New evidence suggests that more than half of the US population was affected by the ransomware attack on UnitedHealth subsidiary Change Healthcare.
One of the largest data breaches on record was last year's attack on Change Healthcare. Change's technology services involve hundreds of vendors, research institutes, thousands of hospitals, tens of thousands of pharmacies, hundreds of thousands of doctors and dentists, and "almost all government and commercial payers," according to the company's documents. These services inevitably collect a great deal of patients' personally identifiable information (PII). Eventually, that information passed through the hands of several ransomware actors.
Late last year, it was reported that the incident had affected about 100 million Americans. UnitedHealth has now updated its number to about 19 million. A company spokeswoman confirmed it in a statement to Dark Reading, and added that "the majority of these people have already been provided individual or alternative notifications."
A changing cyberattack story
Last February, pharmacies all over the United States simultaneously experienced significant delays in prescription orders. Behind it was Change Healthcare, which is responsible for trillions of dollars in medical claims.
The company first stated that it had suffered a nation-state intrusion. In fact, it was a plain old ransomware attack (for which it would later pay $22 million), and this was not the only important detail it got wrong.
In June, Change Healthcare finally sent data breach notifications and revealed that about 100 million customers in total were affected. However, on Friday, UnitedHealth Group raised its number by another 90 million.
In its updated online data breach notice, the company acknowledged that hackers may have acquired various personally identifiable information (PII) of patients and guarantors, including surnames, dates of birth, phone numbers, home addresses, and email addresses. Social Security numbers were lost only in "rare cases," and in an email to Dark Reading, the spokesman claimed that for Change Healthcare, "no electronic medical record database has appeared in the data during the analysis."
"Change Healthcare has not recognized any misuse of personal information as a result of this incident."
However, Paul Bischoff, consumer privacy advocate at Comparitech, notes that "every data breach press release says there is no evidence that your information was abused or misused. But obviously, they are not really looking for those cases of abuse, and they will never know whether it actually happened, or which data breach caused it."
When data breach disclosure doesn't go well
The Securities and Exchange Commission's (SEC) data breach disclosure rules require public companies to disclose "material" cybersecurity incidents within four days of being alerted to them. The same rule also applies to material updates to breach disclosures, such as when it is found that an attack affected almost twice as many victims as once thought.
Despite these rules, companies have been able to take a great deal of time to investigate and deal with important aspects of breaches. For example, Change took four months to notify customers of the incident, nine months to acknowledge that 100 million people were affected, and longer still to update the number to 190 million.
But Bischoff hesitates before suggesting that what is needed is even stricter regulation. "It's a complicated topic, because you are putting such a burden on the company. Because companies are the victims in these situations, I wouldn't want to punish them unfairly," he says.
"At the same time, we often see these companies take too long to finish their investigations and notify victims. Sometimes it can take more than a year after they have lost people's data. People need to know while it is as fresh as possible, so I think stricter standards are needed."