Senator Calls for FTC, SEC Probe Into UnitedHealth’s ‘Negligence’ in Breach
The head of the U.S. Senate's Finance Committee is pushing the Biden Administration to investigate what he called UnitedHealth Group's "numerous cybersecurity and technology" failures that led to the massive ransomware attack in February, which disrupted operations at hospitals and pharmacies around the country and continues to ripple through the health care industry.
In a four-page letter to the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC), Senator Ron Wyden (D-OR) wrote that, beyond the harm the attack inflicted on health care facilities – including hospitals and pharmacies unable to provide care to patients, health care providers going without pay, and some businesses shutting down – the threat to people whose sensitive health data was stolen is ongoing.
The stolen data includes information about military personnel and other government employees, which means the damage could rise to the national security level if adversaries like China or Russia get hold of the records.
“If these health records are made public – as hackers have done in other incidents – it could cause enormous harm to the victims,” Wyden wrote in the letter to FTC Chair Lina Khan and SEC Chair Gary Gensler. “This incident and the harm that it caused was, like so many other security breaches, completely preventable and the direct result of corporate negligence.”
Widespread Damage
Hackers spent at least nine days inside the systems of UnitedHealth (UHG) subsidiary Change Healthcare exfiltrating data before launching the ransomware attack, according to UnitedHealth executives. In an update late last month, they wrote that "the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America."
UnitedHealth has more than 152 million customers, and Change's systems process payments, medical and insurance claims, and prescription orders for hundreds of thousands of hospitals, health care clinics, and pharmacies in the United States. Change reportedly paid the hackers – an affiliate of the notorious BlackCat (also known as ALPHV) ransomware group – a $22 million ransom.
In the chaotic aftermath of the attack, government agencies like the Health and Human Services Department stepped in, but Wyden wants the FTC and SEC to determine whether criminal negligence allowed the attack to happen. The problems include not only failing to have multifactor authentication (MFA) on all of its systems, but also not having the company's infrastructure prepared for a ransomware attack and placing people in sensitive security roles who lacked the necessary experience, he wrote.
“The cyberattack against UHG could have been prevented had UHG followed industry best practices,” Wyden wrote. “UHG’s failure to follow those best practices, and the harm that resulted, is the responsibility of the company’s senior officials including UHG’s CEO and board of directors.”
Where was the MFA?
MFA is a key point. UnitedHealth CEO Andrew Witty testified during a Senate Finance Committee hearing on May 1 that the organization's policy was to have MFA on external-facing systems, but admitted that it wasn't in place companywide at the time of the attack. Testifying before the House Energy and Commerce Committee the same day, Witty said UnitedHealth's MFA policy didn't cover all external servers; some systems were exempted.
"The consequences of UHG's apparent decision to waive its MFA policy for servers running older software are now painfully clear," Wyden wrote, noting that the FTC has required companies in other industries to adopt the security measure since 2021. "But UHG's leadership should have known, long before the incident, that this was a bad idea."
The senator also argued that the infiltration of a single remote access server shouldn’t have led to such a massive attack that forced UnitedHealth to rebuild its infrastructure from scratch, noting that the company “has not revealed how the hackers gained administrative privileges and moved laterally from that first server to the rest of the company’s technology infrastructure. However, cybersecurity best practices are to have multiple lines of defense, and to wall-off the most sensitive servers in an organization, specifically to prevent this type of incident.”
Blame Falls on CEO and the Board
The infrastructure also should have been resilient enough that it could be restored within hours or days of the attack rather than weeks, Wyden wrote. One likely reason it was not, in his view, was UnitedHealth executives' appointment of Steven Martin as CISO last year. Martin has worked in IT for decades – including for UnitedHealth and Change – but never full time in the cybersecurity field.
“Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest health care company in the world should not be someone’s first cybersecurity job,” Wyden wrote.
The blame lies not with Martin but with Witty and UnitedHealth’s directors, who not only appointed him but also failed to follow basic cybersecurity measures, the senator wrote.