In a letter to federal regulators, Senator Ron Wyden highlighted the recent cyberattack on Change Healthcare, a UnitedHealth Group (UHG) subsidiary, claiming it was a result of negligent practices, and calling for an investigation into the company’s cybersecurity protocols. Wyden has criticized UHG for appointing what he views as an underqualified Chief Information Security Officer (CISO), linking this decision to significant cybersecurity lapses.
Wyden’s letter highlights what he believes are the lasting negative repercussions for the public due to poor decision-making by UHG’s leadership, drawing parallels with the infamous SolarWinds breach. He emphasizes the urgent need for holding UHG’s senior executives accountable for failing to adopt industry-standard cybersecurity measures, which has endangered consumers, investors, and national security.
Why it matters: Given the highly sensitive nature of the data that healthcare organizations manage, implementing rigorous and comprehensive cybersecurity measures is paramount to safeguarding personal and medical information from today’s cyber threats. Senator Wyden’s claims about the lack of effective cybersecurity protocols at UHG have highlighted potential issues in how the healthcare industry approaches corporate governance and risk management.
- Criticism of CISO Appointment: Wyden criticized UHG’s decision to appoint Steven Martin, an individual without full-time cybersecurity experience, as its Chief Information Security Officer. The breach, whose estimated cost exceeds a billion dollars, not only disrupted UHG’s operations but also jeopardized the well-being of countless individuals relying on the company’s services and medication delivery.
- Cyberattack on Change Healthcare: The attack on Change Healthcare, which exposed the lack of multi-factor authentication (MFA) on remote access servers, triggered significant operational disruptions and cast a harsh spotlight on UHG’s cybersecurity practices. That spotlight only intensified when Senator Wyden highlighted the company’s failure to meet the basic security standards, such as implementing MFA, that the Federal Trade Commission (FTC) mandates for financial services.
- Call for Federal Investigation: Wyden urged the FTC and Securities and Exchange Commission (SEC) to investigate UHG’s cybersecurity practices to determine if any federal laws were violated and to hold any liable senior officials accountable.