By Penny Cagan, Lecturer in the Enterprise Risk Management Program, School of Professional Studies
I am an operational risk professional who has spent some portion of my career tracking operational risk losses. I founded one of the first operational risk event databases in the industry and managed operational risk event programs in large financial institutions. I teach operational risk through the Enterprise Risk Management program, where I bring examples of current events to my class each week.
A recent event that serves as a reminder of how operational risk has consequences for every industry has impacted me personally. My heart sank when I received a notice from UnitedHealthcare that my personal data was compromised through a ransomware attack. The letter from UnitedHealth indicated that insurance, health, billing, and personal data were compromised through an attack on UnitedHealth Group’s Choice subsidiary. There is nothing more confidential and personal than the data that was exposed. I am in good company because the estimate is that approximately 110 million people may have been impacted by this event, including many Columbia employees and students.
Ransomware fraudsters are increasingly attacking health-care companies, and UnitedHealth is one of several recent examples. Attacks on health-care companies are especially troubling because of the deeply personal information that is exposed. There are industry examples of bad actors demanding ransomware payments not only from the companies they attacked but also from their patients, who may not want their personal information to be made widely available to their employers, family, and community.
The story of UnitedHealth is also a complicated one concerning whether a ransom should be paid in exchange for alleged safe retrieval of data. In March 2024, a ransomware group called AlphV claimed credit for the attack and threatened to leak the company’s data if a $22 million payment in Bitcoin was not received. The event disrupted delivery of prescription drugs and processing of medical claims by pharmacies and medical practices. UnitedHealth confirmed that it paid the ransom to protect patient data.
In a noteworthy but unsurprising coda considering who UnitedHealth had dealt with, an entity called RansomHub, emerged a month after the ransom was paid claiming it had access to the compromised data, which it posted to its dark-web site. It threatened to sell the data to the highest bidder if UnitedHealth did not pay an unspecified second ransom, which the company may have paid, though this is unverified.
Health-care companies are vulnerable to such attacks because they collect highly personal information that organizations may be willing to buy back with urgency through ransom arrangements. Health-care organizations, including hospitals and medical centers, have often underinvested in controls. UnitedHealth allegedly failed to fully implement multi-factor authentication, which is a basic multilayered control used to protect a firm’s data from bad actors. UnitedHealth CEO Andrew Witty told the U.S. Senate in May 2024 that the company has now enabled multi-factor authentication on all the company’s external-facing systems.
The UnitedHealth event is a cautionary tale for how at risk we all are. It does not take a leap of imagination for a bad actor with access to confidential health information to attempt to blackmail a public official or corporate executive. Next time you check in for a medical appointment and are asked for your date of birth, Social Security number, and health history, you may want to ask about the organization’s cybersecurity controls.
About the Program
The Master of Science in Enterprise Risk Management (ERM) program at Columbia University prepares graduates to inform better risk-reward decisions by providing a complete, robust, and integrated picture of both upside and downside volatility across an entire enterprise.
