I really don't understand how this level of consolidation has been allowed in the healthcare market. I was affected by this, couldn't get prescriptions filled for 4 days. Turns out I'm not alone -- 100m people? That's 1/3rd of America's population!
There is no competition in the marketplace. We need to either nationalize them or break them up. These ransomware groups are small-time compared to a nation-state adversary in wartime. At this point it's a national security issue.
This is one of those companies that has middleware or back office apps that are common to many health care providers. Many different markets have their own unique apps or places where data can accumulate. I remember when paper checks were still used, a small number of companies existed to receive and catalog checks and update the accounts accordingly. I visited some, and they looked like they were spun off from bank(s) to unload the cost of what was going to be a disappearing operation. Really bare bones, disarray, and access to a lot of interesting data. Another app I found interesting was for closing mortgages. There aren't many of those, and the ones that did exist were in a lot of places and were a complete shambles, data everywhere, written in the early 2000s.
"Change Healthcare Inc. (known as Emdeon before rebranding in 2015, which followed its acquisition of Change Healthcare) is a provider of revenue and payment cycle management that connects payers, providers, and patients within the U.S. healthcare system. The name also refers to a company founded in 2007 which subsequently became part of the current conglomerate." https://en.wikipedia.org/wiki/Change_Healthcare
Part of the neoliberal consensus that replaced progressive liberalism in the 1970s and 80s is a revisionist reframing of antitrust law in which all monopolies are judged solely by the yardstick of consumer welfare. Problem is, very few monopolies actually harm consumer welfare. Bigger businesses are able to deliver lower prices - at least initially - because they suck the redundancy out of the market. Ergo, consolidation is good actually and antitrust is self-defeating.
Of course, those prices will creep up eventually, once the causal link between the consolidation and the market power has been sufficiently obscured. Look at "inflation" - every business was able to blame "supply chain issues" (that they caused by removing redundancies) during COVID to extract unthinkable price increases out of the public. Because every business has only two or three real competitors, all of whom have extreme levels of class discipline and will agree to lie their asses off to the public.
This level of consolidation was allowed because your politicians stabbed you in the back in the name of the """free""" market.
> Look at "inflation" - every business was able to blame "supply chain issues" (that they caused by removing redundancies) during COVID to extract unthinkable price increases out of the public.
Are you implying there were no supply chain difficulties? China wasn't under heavy lockdown for months on end? There weren't ports with months of backlog? Factories weren't closed due to lockdowns or outbreaks all around the world? That civilian aviation ground to almost a complete halt for a few months, and the cargo it used to carry now didn't need to find an alternative route?
Anyone trying to pin a singular reason for the inflation spikes after Covid is at best misinformed and arguing in bad faith. Covid wrecked supply chains, Russia's invasion of Ukraine wrecked a number of important raw materials' markets (oil, gas, nickel, grain, etc.), the Houthis' shenanigans impacted the Suez Canal, droughts impacted the Panama Canal. Sprinkle a heavy dose of corporate greed and voilà, inflation.
"The biggest study of ‘greedflation’ yet looked at 1,300 corporations to find many of them were lying to you about inflation" – https://fortune.com/europe/2023/12/08/greedflation-study/
> The biggest perpetrators were energy companies like Shell, Exxon Mobil, and Chevron, which were able to enjoy massive profits last year as demand moved away from Russian oil and gas.
> Food producers including Kraft Heinz realized their own profit surges. The war in Ukraine rocked global grain supplies and fertilizer prices, significantly increasing the cost of food, which remains sticky.
Funny, in both cases external causes made the global prices go up, so specific companies used the opportunity to increase their prices because there was less competition on the market.
Headline: "many of them were lying to you about inflation"
Actual article:
> A joint study by think tanks IPPR and Common Wealth found profiteering by some of the world’s biggest companies forced prices up significantly higher than costs during 2022.
> [...]
