The chairman of the Senate Finance Committee is pushing for two federal agencies to investigate the Minnetonka-based UnitedHealth Group subsidiary Change Healthcare over IT security issues, as he continues to press the company over a massive cyberattack earlier this year.
Democratic Senator Ron Wyden of Oregon has called for an investigation by the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) after UnitedHealth Group (UHG) CEO Andrew Witty testified on May 1 that hackers accessed a portal that did not have multi-factor authentication protections.
“This incident and the harm it caused, like so many other security breaches, was entirely preventable and is the direct result of corporate negligence,” Wyden wrote to officials on May 30.
“UHG has publicly acknowledged that the hackers gained an initial foothold by logging into a remote access server that was not protected by multi-factor authentication (MFA),” he wrote. “MFA is an industry-standard cyber defense that protects systems from hackers who guess or steal valid usernames and passwords for those systems.”
The hack, which occurred in February, caused significant disruption to claims processing systems at pharmacies and medical facilities across the country.
The company defended its response to the incident, citing industry-wide challenges with cybersecurity.
“The vicious criminal attack on Change Healthcare, as well as other recent cyberattacks on health systems, underscore the need to strengthen cyber defenses and improve resilience, and we look forward to working with policymakers and other stakeholders to help develop strong, practical solutions,” UnitedHealth Group said in a statement. “The fact that we responded quickly and effectively to this attack is a testament to our commitment to strong cybersecurity.”
UnitedHealth Group is Minnesota's largest company by revenue and the fourth-largest in the United States by that measure. Its UnitedHealthcare division is the nation's largest health insurer.
Although final estimates have not yet been released, the company has said the breach potentially touches the personal information of one in three Americans. More than 20 lawsuits have been filed against UnitedHealth Group so far as a result of the breach.
In his letter, Wyden called on federal agencies to hold UnitedHealth Group's CEO and board of directors accountable for the problems.
The senator wrote that it was “unfair to scapegoat” the company's chief cybersecurity officer, Steven Martin, because he “has never held a full-time cybersecurity position.” The company said Martin “is a respected leader within the cybersecurity community and [chief information security officer] During my 30+ year career, I have worked in operations in a variety of roles.”
UnitedHealth Group also took issue with comments in Wyden's letter that the company's board lacks sufficient expertise on cybersecurity issues.
UnitedHealth Group added that Change Healthcare's systems are being rebuilt and restored and that the majority of claims from providers are currently being processed.
But Wyden said the size and scope of Change Healthcare's restructuring effort suggest there are other issues worth investigating.
“Even if a hacker gains access to a single remote access server, it is unlikely that it would result in a ransomware infection severe enough to require a company to completely rebuild its digital infrastructure,” Wyden wrote.
“UHG has not disclosed how the hacker gained administrative privileges and moved laterally from the first server to the rest of the company's technology infrastructure,” he added, “but cybersecurity best practice is to have multiple lines of defense and wall off the most sensitive servers within an organization, especially to prevent this type of incident.”