how privatization plays a role in overall risk. As many already know, the U.S. healthcare system is primarily driven by profit. Most citizens aren’t afforded government coverage for hospital visits, appointments, or surgeries, and must take out private insurance plans. Care providers also operate more like businesses than anything else. They have the liberty of not only setting their own prices but also running their operations with whatever software they deem fit. That becomes a threat to patient data security when external vendors are not properly vetted and held accountable.
How the U.K. Is at Risk
So, why does this matter to the U.K.? Change Healthcare just so happens to be a subsidiary of the larger international company UnitedHealth. UnitedHealth holds a multi-million pound contract with the NHS to provide software for doctor-patient communications, appointment scheduling, prescription renewal, and more. The U.K. subsidiary handling the deal is just one of many private companies that have recently partnered with the U.K. government. Last year, big data analytics company Palantir received several large contracts from NHS England. Advocates are concerned that opening up patient data to private companies like these poses a significant risk to privacy and security.
There are some differences to note between the American and British situations, however. Healthcare in the U.K. remains primarily publicly funded, and these private contracts are with the NHS rather than your local doctor’s office. The U.K. also has stricter data privacy laws than the U.S., such as the UK GDPR and the Data Protection Act 2018.
Nonetheless, any attack on UnitedHealth’s U.K. systems could have devastating effects on individuals across the nation. Just one UnitedHealth service used by the NHS, Patient Access, currently maintains a user base of 17 million. Last year, care providers and patients in the U.K. collectively made 1.4 million family doctor appointments and ordered 19 million repeat prescriptions through the platform.
Now, as UnitedHealth gains both attention and funds from this new deal, the onus is on them to step up. Doing the right thing can mean taking the extra time to implement additional security measures, or even going beyond what is legally required to protect patient data. And while it may come at a greater cost and effort on their part, the potential consequences of a data breach far outweigh any financial or time constraints.
The Takeaway
The NHS already has its fair share of problems. The last thing that’s needed right now is a data breach. Luckily, stories from across the pond can teach us lessons about what to look out for, and more importantly, what can be done to prevent such outcomes from happening in the first place. It all ties back to the idea of accountability. Whether private service providers are involved or not, anyone handling the highly sensitive information of U.K. healthcare patients needs to be committed to data security. Not only that, but they must actually practice what they promise, doing the hard work of regularly maintaining and enforcing the policies that stand between protected health information (PHI) and cybercriminals.
Strengthen Your Cybersecurity with TeraDact’s Solutions
The recent cyberattack on Change Healthcare underscores the urgent need for robust cybersecurity within the healthcare sector, starting with multi-factor authentication (MFA) on every access point to sensitive data, remote-access portals included. It also highlights the necessity for swift response and recovery plans to limit the impact of future attacks. Moving forward, prioritizing the enhancement of cybersecurity frameworks is essential to defend against the evolving digital threats of today.
If your organization aims to strengthen its data protection strategies, consider TeraDact’s comprehensive security solutions. TeraDact seamlessly integrates with major databases and cloud services, offering resilient data protection. Its user-friendly interface and dashboard simplify data security management across multiple locations, making it easy to safeguard your data. Try for free today and take a crucial step towards fortifying your cybersecurity.
