Senator urges SEC, FTC to probe UnitedHealth's vulnerability to ransomware attack

U.S. Sen. Ron Wyden says the massive hack on the company's Change Healthcare subsidiary was preventable.

A top Democrat in Congress wants the U.S. Securities and Exchange Commission and the Federal Trade Commission to investigate the ransomware attack on UnitedHealth Group’s Change Healthcare subsidiary.

Senate Finance Committee Chair Ron Wyden, D-Ore., last week wrote to FTC Chair Lina Khan to ask her to look at UnitedHealth’s failures to adopt cybersecurity measures recommended by the FTC.

He asked SEC Chair Gary Gensler to examine the role of UnitedHealth’s top executives and directors in failing to establish a stronger cybersecurity program.

“The cyberattack against UHG could have been prevented had UHG followed industry best practices,” Wyden wrote in the letter.

The FTC and SEC should determine if UnitedHealth broke any federal laws under their jurisdiction and, if so, hold senior officials accountable, Wyden said.

What it means: Companies’ fear of becoming the “next Change Healthcare” could lead to changes in cybersecurity arrangements at many of the systems that benefit plans and benefits professionals use.

UnitedHealth announced the Change acquisition in 2021 and completed the deal in 2022.

Change helps hospitals, physicians, insurers and employer-sponsored health plans with tasks such as sending out bills and processing benefits claims. Before the ransomware attack, half of all U.S. health insurance claims passed through a Change health claim clearinghouse system.

The ALPHV ransomware gang got into a Change server in February and used access to that server to get into other company systems.

Change paid the hackers a ransom, but some stolen data showed up on the web anyway.

UnitedHealth responded to the attack by shutting down the Change systems and rebuilding them from scratch.

The Senate Finance Committee brought UnitedHealth CEO Andrew Witty in for a hearing in May. Committee members blasted Witty for not being able to tell them how many people’s records were stolen.

Members also blasted UnitedHealth for not protecting the breached server with multi-factor authentication, a system that forces users to do more than enter their passwords to verify their identity.

The ransomware gang that attacked Change likely has “sensitive health data about a substantial portion of the population,” including military personnel and other government employees, Wyden wrote in the letter.

“Those records could be exploited by adversary countries, like China and Russia, to cause serious harm to U.S. national security,” Wyden said.

He also cited the harm done to patients and providers when some Change systems stayed offline for two months.

Wyden said that he doubts the lack of MFA protection of the server was UnitedHealth’s only cybersecurity lapse.

“Hackers gaining access to one remote access server should not result in a ransomware infection so serious that the company must rebuild its digital infrastructure from scratch,” Wyden said.

UnitedHealth has not revealed how the hackers moved from one server to other company systems, but the most sensitive servers should have been walled off from the other servers, he said.

He noted that UnitedHealth’s cybersecurity chief at the time of the hack was a technology executive with no significant cybersecurity experience.

The cybersecurity chief’s lack of cybersecurity experience was a symptom of weak board cybersecurity oversight, Wyden said.

“One likely explanation for this board-level oversight failure is that none of the board members have any meaningful cybersecurity expertise,” Wyden said.