UnitedHealth leaders 'should be held responsible' for installing inexperienced CISO, senator says

Sen. Ron Wyden unloaded on UnitedHealth Group (UHG) in a letter to regulators on Thursday, calling for the company’s leaders to “be held responsible” for negligence connected to the ransomware attack on Change Healthcare. 

In the four-page letter, Wyden (D-OR) compared the incident to the compromise of SolarWinds and said UnitedHealth’s senior executives and board of directors “must be held accountable” for a cascade of reckless decisions — most notably having a chief information security officer who had not worked in a fulltime cybersecurity role before he was elevated to the job in June 2023.

“One likely reason for UHG’s negligence, and the company’s failure to adopt industry-standard cyber defenses, is that the company’s top cybersecurity official appears to be unqualified for the job,” Wyden said, referencing CISO Steven Martin. 

“Due to his apparent lack of prior experience in cybersecurity, it would be unfair to scapegoat Mr. Martin for UHG’s cybersecurity lapses. Instead, UHG’s CEO and the company’s board of directors should be held responsible for elevating someone without the necessary experience to such an important role in the company, as well as for the company’s failure to adopt basic cyber defenses,” the senator wrote. 

Wyden is chairman of the Finance Committee, which has some jurisdiction over healthcare issues. In the letter, he urged the Federal Trade Commission (FTC) and U.S. Securities and Exchange Commission (SEC) to take action against UnitedHealth. 

CEO Andrew Witty told Congress earlier this month that a third of all Americans may have had information stolen by the ransomware actors, who are believed to be based in Russia. 

Wyden called the incident a disaster and said patients “have been directly harmed” — with millions spending weeks without critically needed medication. Hundreds of providers had to close or take out loans to survive the nearly two month-stretch the company spent offline. 

The letter said UnitedHealth’s leaders were reckless in several ways. The hackers broke into the company through a remote access server that was not protected with multi-factor authentication (MFA). Witty has said MFA policies were waived for servers running older software. 

Wyden noted that UnitedHealth still has not explained how access to one server enabled the hackers to shut down the Change Healthcare platform — which handled about 1 in 3 medical records and processed about half of all medical claims in the U.S.

Wyden referenced the FTC’s enforcement actions against alcohol delivery platform Drizly and education technology company Chegg as examples of companies that faced penalties for violating FTC rules around “failure to use appropriate information security practices to protect consumers’ personal information.”

For the SEC, Wyden noted that the incident severely harmed UnitedHealth’s investors and the healthcare industry more widely. The SEC’s controversial case against SolarWinds’ CISO for the company’s handling of the Russian attack on its software is an example of companies facing charges for cybersecurity negligence, according to Wyden.

“I urge the FTC and SEC to investigate UHG’s numerous cybersecurity and technology failures, to determine if any federal laws under your jurisdiction were broken, and, as appropriate, hold these senior officials accountable,” he said. 

The SEC did not respond to requests for comment, and the FTC said it received the letter but declined to comment.