UnitedHealth cybersecurity breach deserves federal probe – Sen. Wyden
Sen. Ron Wyden (D-Ore.), chairman of the Senate Finance Committee, has called on the FTC and SEC to investigate what he calls “negligent cybersecurity practices” that led to the February ransomware attack on UnitedHealth Group (NYSE:UNH).
The attack, on the company’s Change Healthcare unit, impacted its ability to pay providers. It was also reported that UnitedHealth paid a ransom of $22M to the hackers.
“This incident and the harm that it caused was, like so many other security breaches, completely preventable and the direct result of corporate negligence,” Wyden wrote in a May 30 letter to FTC Chair Lina Khan and SEC Chair Gary Gensler. “UHG has publicly confirmed that the hackers gained their initial foothold by logging into a remote access server that was not protected with multi-factor authentication.”
He noted that the FTC has required companies in other industries to require multi-factor authentication.
Wyden argued that UnitedHealth is likely guilty of other cybersecurity lapses. “Hackers gaining access to one remote access server should not result in a ransomware infection so serious that the company must rebuild its digital infrastructure from scratch. UHG has not revealed how the hackers gained administrative privileges and moved laterally from that first server to the rest of the company’s technology infrastructure.”
The senator added that the company’s chief information security officer, Steven Martin, is likely unqualified for the job, as he had never held a full-time cybersecurity role before being tapped to lead cybersecurity in June 2023.
Wyden concluded by saying the cyberattack could have been prevented had UnitedHealth (UNH) followed cybersecurity best practices.