[HN Gopher] UnitedHealth Group has paid more than $2B to provide...
___________________________________________________________________
UnitedHealth Group has paid more than $2B to providers following
cyberattack
Author : udev4096
Score : 85 points
Date : 2024-03-21 13:37 UTC (9 hours ago)
(HTM) web link (www.aol.com)
| gravescale wrote:
| Funny how that money wouldn't have been there when someone
| suggested doing it right in the first place.
|
| Of course the MBAs see this as a win as their names aren't on
| anything except the profits at the time. Parasites.
| kurthr wrote:
| This (IT Integrity Charge) will become a line item on your
| medical bill. All the other providers will follow, prices go
| up, insurance companies make more money, and "shareholders" see
| high returns!
| natoliniak wrote:
| > We continue to call on Congress and the Administration to
| take additional actions now to support providers
|
| ah yeah, the old socializing losses and privatizing profits.
| dsr_ wrote:
| At what point will cybersecurity firms arrange deals with
| cybercriminal organizations to keep the money flowing?
|
| * protection for our clients
|
| * drum up business for the market as a whole
|
| * make competitors look bad -- especially if they get attacked
| directly
|
| After all, breaking a window makes money for the glaziers.
| qaq wrote:
| cybercriminal organizations pull way more $ than cybersecurity
| firms do
| null0ranje wrote:
| Maybe when supply outstrips demand? It looks like there is more
| than enough business for the foreseeable future that there is
| no need to resort to protection rackets.
| whimsicalism wrote:
| This has already happened in a few notable cases with DDoS
| protection providers; it's basically digital RICO.
| throwup238 wrote:
| Cloudflare?
|
| They provide DDoS protection to DDoS providers that would
| otherwise have taken each other down, so those providers can
| find clients for their services which further necessitates
| Cloudflare's main product.
| htrp wrote:
| https://xkcd.com/250/
|
| also I think there was a thing on krebs where a reputation
| defender company was also operating one of those mugshot search
| sites
|
| https://krebsonsecurity.com/2024/03/ceo-of-data-privacy-comp...
| costco wrote:
| UCEPROTECT has mastered the email blacklisting protection
| racket. Randomly list IP space on blacklist, force payment for
| removal, ???, profit.
| ixaxaar wrote:
| Good. Also, don't hire good devs, only hire the cheap ones in
| India.
|
| Money saved can be paid to these providers. That way, the money
| stays in the us. A 10k IQ move that no one will understand.
|
| /s of course
| qaq wrote:
| It's to a degree orthogonal to the devs you hire, as a
| well-resourced APT will be able to penetrate any org regardless
| of the quality of developers an org hires.
| peteradio wrote:
| Inevitably the cause of the breach will be something like an
| open firewall.
| bluGill wrote:
| 70% of security vulnerabilities in code are memory safety
| issues. However, the vast majority of in-the-wild attacks
| were not against security vulnerabilities but against
| people. No technology can protect you from someone giving
| out the secret keys to the attacker.
| waihtis wrote:
| just false, if you look at most of the ransomware cases
| for example. This whole fixation of "human layer
| security" has done more harm to cybersecurity than many
| actually malicious things. Wasting your money and
| resources on training Karen from HR to spot 20% more
| phishing emails yields exactly the results you'd think it
| does.
|
| I hope we can get out of that nonsense and tackle cyber
| issues with actual technological investments as it should
| and can be done.
| loeg wrote:
| The technology solution here is not allowing Karen from
| HR to have a password at all and instead using something
| like Yubikey + FIDO, which can't be phished.
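The claim above that FIDO credentials "can't be phished" rests on origin binding, and the model below is an added illustration of that mechanism; it is not code from the thread or from any FIDO vendor. It is a deliberately simplified WebAuthn assertion flow: an HMAC over a per-credential secret stands in for the real authenticator's asymmetric signature, the relying party `example.com` and the look-alike host `example-com.login.invalid` are constructed, and the browser is modelled as deriving the rpId from the page's actual origin, which is the property a phishing page cannot override.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Assumed relying party (constructed for this example): the genuine login site.
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"


class Authenticator:
    """Simplified FIDO2 authenticator: one credential secret per relying-party id.
    A real key holds a private key and exports only the public key; HMAC over a
    shared secret stands in for that signature so the example runs with the stdlib."""

    def __init__(self):
        self._credentials = {}

    def register(self, rp_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._credentials[rp_id] = secret
        return secret  # the RP stores this as its verification material

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        secret = self._credentials.get(rp_id)
        if secret is None:
            return None  # no credential was ever registered for this rpId
        # authenticatorData = rpIdHash || flags (user-presence bit set)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"
        sig = hmac.new(secret, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get_assertion(auth: Authenticator, page_origin: str, challenge: str):
    """What the browser does: rpId and the origin field in clientDataJSON come from
    the page's real origin, not from anything the page claims about itself."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    result = auth.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    if result is None:
        return None
    auth_data, sig = result
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(secret: bytes, expected_challenge: str, assertion) -> str:
    """Relying-party checks in the order WebAuthn specifies; returns 'ok' or the
    name of the first failing check."""
    if assertion is None:
        return "no_credential"
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "bad_type"
    if cd.get("challenge") != expected_challenge:
        return "bad_challenge"
    if cd.get("origin") != RP_ORIGIN:
        return "bad_origin"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "bad_rp_id_hash"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return "bad_signature"
    return "ok"


def legitimate_login() -> str:
    auth = Authenticator()
    secret = auth.register(RP_ID)
    challenge = secrets.token_urlsafe(32)
    return rp_verify(secret, challenge, browser_get_assertion(auth, RP_ORIGIN, challenge))


def relayed_phishing_login() -> str:
    """A look-alike site relays the genuine challenge to the user. The browser still
    derives rpId from the look-alike's origin, so the key finds no credential and
    nothing is signed; there is no secret for the user to hand over."""
    auth = Authenticator()
    secret = auth.register(RP_ID)
    challenge = secrets.token_urlsafe(32)
    lookalike = "https://example-com.login.invalid"  # constructed; reserved TLD
    return rp_verify(secret, challenge, browser_get_assertion(auth, lookalike, challenge))


def tampered_client_data() -> tuple:
    """Even a client that can choose the rpId still signs over the origin it is on:
    presented as-is the RP rejects the origin, and rewriting the origin after the
    fact breaks the signature."""
    auth = Authenticator()
    secret = auth.register(RP_ID)
    challenge = secrets.token_urlsafe(32)
    lookalike = "https://example-com.login.invalid"
    honest_cd = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": lookalike}, sort_keys=True
    ).encode()
    auth_data, sig = auth.get_assertion(RP_ID, hashlib.sha256(honest_cd).digest())
    as_is = rp_verify(secret, challenge,
                      {"clientDataJSON": honest_cd, "authenticatorData": auth_data, "signature": sig})
    rewritten_cd = honest_cd.replace(lookalike.encode(), RP_ORIGIN.encode())
    rewritten = rp_verify(secret, challenge,
                          {"clientDataJSON": rewritten_cd, "authenticatorData": auth_data, "signature": sig})
    return as_is, rewritten
```

The three scenario functions return `"ok"`, `"no_credential"` and `("bad_origin", "bad_signature")` respectively. What the model leaves out is the part the rest of the thread goes on to discuss: the credential is bound to the origin, but the enrollment and re-enrollment path that issues a new key to someone claiming to have lost theirs is outside this check entirely and needs its own identity-proofing controls.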
| bluGill wrote:
| Which is great until someone who might or might not
| really be "Karen from HR" says they lost their Yubikey
| and needs a new one. This workflow must exist, but it is
| generally easy for an attacker to get authenticated by
| that system.
| loeg wrote:
| That is a significantly higher barrier than phishing.
| bluGill wrote:
| The only part of what you said that disagrees with me is
| the words "just false". I don't know how to ensure "Karen
| from HR" doesn't fall for those things, but training is
| clearly not enough (or at least current training, I'm not
| hopeful for future efforts but...). Either way, since the
| attack wasn't against something a programming language can
| protect against no amount of fixing programming languages
| will help.
|
| We need to come up with answers that work despite humans not
| being perfect. This is a hard problem. (what gets hard is
| sometimes someone will lose/forget a key and so you need
| to issue a replacement but only to the correct person)
| waihtis wrote:
| I wrote a different reply initially but I think we agree
| after all, and I misinterpreted your original post.
| ixaxaar wrote:
| _Any_ org? Would, for example, openai be included in your
| definition of "any org"?
|
| Look, "in principle" stuff is not how the real world works.
| AFAIK, hacks happen mostly because of carelessness. No one
| cares because no one cares if they care (and the
| compensations etc reflect that). I know enough such cases in
| fintech (forget about other verticals), which are mostly
| stupid like wrong RBAC, open firewall, AWS keys taken by
| roommate etc and not public of course.
| nradov wrote:
| Foreign governments are almost certainly trying to insert
| intelligence agents as employees in OpenAI, and other high
| profile technology companies. We already know that Saudi
| intelligence infiltrated Twitter. There are likely many
| other such agents in other companies.
|
| https://www.nbcnews.com/tech/security/former-twitter-
| employe...
|
| There are certain security measures which can minimize
| insider threats. But ultimately it's just hard to guard
| against agents who are willing to commit felonies in order
| to carry out their missions. Even defense industry
| companies which have tight security over classified
| information have been repeatedly penetrated.
| Veserv wrote:
| Yes. _Any org_. A few million dollars guarantees you
| unrestricted access to any network-connected system.
|
| The upper bound of security is unable to make attacks with
| a 10 M$ return unprofitable. Raising the lower bar just
| raises the barrier to entry for new participants, it does
| not stop existing ones.
|
| Most attacks do use basic techniques since a 10 M$ payout
| on 10 K$ cost is still better than 10 M$ payout on 1 M$
| cost. No point wasting the good stuff when the basic and
| cheap stuff works just as well. But if you get rid of all
| the cheap ways in they will still attack using the more
| expensive stuff since the payout is still wildly
| profitable.
| qaq wrote:
| Almost 90% of breaches start with an email, so the code your
| developers write has very little to do with the primary attack
| vector. You have to realize that a well-resourced APT like,
| say, APT-29 actually runs research labs where, among other
| things, they test their exploits against all top-tier
| endpoint security solutions. So if you are a target of a
| well-resourced group, they are going to get in.
| nradov wrote:
| There's no evidence that this attack was due to poor UHG
| developer quality. It appears to have been an infrastructure
| security vulnerability in the Change Healthcare business unit,
| which UHG acquired just last year.
| peteradio wrote:
| > It appears to have been an infrastructure security
| vulnerability in the Change Healthcare business unit
|
| UHG developers would be responsible for the infrastructure
| right? And wouldn't Change have been brought under the UHG
| network?
| infamouscow wrote:
| I worked in healthcare tech for 10 years.
|
| I would bet my life savings UHG developers pleaded with
| management for years to get the resources they desperately
| need to resolve these problems, but management ignored
| every request because it didn't have any external impact.
|
| Management in healthcare tech is comprised entirely of some
| of the most mind boggling idiots on Earth, whose only
| qualification might be being an adult, since their ability
| to read, write, and comprehend information is universally
| worse than a child. This is without exception, in my
| experience.
| willcipriano wrote:
| Step one: ask for resources until you stop getting them
|
| Step two: avoid all accountability for anything that ever
| happens as the resources offered to you are finite
| nradov wrote:
| No, developers aren't responsible for infrastructure. Most
| large enterprises have separate specialized positions for
| sysadmin, networking, storage, firewalls, etc.
| adventurer wrote:
| Pretty sure they aim to outsource 70% going forward so this
| isn't as clever a joke as you would hope.
| peteradio wrote:
| > The Biden administration announced Wednesday that it has
| launched an investigation into the company due to the
| "unprecedented magnitude of the cyberattack."
|
| Let the coverup begin, well actually they probably started wiping
| days after the attack.
| briffle wrote:
| The 2 old datacenters are still sitting there with Mandiant
| doing a full investigation since the attack started.
|
| They have been migrating all their services for that business
| they bought to the cloud, and have already started turning up
| several services.
| eli wrote:
| To be clear: they haven't "lost" any money here. They probably
| genuinely owe providers $2B. They just don't know exactly how
| much until the billing systems are back online, at which point
| they'll reconcile.
| hammock wrote:
| Thoughts and prayers to their accounting department
| jollofricepeas wrote:
| Yes.
|
| These are the payments owed by plans.
|
| UnitedHealth is also advancing money to some providers as well.
|
| See: https://www.unitedhealthgroup.com/ns/changehealthcare.html
| pwizzler wrote:
| A drop in the bucket compared to how much they normally transact,
| but it _sounds_ like good PR.
| cellis wrote:
| Wow aol is still a thing? Just a news site? Brings me back...
| ethbr1 wrote:
| Noticed this a few years ago too.
|
| Expect there was too much traffic to the domain for the current
| owner to abandon.
|
| The Wayback machine on it, through the decades, is fascinating
| if you're curious.
| autoexec wrote:
| AOL was the Google of its day. It _was_ the internet for most
| people. Even the strongest giants can fall. It gives me hope
| for a future where someone asks "Wow Google is still a thing?"
| dragonwriter wrote:
| > It was the internet for most people.
|
| It wasn't, though. It was the largest, but never majority
| (except that I think it peaked with an absolute majority of
| CDs pressed by AOL CDs, which was an achievement, I guess.)
| FredPret wrote:
| The healthcare market in the US is crazy. UnitedHealth has
| revenues of $90B _per quarter_, up from $20B 15 years ago:
| https://valustox.com/UNH
|
| They only make a 6% margin, but still. That's a ton of cash.
| ericmcer wrote:
| The health insurance industry makes more money than the oil
| industry. It isn't a coincidence that most of our taxes go to
| healthcare and the top grossing industries are all built around
| it.
| lotsofpulp wrote:
| Oil business earns far more profit at far higher profit
| margins. Exxon alone earns more profit than all managed care
| organizations (health insurance companies) some years.
|
| Revenue that is 95% paid to vendors and employees is not an
| interesting statistic, on a company level.
| takinola wrote:
| The US has a population of 300 million people. This works out
| to just $300 per person per quarter (or $1,200 annually). Given
| almost 20% of the population is over 65 (old people really put
| up the healthcare cost numbers) and the sophistication of our
| healthcare system (we have the tech to keep you alive or
| prolong your life despite pretty hairy stuff happening to you),
| it is not a very surprising number. The real question is how to
| afford it all.
| drozycki wrote:
| Aren't you conflating UnitedHealthcare with the US healthcare
| industry? Your point still stands, just off by under an order
| of magnitude.
| takinola wrote:
| Yes, you are correct. UHC has 15% of the insurance market
| so my numbers are (roughly) off by an order of magnitude.
| ChrisArchitect wrote:
| Actual release from Monday:
|
| https://www.unitedhealthgroup.com/newsroom/2024/2024-03-18-u...
|
| (https://news.ycombinator.com/item?id=39750378)
| BillSaysThis wrote:
| From the press release, this paragraph is making me hit the
| exploding head emoji many times:
|
| "To assist care providers whose finances have been disrupted by
| the cyberattack, the company has advanced more than $2 billion
| thus far through multiple initiatives. The company recognizes the
| high level of fragmentation of the U.S. health system can result
| in uneven experiences, therefore it continues to enhance and
| expand funding support to make it easier for care providers to
| access funding help at no cost. To further assist care providers,
| the company also suspended prior authorizations for most
| outpatient services and utilization review of inpatient
| admissions for Medicare Advantage plans."
___________________________________________________________________
(page generated 2024-03-21 23:01 UTC)