Senator Urges SEC, FTC to Probe UnitedHealth’s Vulnerability to Ransomware

U.S. Senator Ron Wyden says the massive hack on the company’s Change Healthcare subsidiary was preventable.


A top Democrat in Congress wants the U.S. Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) to investigate the ransomware attack on UnitedHealth Group’s (UHG’s) Change Healthcare subsidiary.

Senate Finance Committee Chair Ron Wyden, D-Oregon, last week wrote to FTC Chair Lina Khan to ask her to look at UnitedHealth’s failures to adopt cybersecurity measures recommended by the FTC. He also asked SEC Chair Gary Gensler to examine the role of UnitedHealth’s top executives and directors in failing to establish a stronger cybersecurity program.

“The cyberattack against UHG could have been prevented had UHG followed industry best practices,” Wyden wrote in the letter. The FTC and SEC should determine whether UnitedHealth broke any federal laws under their jurisdiction and, if so, hold senior officials accountable, Wyden said.

What it means: Fear among companies in the healthcare space of becoming “the next Change Healthcare” could lead to changes in cybersecurity arrangements at many of the systems that corporate benefits plans use.

UnitedHealth announced the Change Healthcare acquisition in 2021 and completed the deal in 2022. Change Healthcare helps hospitals, physicians, insurers, and employer-sponsored health plans with tasks such as sending out bills and processing benefits claims. Before the ransomware attack, half of all U.S. health insurance claims passed through a Change Healthcare claim clearinghouse system.

The ALPHV ransomware gang got into a Change Healthcare server in February and used access to that server to get into other company systems. Change Healthcare paid the hackers a ransom, but some stolen data showed up on the web anyway. UnitedHealth responded to the attack by shutting down the Change Healthcare systems and rebuilding them from scratch.

The Senate Finance Committee brought UnitedHealth CEO Andrew Witty in for a hearing in May. Committee members blasted Witty for not being able to tell them how many people’s records were stolen. Members also blasted UnitedHealth for not protecting the server that was breached with multifactor authentication (MFA), which requires users to do more than enter a password to verify their identity.

The ransomware gang that attacked Change Healthcare likely has “sensitive health data about a substantial portion of the population,” including military personnel and other government employees, Wyden wrote in the letter. “Those records could be exploited by adversary countries, like China and Russia, to cause serious harm to U.S. national security.”

Wyden also cited the harm done to patients and providers when some Change Healthcare systems stayed offline for two months.

He said he doubts the lack of MFA protection on the server was UnitedHealth’s only cybersecurity lapse. “Hackers gaining access to one remote access server should not result in a ransomware infection so serious that the company must rebuild its digital infrastructure from scratch,” Wyden said. UnitedHealth has not revealed how the hackers moved from one server to other company systems, but the most sensitive servers should have been walled off from the other servers, he added.

Wyden noted that UnitedHealth’s cybersecurity chief at the time of the hack was a technology executive with no significant cybersecurity experience. That lack of cybersecurity expertise was a symptom of weak board cybersecurity oversight, Wyden said. “One likely explanation for this board-level oversight failure is that none of the board members have any meaningful cybersecurity expertise,” Wyden said.



From: BenefitsPRO