It’s called PHI, or protected health information, and a recent ransomware attack put that very valuable data at high risk of public exposure. Change Healthcare, a subsidiary of insurance titan UnitedHealth Group, was the target of such an attack. The company provides its services to a massive number of hospitals, doctors, and pharmacies across the U.S., involving untold amounts of PHI belonging to roughly half of all Americans.

The Big Deal Steal

The company performs billing and insurance processing for a huge swath of healthcare-related services across the U.S. for an estimated 100+ million Americans. The company reports losing $827 million due to the attack so far, estimating the total damage at more than $1 billion by the time all is accounted for.

Although the company was not quick to inform customers as to exactly what was compromised, there are common elements collected as part of patient PHI. Those valuable nuggets of data include patient name; insurance ID number; physical, email and IP address; birthdate; Social Security number; driver’s license info; payment data; full-face photo; history of physical and/or mental health conditions and treatment.

Although paying a ransom is not advised, a UnitedHealth spokesperson said they paid the ransom demand to a new threat group called RansomHub “to protect patient data from disclosure.” However, they wouldn’t confirm the amount. Rumors are swirling about the price tag being $22 million in bitcoin.

Staying Ransom-Safer

In this case, RansomHub tipped-off Change Healthcare about the attack by posting a smattering of patient PHI and a few of the company’s internal files on the dark web. Keeping systems and software patched and up to date can prevent an unknown flaw like this one from being exploited. Doing regular system backups separate from the system lessens the threat from ransomware and can restore a business back to working order with minimum downtime.

Cyber-educating employees is a big part of staying out of ransomware’s way. In particular, email phishing is a hacker favorite and also the way 91% of all cyberattacks begin. A cyber-smart employee can stop an attack before it starts.

There are numerous organizations that can provide employee education these days. If you’re in charge of your organization’s data, take the time to determine the best option for you. It might be to hire someone to provide it within the organization, but it may also mean finding a company to provide it for you. Just remember to do it on a regular basis, which means more than annually. As we’ve come to know, threats continue to change all the time. One and done just isn’t healthy.

Although Change Healthcare experienced this attack and paid a hefty ransom, by now we know those whose PHI was stolen pay the ultimate price. It’s hard to put a price tag on their valuable PHI being in the hands of ruthless criminals. Yes, the ransom was paid with the hope to get their data back. However, can criminals be trusted? That’s the question and it’s likely the answer is “No.”