Senator calls for federal probes of UnitedHealth for negligent cyber practices
Sen. Ron Wyden, D-Ore., asked leaders of the Federal Trade Commission and Securities and Exchange Commission to investigate UnitedHealth for faulty cybersecurity practices that led to a major hack of the healthcare giant’s Change Healthcare unit earlier this year, his office said Thursday.
The Feb. 21 cyberattack against Change — one of the largest healthcare processing systems in America — was claimed by the ALPHV/Blackcat ransomware gang. Among several reverberations, the incident caused delayed prescription fillings and cash crunches at rural clinics and hospitals.
The company made a $22 million ransom payment, a decision ultimately made by UnitedHealth CEO Andrew Witty. Not all stolen data, which may have included sensitive health information on U.S. military personnel, has been recovered, Witty testified in an early May hearing, noting that about a third of Americans may have been affected in the incident.
The hackers used stolen credentials and broke into a Change Healthcare server that was not protected by multifactor authentication, a digital method which validates whether a user is fraudulently impersonating someone else when logging into a platform.
“The cyberattack against UHG could have been prevented had UHG followed industry best practices. UHG’s failure to follow those best practices, and the harm that resulted, is the responsibility of the company’s senior officials including UHG’s CEO and board of directors,” Wyden said in the missive addressed to SEC Chairman Gary Gensler and FTC Chairwoman Lina Khan.
“Accordingly, I urge the FTC and SEC to investigate UHG’s numerous cybersecurity and technology failures, to determine if any federal laws under your jurisdiction were broken, and, as appropriate, hold these senior officials accountable,” it added.
The hack had massive cascading effects in what was arguably the largest cyberattack on the U.S. healthcare industry to date. Some 36% of respondents to an American Medical Association survey conducted between March 26 and April 3 experienced claim payments suspensions, while 32% said they were unable to submit claims altogether.
Financial regulators are not new to cybersecurity investigations. An SEC case against SolarWinds, which was the subject of a major 2020 hack that targeted multiple federal institutions, alleged the company’s CISO enabled internal control failures that misled investors about the security posture of the IT provider’s systems.
A 2021 update to the FTC’s Safeguards Rule required financial services companies regulated by the consumer protection agency to adopt multifactor authentication. Relatedly, digital health services that store sensitive personal health information will be required to notify their users of data breaches under new FTC enforcement rules that take effect later this summer.
The criticality of the healthcare sector has made it a popular target for ransomware attacks. A separate hack into Ascension’s healthcare network earlier this month has crippled multiple hospitals’ operations over the past several weeks, forcing ambulances to divert as staff take IT systems offline, according to reports.