Senator Wyden calls for investigation into UnitedHealth cybersecurity vulnerabilities

The chairman of the Senate Finance Committee is pushing two federal agencies to investigate Minnetonka-based UnitedHealth Group over IT security problems at its Change Healthcare subsidiary, putting pressure on the company that suffered a highly disruptive cyberattack earlier this year.

Senator Ron Wyden (D-Oregon) called for investigations by the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) after Andrew Witty, CEO of UnitedHealth Group (UHG), testified on May 1 that hackers accessed a portal that lacked multi-factor authentication protection.

“This incident and the damage it caused, like so many other safety breaches, were entirely preventable and the direct result of the company’s negligence,” Wyden wrote to authorities on May 30.

“UHG has publicly confirmed that the hackers gained their initial access by logging into a remote access server that was not protected with multi-factor authentication (MFA),” he wrote. “MFA is an industry-standard cyber defense that protects against hackers who guess or steal a valid username and password for a system.”

The hack occurred in February and caused significant disruption to the claims processing systems of pharmacies and healthcare providers across the country.

The company defended its response to the incident, citing industry-wide cybersecurity challenges.

“The vicious criminal attack on Change Healthcare – as well as other recent cyberattacks on the healthcare system – underscore the need to strengthen cyber defenses and increase resilience, and we look forward to working with policymakers and other stakeholders to develop strong, practical solutions,” UnitedHealth Group said in a statement. “The fact that the company responded quickly and effectively to this attack is a testament to our company’s commitment to strong cybersecurity.”

UnitedHealth Group is Minnesota’s largest company by revenue and the fourth-largest company in the United States by the same measure. The company’s UnitedHealthcare division is the largest health insurer in the country.

Final estimates are not yet available, but the company has stated that the data theft could affect the personal information of up to one in three Americans. As a result, more than two dozen lawsuits have been filed against UnitedHealth Group so far.

In his letter, Wyden called on federal authorities to hold UnitedHealth Group’s CEO and board accountable for the problems.

The senator wrote that it would be “unfair to scapegoat Steven Martin, the company’s top cybersecurity officer” because he “did not hold a full-time cybersecurity position” before taking the job at United. The company countered that Martin was “a highly respected leader within the cybersecurity community and (as chief information security officer) has led operations in a number of roles over his 30-plus year career.”

UnitedHealth Group also disputed comments in Wyden’s letter that the company’s board lacked necessary expertise on cybersecurity issues.

UnitedHealth Group said the systems at Change Healthcare are being rebuilt and restored. The vast majority of healthcare providers’ payment claims are currently being processed.

However, Wyden said the scale and scope of the company’s rebuilding efforts at Change Healthcare suggested there were other issues that required investigation.

“If hackers gain access to a remote access server, it should not result in a ransomware infection so severe that the company has to rebuild its digital infrastructure from scratch,” Wyden wrote.

“UHG did not disclose how the hackers gained administrative privileges and moved from that first server into the rest of the company’s technical infrastructure,” he added. “However, cybersecurity best practices are to have multiple lines of defense and to cordon off the most sensitive servers in an organization to prevent these types of incidents.”