On the heels of the massively disruptive Change Healthcare ransomware attack earlier this year, Sen. Ron Wyden (D-Ore.) is calling on the SEC and FTC to investigate the “negligent cybersecurity practices” of parent company UnitedHealth Group.
The question of accountability has emerged in the months after the February ransomware attack that led to disruptions in patient care and delays in prescription orders across the country, as well as the compromise of the health and personally identifiable data of an estimated one-third of Americans. In his letter to FTC Chair Lina Khan and SEC Chair Gary Gensler on Thursday, Wyden said that UnitedHealth, its senior executives and its board of directors should all be held responsible.
“The cyberattack against UHG could have been prevented had UHG followed industry best practices,” according to Wyden’s letter. “UHG’s failure to follow those best practices, and the harm that resulted, is the responsibility of the company’s senior officials including UHG’s CEO and board of directors. Accordingly, I urge the FTC and SEC to investigate UHG’s numerous cybersecurity and technology failures, to determine if any federal laws under your jurisdiction were broken, and, as appropriate, hold these senior officials accountable.”
One security gap on Change Healthcare’s end that helped actors achieve initial access was the failure to enable multi-factor authentication (MFA) on a Citrix remote access portal account. Threat actors behind the attack were able to access this account, which didn’t have MFA, through compromised credentials. In government hearings earlier in May, UnitedHealth Group CEO Andrew Witty presented varying, conflicting statements about the company’s MFA policy. Witty first said the company’s policy was to have MFA for externally facing systems, but that the policy had not been in place at the time of the hack, and later said that the MFA policy was not all-encompassing for external servers, and instead included exceptions for older technology that had been upgraded.
Beyond the lack of MFA, however, Wyden said that security best practices should rely on multiple lines of defense, and it’s still unclear how threat actors achieved administrative privileges and lateral movement after gaining initial access.
“Hackers gaining access to one remote access server should not result in a ransomware infection so serious that the company must rebuild its digital infrastructure from scratch,” said Wyden. “In addition to the company’s cybersecurity failures, the company also clearly failed to plan for ransomware and to ensure that its digital infrastructure could be promptly restored in hours or days, rather than weeks.”
“In addition to the company’s cybersecurity failures, the company also clearly failed to plan for ransomware and to ensure that its digital infrastructure could be promptly restored in hours or days, rather than weeks.”
Wyden also pointed to a lack of expertise and understanding of cybersecurity from UnitedHealth’s senior executives and board members. While many boards of directors today are trying to better understand issues like risk assessment and security strategy, by creating dedicated security committees or adding members with security expertise, none of UnitedHealth’s board members have “any meaningful cybersecurity expertise,” said Wyden. At the same time, said Wyden, UnitedHealth’s CISO Steven Martin had not previously held a full-time security role, instead working in various technology jobs at UnitedHealth and Change before he landed the CISO role in June 2023.
However, “due to his apparent lack of prior experience in cybersecurity, it would be unfair to scapegoat Mr. Martin for UHG’s cybersecurity lapses,” said Wyden. “Instead, UHG’s CEO and the company’s board of directors should be held responsible for elevating someone without the necessary experience to such an important role in the company, as well as for the company’s failure to adopt basic cyber defenses.”
UnitedHealth is already under investigation by the Department of Health and Human Services’ Office for Civil Rights, which in March announced it was looking at whether protected health information was compromised in the ransomware attack.
The FTC and SEC have previously been involved with security investigations across various industries. The FTC, which requires financial services companies to adopt MFA under its Safeguards Rule, has previously ordered companies like alcohol marketplace platform Drizly and education tech company Chegg to take specific security actions after security failures at these companies led to breaches. The SEC, meanwhile, has taken the approach of looking at how organizational security gaps impact investors. In 2023, for instance, the SEC filed a lawsuit against SolarWinds and its CISO after the 2020 SolarWinds attacks, alleging that they made false statements to investors about the company’s security risks and vulnerabilities.
When asked for comment, UnitedHealth Group said: "The malicious criminal attack on Change Healthcare – as well as other recent cyberattacks on the health system – underscores the need to fortify cyber defenses and strengthen resilience, and we look forward to working with policymakers and other stakeholders in helping develop strong, practical solutions."
"The fact that the company moved quickly and effectively in response to this attack is testament to our company’s commitment to strong cybersecurity. UnitedHealth Group has an experienced board with effective, broad-based skills in risk management, including cybersecurity," according to UnitedHealth Group. "Members of the Audit and Finance Committee, which oversees the company’s cybersecurity program, have experience with cybersecurity and in leading organizations operating in industries facing significant cybersecurity risks."
An SEC spokesperson said that Gensler will respond to members of Congress directly. An FTC spokesperson, meanwhile, said that the FTC received the letter but did not have any comment.
Article Link: Wyden: SEC, FTC Should Investigate UnitedHealth’s ‘Negligent’ Security Practices | Decipher