UnitedHealth hires cybersecurity veteran as new CISO

UnitedHealth Group has hired a new cybersecurity chief about eight months after a ransomware attack on its subsidiary Change Healthcare caused disruptions across the medical industry and brought backlash from Congress.

Tim McKnight said on Tuesday that he officially joined UnitedHealth Group as CISO, taking over for Steven Martin, who is now serving as the company’s chief restoration officer. 

McKnight spent eight years as an FBI agent before taking on top cybersecurity roles at Northrop Grumman, Fidelity, General Electric, Thomson Reuters, SAP and other companies. He also was chairman of the board for the Internet Security Alliance and has served in various board positions within IBM, Palo Alto Networks, Amazon Web Services, Google and Tenable.

“I’m thrilled to share that I’ve officially joined UnitedHealth Group as Chief Information Security Officer,” he said in a LinkedIn post. 

“I look forward to partnering with Rupert Bondy and collaborating with an incredible team as we continue to advance our cybersecurity strategy and safeguarding critical information in support of helping people live healthier lives and improving the health system for everyone.”

UnitedHealth Group’s CEO faced withering criticism during a Congressional hearing in May, where several senators said UnitedHealth’s senior executives and board of directors “must be held accountable” for its decisions — most notably having a chief information security officer who had not worked in a fulltime cybersecurity role before he was elevated to the job in June 2023.

“One likely reason for UHG’s negligence, and the company’s failure to adopt industry-standard cyber defenses, is that the company’s top cybersecurity official appears to be unqualified for the job,” Sen. Ron Wyden (D-OR) said, referencing Martin. 

“Due to his apparent lack of prior experience in cybersecurity, it would be unfair to scapegoat Mr. Martin for UHG’s cybersecurity lapses. Instead, UHG’s CEO and the company’s board of directors should be held responsible for elevating someone without the necessary experience to such an important role in the company, as well as for the company’s failure to adopt basic cyber defenses,” the senator wrote. 

Wyden went on to urge the Federal Trade Commission (FTC) and U.S. Securities and Exchange Commission (SEC) to take action against UnitedHealth for leaving Martin in the role and for several other notable cybersecurity failings that led to the February ransomware attack.

The incident — which UnitedHealth said last week affected more than 100 million Americans — devastated the U.S. healthcare industry for months, leaving hospitals and doctors without a way to process insurance claims for critical drugs.