June 13, 2024

Wyden Urges Biden Administration to Investigate UnitedHealth Group's Negligent Cybersecurity

Washington, D.C. – Senate Finance Committee Chair Ron Wyden, D-Ore., sent a letter to Federal Trade Commission (FTC) Chair Lina S. Khan and U.S. Securities and Exchange Commission (SEC) Chair Gary Gensler urging the agencies to hold UnitedHealth Group (UHG) accountable for negligent cybersecurity practices, which caused substantial harm to consumers, investors, the health care system, and U.S. national security.

UHG announced that the computer systems of its subsidiary Change Healthcare were infected with ransomware on February 21, 2024. In addition, the company publicly stated that sensitive data may have been stolen, including information on military personnel and other U.S. government employees. As a result of the cyberattack, providers have gone without pay and have been forced to take out loans, use personal funds, and even close. Patients have been unable to collect prescriptions from pharmacies and have lost access to care. Adversary countries, such as China and Russia, could also exploit stolen records and cause serious damage to U.S. national security.

“This incident and the harm that it caused was, like so many other security breaches, completely preventable and the direct result of corporate negligence,” Wyden wrote. “UHG has publicly confirmed that the hackers gained their initial foothold by logging into a remote access server that was not protected with multi-factor authentication (MFA). MFA is an industry-standard cyber defense that protects against hackers who have guessed or stolen a valid username and password for a system.”

“The cyberattack against UHG could have been prevented had UHG followed industry best practices. UHG’s failure to follow those best practices, and the harm that resulted, is the responsibility of the company’s senior officials including UHG’s CEO and board of directors,” Wyden continued. “Accordingly, I urge the FTC and SEC to investigate UHG’s numerous cybersecurity and technology failures, to determine if any federal laws under your jurisdiction were broken, and, as appropriate, hold these senior officials accountable.”

The SEC set a major precedent in 2023 by holding SolarWinds' chief information security officer responsible for the company's lax cybersecurity. In contrast, Wyden urged regulators not to scapegoat UHG's head of cybersecurity, who had not worked in a full-time cybersecurity role before being elevated to lead cybersecurity for UHG. Instead, Wyden urged regulators to hold the company's CEO and its board of directors responsible.

UHG Chief Executive Officer Andrew Witty testified before the Senate Finance Committee on May 1, 2024, revealing that MFA, a basic cyber defense, was not in place at the time of the cyberattack. The FTC has previously punished other companies for failing to secure their systems with MFA, including the alcohol delivery platform Drizly and the education technology company Chegg.

A copy of the letter text is here.

###