Is your data safe? What UnitedHealth's cyberattack teaches us about security

Do employers really know how safe their data is? UnitedHealth's payment processing company Change Healthcare found out the hard way after being hacked last month — and the consequences are staggering.

Change Healthcare is responsible for 14 billion clinical, financial and operational transactions each year, according to its website, and processes an estimated 50% of medical claims in the U.S. To put it lightly, the Feb. 21 cyberattack on Change Healthcare put American provider and patient data at risk, and now the U.S. government is opening an investigation to find out how much data has been breached and whether the company has complied with HIPAA (the Health Insurance Portability and Accountability Act), which protects patient information.

"Ransomware attacks like the one on Change Healthcare aim to stop organizations from functioning by using encryption to make critical systems unusable," says Mark Stockley, cybersecurity expert at Malwarebytes, an anti-malware software company. "Attacks are carried out by criminal hackers who break into vulnerable organizations, explore their networks, steal valuable data and quietly distribute their ransomware to as many computers as they can."

Providers under UnitedHealth are struggling to get reimbursed for their services, and patients are struggling to access medications as the healthcare company tries to restore medical claims and electronic payment access. This means hospitals and pharmacies are left to wait and absorb an unfathomable financial burden. The U.S. Department of Health and Human Services has asked insurers to waive certain authorizations and accept physical bills from doctors and hospitals — but those can take months to process.  

UnitedHealth stated these services should be up and running later this month, but there's no fixing the breach itself. The American Hospital Association has deemed this attack the most "significant" event of its kind in the history of the U.S. healthcare system. 

Stockley stresses that cyberattacks are only becoming more common, with the Office for Civil Rights seeing a 256% increase in large breaches in the last five years. He advises employers to consider whether they're prepared to prevent and detect intrusions.

"Block common forms of entry: Create a plan for patching vulnerabilities in internet-facing systems quickly," says Stockley. "Use endpoint security software that can prevent exploits and malware used to deliver ransomware. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently."

He also suggests companies create offsite, offline backups of their office tech, so that essential business functions can still be accessed even if there is a breach. Stockley points out that it's common practice for hackers to hold data hostage unless they are given a large sum of money, after which they return access or delete the data they stole.

Only time will tell if UnitedHealth can fully recover its services, but in the meantime, providers and patients are feeling the impact. It is a stark reminder that employers should take action to protect themselves.

"Last year, ransomware gangs were paid more than $1 billion in ransoms," says Stockley. "[These attacks] are set to get worse because it's extremely lucrative, and the gangs behind the attacks are very hard to stop."
