WASHINGTON (KTVZ) — Senate Finance Committee Chairman Ron Wyden (D-Ore.) has sent a letter to Federal Trade Commission Chair Lina S. Khan and U.S. Securities and Exchange Commission Chairman Gary Gensler urging the agencies to hold UnitedHealth Group accountable for negligent cybersecurity practices that have caused significant harm to consumers, investors, the health care system and U.S. national security.
UHG announced on February 21 that the computer systems of its subsidiary, Change Healthcare, had been infected with ransomware. The company also disclosed that sensitive data, including information on military personnel and other U.S. government employees, may have been stolen.
As a result of cyber attacks, health care providers have lost pay, been forced into debt, self-funded, or even shut down. Patients have been unable to get prescriptions filled by pharmacies and have been denied treatment. Adversaries such as China and Russia could also use the stolen records to seriously damage U.S. national security.
“This incident and the damage it caused, like many other security breaches, was entirely preventable and is the direct result of corporate negligence,” Wyden wrote. “UHG has publicly acknowledged that the hackers gained an initial foothold by logging into a remote access server that was not protected by multi-factor authentication (MFA), an industry-standard cyber defense that protects systems from hackers who guess or steal valid usernames and passwords for those systems.”
“The cyberattack against UHG could have been prevented if UHG had followed industry best practices. UHG's failure to follow best practices, and the resulting harm, are the responsibility of the company's senior executives, including UHG's CEO and board of directors,” Wyden continued. “We therefore urge the FTC and SEC to investigate UHG's numerous cybersecurity and technology failures, determine whether they violated the federal laws under their jurisdiction, and hold these senior executives accountable, as appropriate.”
The SEC set a major precedent by holding SolarWinds' chief information security officer responsible for the company's cybersecurity failings in 2023. In contrast, Wyden urged regulators not to scapegoat UHG's cybersecurity chief, who did not hold a full-time cybersecurity position prior to being promoted to UHG's cybersecurity chief. Instead, Wyden called on regulators to hold the company's CEO and board of directors accountable.
UHG CEO Andrew Witty testified before the Senate Finance Committee on May 1, revealing that the company did not have MFA, a basic cyber defense, in place at the time of the cyberattack. The FTC has previously punished companies for not protecting their systems with MFA, including alcohol delivery platform Drizly and education technology company Chegg.