UnitedHealth’s ‘negligent’ cybersecurity needs FTC, SEC scrutiny, Wyden says

By Eleanor Laise

Agencies should investigate ‘completely preventable’ attack that harmed consumers and investors, lawmaker says

Senate Finance Committee chair Ron Wyden on Thursday called on the Federal Trade Commission and Securities and Exchange Commission to investigate UnitedHealth Group’s “negligent cybersecurity practices” in light of the cyberattack on the company’s Change Healthcare unit.

The hack “caused substantial harm to consumers, investors, the health care industry, and U.S. national security,” Wyden, an Oregon Democrat, said in a letter to FTC chair Lina Khan and SEC chair Gary Gensler. UnitedHealth, its senior executives and board of directors “must be held accountable,” Wyden wrote.

Asked for comment on the letter, UnitedHealth said in a statement, “we look forward to working with policymakers and other stakeholders in helping develop strong, practical solutions” to strengthen cyber defenses. “The fact that the company moved quickly and effectively in response to this attack is testament to our company’s commitment to strong cybersecurity,” UnitedHealth said.

Gensler “will respond to members of Congress directly,” an SEC spokesperson told MarketWatch. The FTC did not immediately respond to a request for comment on Wyden’s request.

The attack on Change, a major healthcare-claims clearinghouse, started in February and is considered the biggest cybersecurity disruption to healthcare in U.S. history. Hackers first gained entry to Change’s systems through a portal that was not protected by multi-factor authentication, UnitedHealth CEO Andrew Witty told lawmakers at a hearing earlier this month.

Calling the incident “completely preventable,” Wyden noted in the letter that the FTC has required companies in other industries to implement multi-factor authentication, a standard cybersecurity measure.

Wyden also said in the letter that UnitedHealth’s board-level oversight had likely failed because “none of the board members have any meaningful cybersecurity expertise.” UnitedHealth said in the statement Thursday that members of its audit and finance committees “have experience with cybersecurity and in leading organizations operating in industries facing significant cybersecurity risks.”

“Patients have been directly harmed” by the cyber disruption, Wyden wrote in the letter Thursday, as some people could not collect prescriptions from pharmacies and some providers cut hours or closed altogether to manage the outage.

Sensitive health data may have also been stolen, Wyden wrote. UnitedHealth said in late April that exposed files contained protected health data or personally identifiable information “which could cover a substantial proportion of people in America.” The company said it would offer free credit monitoring and identify theft protections to anyone impacted.

The significant costs and negative headlines related to the attack have also harmed investors, Wyden wrote. The SEC has previously made clear, he said, that cybersecurity practices are important to every publicly traded company.

On Wednesday, UnitedHealth shares fell sharply after company executives at an investor conference discussed the Change hack affecting their visibility into patients’ utilization of healthcare services, along with headwinds in its Medicaid business and other issues.

UnitedHealth’s stock (UNH) fell 0.8% Thursday morning and has dropped 8.7% in the year to date, while the S&P 500 SPX has gained 10%.

-Eleanor Laise

This content was created by MarketWatch, which is operated by Dow Jones & Co. MarketWatch is published independently from Dow Jones Newswires and The Wall Street Journal.

(END) Dow Jones Newswires

05-30-24 1054ET

Copyright (c) 2024 Dow Jones & Company, Inc.