> While this obviously contributed to rising prices, the report finds that company profits increased at a much faster rate than costs did, in a process often dubbed “greedflation.”
Where's the "lying"?
Doesn’t everyone sell at the highest price they can, without regard for their COGS?
I don’t break out my household expenses when I negotiate pay at a new employer.
The meat of the article is basically "profit margins went up". The same arguably happened for software engineers. By the same logic, there should be headlines of "The biggest study of ‘greedflation’ yet looked at 1,300 software engineers to find many of them were lying to you about inflation".
Imagine you own a grocery store in a small town. The only one, in fact, and the nearest competitor is a 30 minute drive.
You, being a free market enthusiast, decide to test how much the market will bear, and raise your prices across the board.
Your customers, who are also your neighbors and friends, respond by socially ostracizing you.
This doesn’t exist at scale, because the people responsible for the unnecessary price hikes live far away from their customers, and do not intend to ever meet them, much less explain themselves.
People should price products to make a fair profit, one where both parties are satisfied. I don’t begrudge a car salesperson for selling me a car at above their cost, but I do if it’s wildly marked up.
I don’t have to imagine, I do it every day. I sell my services for the most amount of money I think I can get.
Of course, if I am selling services or goods with lots of repeat business, it might behoove me to not piss off the customers and hence incentivize me to keep my price lower (which is still optimizing for the most money I think I can get, just over the long term rather than short term). If I am selling land or a business, then I am maximizing for that specific transaction, even if my profit margin is 100,000%.
When you get a job offer, and you respond back with a request for an additional $20k per year or whatever, that is doing the same thing.
> make a fair profit
What is fair is an opinion. For people living in huts, a 1,000 sq ft Soviet style apartment bloc with plumbing is unfair. And for people living in Soviet style apartment blocs, a modern 5 over 1 apartment building is unfair. And then you might find a detached single family home unfair. And then you might find a 3k sq ft home unfair.
And so on and so forth.
> Are you implying there were no supply chain difficulties? China wasn't under heavy lockdown for months on end?
I think they were more stating that consolidation, which often results in a reduction in redundancies in the system, made the supply chain issues worse than they otherwise would have been. Consolidation can increase the instances of single points of failure.
For a smaller scale example: in 2016 flooding took a biscuit factory out of action for a time, and suddenly you couldn't get bourbon biscuits (and a few other varieties) anywhere. It turns out that all the UK supermarkets (except Sainsbury IIRC) and some big-name brands were supplied by that one factory¹, so they all had a stoppage of supply at the same time, and those being supplied from elsewhere were out of stock too because the remaining smaller supplies could not ramp up production to meet the new demand². The consolidation that brings more efficiency when all is well can make things worse when something goes wrong.
----
[1] This also led to “I told you so” comments from some of us, to people who were suddenly asking “if the ones I buy come from the same place, exactly the same production line, why have I been paying 25p/pack more for them?”.
[2] And even if they could, it would have been a bad business decision because once that big factory was back online the market wouldn't bear the new excess of supply, meaning prices would drop, potentially below cost where margins are tight.
There is competition in the marketplace, see Waystar and Availity.
They protect themselves by being publicly traded. Stop whining and start investing.
So would this count as 1 instance or 100M instances of HIPAA violations? Last I checked the penalty is $50k per violation...
Seriously. From what I've learned United needs the axe more than many corporations. Somewhere below Nestle, but above BP maybe?
It’s *up to* 50k per violation. Like most large scale violations of anything, it’s effectively “we’ll fine whatever we want”.
First it would have to be proven that data is leaked. Each proven leak is worth $50k. Mass leak is a compromise of data security. And that comes under a different classification.
Does getting data stolen through no fault of your own count as a HIPAA violation? If negligent security counts, what's the bar?
It does, actually. There are four tiers [0], with unknowing violation at the bottom, followed by reasonable cause. Personally I’d place this at least at the reasonable cause tier.
[0]: https://www.ama-assn.org/practice-management/hipaa/hipaa-vio...
