Fraud Management & Cybercrime , Healthcare , Industry Specific
Senator Urges FTC, SEC to Investigate UHG's Cyberattack
Asks Agencies Not to 'Scapegoat' Firm's CISO, But to Hold CEO and Board AccountableU.S. Sen. Ron Wyden, D-Ore., is urging the U.S. Securities and Exchange Commission and the Federal Trade Commission to open investigations into the February cyberattack on UnitedHealth Group's Change Healthcare unit and asking the agencies to hold the company's CEO and board responsible.
See Also: Identity Security Trailblazers - Health First
In a letter to the SEC and FTC on Thursday, Wyden - who is chair of the Senate Finance Committee - urged the agencies to scrutinize UnitedHealth Group's "negligent cybersecurity practices" and said the attack on Change Healthcare "caused substantial harm to consumers, investors, the healthcare industry and U.S. national security."
"The company, its senior executives and board of directors must be held accountable," Wyden said.
Wyden also advised the agencies to focus their attention on UnitedHealth Group CEO Andrew Witty and the company's board of directors and hold them ultimately responsible for the cybersecurity failures that contributed to the incident - and not UnitedHealth Group CISO Steven Martin.
Martin had not worked full-time in a cybersecurity role before he was elevated to the top cybersecurity post at UHG in June, 2023, after holding positions at UHG and Change Healthcare, Wyden said.
"One likely reason for UHG's negligence, and the company's failure to adopt industry-standard cyber defenses, is that the company's top cybersecurity official appears to be unqualified for the job," Wyden said.
Although Martin has decades of experience in technology jobs, "cybersecurity is a specialized field, requiring specific expertise," Wyden said.
"Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest healthcare company in the world should not be someone’s first cybersecurity job," he said.
"Due to his apparent lack of prior experience in cybersecurity, it would be unfair to scapegoat Mr. Martin for UHG's cybersecurity lapses. Instead, UHG's CEO and the company's board of directors should be held responsible for elevating someone without the necessary experience to such an important role in the company, as well as for the company's failure to adopt basic cyber defenses."
Witty testified before two congressional hearings on May 1 - one held by the Senate Finance Committee, which Wyden chairs, and the other by the House Energy and Commerce Committee's Oversight and Investigations Subcommittee (see: Lawmakers Grill UnitedHealth Group CEO on Change Healthcare Attack).
During those hearings, Witty testified that it was a UHG policy to use multifactor authentication for all externally facing systems, but in certain situations involving older technologies, there are other security controls as a compensatory factor.
"The consequences of UHG's apparent decision to waive its MFA policy for servers running older software are now painfully clear," Wyden said. "But UHG's leadership should have known, long before the incident, that this was a bad idea."
Wyden in his letter reminded the FTC that it has required companies in other industries to implement MFA, among other cybersecurity best practices, and that the FTC has specifically required financial services companies regulated by the agency to adopt MFA as part of the 2021 update to the Safeguards Rule.
The FTC has also required several companies to use phishing-resistant MFA in two 2022 cases, against the alcohol delivery platform Drizly and the education technology company Chegg, Wyden said.
"In both cases, the FTC held that the companies' failure to use appropriate information security practices to protect consumers' personal information was an unfair business practice that violated Section 5 of the FTC Act."
UnitedHealth Group's Witty testified at the hearings that the incident potentially affected about one-third of the U.S. population but so far, the company has not publicly reported a data breach.
"The malicious criminal attack on Change Healthcare - as well as other recent cyberattacks on the health system - underscores the need to fortify cyber defenses and strengthen resilience," UnitedHealth Group said in a statement to Information Security Media Group on Friday.
"We look forward to working with policymakers and other stakeholders in helping develop strong, practical solutions. The fact that the company moved quickly and effectively in response to this attack is testament to our company's commitment to strong cybersecurity," the statement said.
"UnitedHealth Group has an experienced board with effective, broad-based skills in risk management, including cybersecurity. Members of the Audit and Finance Committee, which oversees the company's cybersecurity program, have experience with cybersecurity and in leading organizations operating in industries facing significant cybersecurity risks."
An FTC spokeswoman confirmed that agency received Wyden's letter but declined ISMG's request for further comment.
The SEC did not immediately respond to ISMG's request for comment on Wyden's letter.