How Data Inference Could Expose Customer Information: The Case of UnitedHealth Breach

In 2024, we’ve seen several high-profile data breaches that have caused tangible and widespread damage to companies and their customers. One of the hardest-hit industries is also one of our most critical: healthcare. The UnitedHealth data breach has had ripple effects since the initial news hit earlier this year.

It was recently revealed that the data breach will impact a large portion of the American people, and up to one in three Americans may have had their information compromised. This has been one of the worst healthcare breaches ever, and as the consequences keep emerging, the grim truth of exposing this personal data becomes clear.

This is what an expert had to say:

Clyde Williamson, Product Manager, Protegrity, said, “Months after the initial breach, UnitedHealth is still dealing with the long-term impacts of BlackCat’s infiltration into their networks. We’re now learning that personal identifiable information (PII), personal health information (PHI), and billing information were all part of this incident.

While in this instance no complete patient information has been exposed, billing information can be just as revealing for a customer’s private medical procedure. For example, this information could include details on a prescribed drug, a specialist seen, or even an out-of-state charge for a medical procedure when recent legal changes may make this legally problematic.

Not only do these kinds of incidents expose some PII data, but they also expose inferences that can be made with that data.

Stolen data has a wide-reaching and long tail of impact, and there are often subsequent breaches years after a primary attack. There’s no way to know for sure that either party involved actually deleted the stolen PII and PHI, but we can be sure that broader bad actors had access to this information for a period of time.

Double extortion scenarios can haunt these organizations for years, meaning prevention is the best defense. UnitedHealth has already started the arduous process of creating a website for impacted customers. We must stop hoping layered defenses can stop threat actors from stealing our information while internally leaving it in clear text. Data de-identification methods offer flexibility and foresight benefits that render sensitive data useless for these groups.

We need to remove the most significant source of ransom value to avoid these costs and strains on both organizations and their customers, even in instances of data exfiltration.”