My kid had their first data breach at 2 months old due to a healthcare company we've never heard of having their data and losing it to hackers. This whole industry needs to be burned to the ground.
Are they obligated to notify specific customers? How can I know if my data was in the hack?
I got a mailer that states this.
At first, I didn't even know who Change was - they're well in the bowels of the stack.
Usual free credit monitoring etc.
At what point can we sue, especially if basic security practices like 2FA are not enabled?
> At what point can we sue, especially if basic security practices like 2FA are not enabled?
And if they are enabled? Do you think this will make any difference? We have, at work (Microsoft), 2FA enabled with Windows Hello. At setup it wanted to set a numeric PIN. That's all. It asks from time to time about the second factor (Microsoft Authenticator) and that's all.
> an expected $2.45 billion
Am I reading that ransom payout correctly? Or are "losses" divided among other things?
I always wonder that maybe someone can convince these health companies, clinics, etc... to start using Qubes OS for their network connected office computers. Maybe that could prevent a sizeable number of these ransomware attacks?
TLDR: Qubes OS is a security-focused operating system that is geared towards end users. It relies on isolation via the Xen hypervisor (which has much less privileged code than the Linux, Windows, or Mac kernels), and uses hardware-based virtualization features of the CPU as well. E.g. it prevents a compromised network card from accessing the memory of a trusted virtual machine through DMA attacks.
And ultimately it incorporates this isolation into a seamless user interface as well.
I'm guessing the primary feature that would protect against ransomware is that it allows one to open suspicious links in disposable VMs.
With the move of most enterprise software to web interfaces, this could be realistic for some organisation. Others, especially in healthcare, will have odd legacy thick clients developed in obscure languages decades ago that nobody wants to port.
Not sure using a different OS helps the issue, if not making it worse --
* These days hackers have a lot of resources and are often nation-state actors. They utilize 0-day vulnerabilities. I don't see how an obscure OS will do any better than a mainstream OS in terms of detecting and responding to exploits.
* Many hacks actually start with social engineering, and the human becomes the weakest point (well, in some sense, it always has been).
* Users, most of whom are not computer experts, could make more mistakes when they are faced with software/interfaces they are not familiar with. (I'm just making this up, happy to see data that says otherwise.) "Open suspicious links in disposable VMs"? Sure, if they have received enough training and can do it perfectly, every single time, and never confuse the VM and the host environment. I'd say "never open suspicious links, forward the email to IT to help you if needed", or even just filtering untrusted domains in the email, is a much simpler and more effective approach.
I expect you could mitigate 9 out of 10 breaches by staff not giving out their team's shared admin password (which is password123) over the phone to someone who says they are Jim from the CEO's office who needs to check some numbers for the big presentation tomorrow.
Less privileged code would mean fewer zero-day exploits. Qubes relies on an order of magnitude less privileged code than Linux, and I believe Xen has had far fewer escalation-of-privilege exploits than the Linux kernel.
"Open suspicious links in disposable VMs" change that to "Open all links using the appropriate process"
But yeah, the social engineering though...
Think how many companies have been found to have world-accessible S3 buckets. And you think they’re capable of administering Linux, let alone a niche OS like Qubes?
True. I guess the root issue is often much more basic.
Has there been any organisation to successfully roll this out, ever?
It’s great for security, but useless from a productivity standpoint.
> UnitedHealth says data of 100M stolen in Change Healthcare hack
"Privacy matters to Change Healthcare, so we follow a privacy framework that helps us to manage and protect your personal information in the products and services we provide."
I guess this speaks for itself. /s
Definitely: all the other text in that image is AI-garbled. You can also tell, because the company name is not correctly stylized, nor is the correct font used, nor is their logo visible here. This is just a 100% fake AI building with some low-effort text slapped on afterwards.
Why did they not actually bother to use a photograph of UHC's building? What did you expect from a site called "bleepingcomputer dot com"?