Sen. Ron Wyden (D-Ore.), a frequent critic of the technology industry on digital privacy matters, blasted the CEO of UnitedHealth Group (UHG) for appointing a CISO whom Wyden deemed “unqualified,” a decision he claims likely contributed to the recent ransomware debacle.
In letters to FTC Chairman Lina Khan and SEC Chairman Gary Gensler, Wyden sharply criticized UHG and implored regulators to investigate the health care company's numerous failings leading up to the ransomware attack that shut down services across the US.
One of the high-profile missteps, according to the senator, involved CISO Steven Martin, who was appointed by UHG in 2023. Wyden justified his position by pointing out that Martin had never held a security-specific role in his career, despite being highly experienced in other technology roles.
“While Martin has decades of experience working in technology, cybersecurity is an area of expertise requiring special expertise,” Wyden said in the letter [PDF].
“Just as a heart surgeon should not be hired to perform brain surgery, being head of cybersecurity for the world's largest medical company should not be someone's first cybersecurity job.”
Martin was hired by UHG in 2020 as vice president of enterprise technology after serving as acting CEO at GE Digital. At GE, he also served as chief digital officer for GE Power and chief commercial officer for GE Digital, according to his profile on the Change Healthcare website.
Previously, Martin spent 14 years at Microsoft in a variety of roles including data science and customer acquisition, and moved to Redmond after many years in marketing roles in technology companies.
Wyden said it's unfair to pin all of the blame for the company's security failings on the CISO, however; responsibility instead lies with CEO Andrew Witty and the board for putting Martin in the position in the first place.
Upskilling has long been hailed as one promising solution to the cybersecurity industry’s skills shortage, but it’s probably not something you can rely on at the highest levels.
In addition to pointing out the hiring gaffes, Wyden also highlighted the lack of MFA on the remote access server ALPHV used to initially gain access to its network — a point that has been the focus of many critics since Whitty revealed it at a May 1 Senate Finance Committee hearing, with many considering it a weapons-grade lapse.
One such critic is Tom Kellerman, senior vice president of cyber strategy at Contrast Security, who previously said: “I'm astounded that they didn't use multi-factor authentication. I'm astounded that they didn't segment their networks. I'm astounded that they didn't do robust threat hunting on that environment when they knew it was compromised. Frankly, I think that's egregious negligence.”
Wyden further argued that the missing MFA, on its own, should not have been enough to turn an initial foothold into a company-wide ransomware outbreak: a single compromised remote access server is a failure of the first line of defense, and what followed points to the absence of any second one.
“Hackers gaining access to a single remote access server should not result in a ransomware infection so severe that it forces a company to completely rebuild its digital infrastructure,” the senator wrote.
“UHG has not disclosed how the hacker gained administrative privileges and moved laterally from the first server to the rest of the company's technology infrastructure. However, cybersecurity best practices, especially to prevent this type of incident, include having multiple lines of defense and isolating the most sensitive servers within an organization.”
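To make the letter's point about lateral movement concrete, here is an added example in Python; it is not code from the article, from Wyden's letter or from UHG, and every host name, segment and allowed flow in it is constructed for illustration. It models lateral movement as any allowed flow on a remote-execution port (SSH, SMB, RDP, WinRM) and computes how many hosts an attacker holding one remote access server can reach under a flat network policy versus a segmented one that isolates the identity and data tiers.

```python
"""Blast-radius check: how far can one compromised server reach?

Added example; not code from the article, from Wyden's letter or from UHG.
All host names, segments and allowed flows below are constructed for
illustration and do not describe any real network.
"""
from collections import deque

# Remote-execution channels an intruder can use to move between hosts.
LATERAL_PORTS = frozenset({22, 445, 3389, 5985})  # SSH, SMB, RDP, WinRM

# Constructed inventory: host -> network segment it lives in.
HOSTS = {
    "remote-access-01": "dmz",        # the internet-facing remote access server
    "file-01": "corp",
    "app-01": "corp",
    "ad-dc-01": "identity",
    "jump-01": "mgmt",                # admin jump host
    "claims-db-01": "restricted",
    "backup-01": "restricted",
}
SENSITIVE_SEGMENTS = frozenset({"identity", "restricted"})

SEGMENTS = sorted(set(HOSTS.values()))
ALL_PORTS = frozenset({22, 88, 389, 443, 445, 3389, 5985})

# Flat network: every segment may reach every other segment on every port.
FLAT_POLICY = {(s, d): ALL_PORTS for s in SEGMENTS for d in SEGMENTS}

# Segmented policy: (source segment, destination segment) -> allowed ports.
# Any pair not listed is denied.
SEGMENTED_POLICY = {
    ("dmz", "corp"): {443, 3389},        # gateway brokers RDP into the corp tier
    ("corp", "corp"): {445, 3389},       # file shares and RDP among corp hosts
    ("corp", "identity"): {88, 389},     # Kerberos/LDAP auth only, no admin channels
    ("corp", "restricted"): {443},       # app tier talks to the claims API over TLS
    ("mgmt", "identity"): {3389, 5985},  # DC administration only from the mgmt tier
    ("mgmt", "restricted"): {22, 3389},  # DB/backup administration only from mgmt
}


def blast_radius(start, hosts, policy, lateral_ports=LATERAL_PORTS):
    """Return the set of hosts reachable from `start` by lateral movement.

    A hop from host A to host B is possible when the policy allows at least one
    remote-execution port from A's segment to B's segment. Breadth-first search
    over hosts gives the transitive closure, i.e. the blast radius of `start`.
    """
    reached = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        src_seg = hosts[current]
        for host, dst_seg in hosts.items():
            if host in reached:
                continue
            allowed = policy.get((src_seg, dst_seg), frozenset())
            if allowed & lateral_ports:
                reached.add(host)
                queue.append(host)
    return reached


def exposed_sensitive_hosts(start, hosts, policy, sensitive=SENSITIVE_SEGMENTS):
    """Sensitive-tier hosts that fall inside the blast radius of `start`."""
    return {h for h in blast_radius(start, hosts, policy) if hosts[h] in sensitive}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        radius = blast_radius("remote-access-01", HOSTS, policy)
        print(f"{name:9s}: foothold on remote-access-01 reaches "
              f"{len(radius)}/{len(HOSTS)} hosts, sensitive tier exposed: "
              f"{sorted(exposed_sensitive_hosts('remote-access-01', HOSTS, policy))}")
    # The jump host is the one place the segmented policy lets an intruder reach
    # the identity and restricted tiers, so it needs MFA as much as the
    # remote access server does.
    print("jump-01 reaches:", sorted(blast_radius("jump-01", HOSTS, SEGMENTED_POLICY)))
```

Under the flat policy the foothold on the remote access server reaches all seven hosts, domain controller and backups included; under the segmented policy it reaches only the two corp-tier hosts, because the flows into the identity and restricted tiers carry no remote-execution port. The same check run from the jump host shows where the segmented design concentrates risk: the management tier can reach every sensitive server, which is exactly where the second line of defense (MFA, tightly scoped admin accounts, monitoring) has to sit.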
In calling for a thorough regulatory investigation, Wyden cited two previous cases that led to sanctions against companies found to have had lax approaches to data security.
The FTC's 2022 lawsuits against Drizly and Chegg were used as examples of cases where companies make mistakes and customers end up paying the price later. In both cases, the number of Americans affected was significantly smaller than the number affected by the UHG incident.
Alcohol delivery platform Drizly's CEO's “carelessness” led to the personal information of 2.5 million people being exposed, while four blunders at education technology giant Chegg affected 40 million people.
But according to Witty's testimony, the Change Healthcare ransomware incident may have affected roughly one-third of all Americans.
“The cyberattack against UHG could have been prevented if UHG had followed industry best practices,” Wyden concluded in his scathing letter. “UHG's failure to follow best practices, and the resulting damage, are the responsibility of UHG's senior executives, including its CEO and board of directors.”
“Therefore, I urge the FTC and SEC to investigate UHG's numerous cybersecurity and technology failures, determine whether it violated any federal laws under its jurisdiction, and hold these senior officials accountable as appropriate.”