A US Senate committee chair is urging the administration of President Joe Biden to hold UnitedHealth Group (UHG) accountable for negligent cybersecurity practices in a ransomware attack against subsidiary Change Healthcare that disrupted medical payment and claims processing across the US.
In an open letter to the Federal Trade Commission (FTC) and US Securities and Exchange Commission (SEC), Senate Finance Committee chair Ron Wyden described the breach as “completely preventable and the direct result of corporate negligence.”
During Congressional testimony last month, UHG chief executive Andrew Witty said that cybercriminals first hacked into Change Healthcare’s network after logging into a remote access server unprotected by multifactor authentication. The cybercriminals expanded their reach into the compromised network and stole tens of millions of confidential files before deploying the ALPHV/BlackCat ransomware.
Cybersecurity experts faulted UHG for failing to deploy multifactor authentication (MFA) — a basic enterprise access control — across Change Healthcare’s servers. UHG acquired Change Healthcare in October 2022.
Letter blames inexperienced security leadership
Steven Martin, UHG’s chief information security officer, was appointed in June 2023. “He had not worked in a full-time cybersecurity role before he was elevated to the top cybersecurity position at UHG,” according to Wyden.
“Although Mr. Martin has decades of experience in technology jobs, cybersecurity is a specialized field, requiring specific expertise,” Wyden said.
While drawing attention to possible shortcomings in the experience of its senior cybersecurity staff, Wyden laid the blame for the hugely disruptive Change Healthcare ransomware attack squarely at the feet of its board.
“The cyberattack against UHG could have been prevented had UHG followed industry best practices,” Wyden said in a statement. “UHG’s failure to follow those best practices, and the harm that resulted, is the responsibility of the company’s senior officials including UHG’s CEO and board of directors. While UHG has not yet made public the full details of this incident, UHG’s failure to require MFA is unlikely to be the company’s only cybersecurity lapse.”
UHG did not respond to requests by CSO for comment.
Disaster recovery plan had shortcomings
Wyden further faulted UHG for shortcomings in its disaster recovery plan. Change Healthcare’s systems had to be rebuilt from scratch, and the disruption of its services — including medical and dental claims and remittances, and prior authorization for prescriptions — lasted for weeks after the attack.
UHG took an $872-million charge in the first quarter of fiscal 2024 to budget for its response to the ransomware attack, with $593 million spent on accelerated payments and interest-free loans to help providers affected by the disruption. The remainder is going towards rebuilding Change Healthcare’s systems, establishing improved security controls and hiring external security consultants.
UHG also paid a $22-million ransom in Bitcoin to cybercriminals.
Attack against SolarWinds cited as precedent to the Change Healthcare incident
In calling for the SEC to investigate UHG, Sen. Wyden said that the investigation of the 2022 SolarWinds supply chain attack had established a precedent that “cybersecurity practices are important to every publicly traded company”.
In October 2023, the SEC took the then-unprecedented step of suing SolarWinds and its CISO for alleged misstatements and control failures related to the cyberattack. The lawsuit, which remains ongoing, is controversial and opposed by cybersecurity industry leaders who describe it as counterproductive because it might discourage companies from cooperating with governments and sharing threat intelligence.
Wyden argued that potential investors were left in the dark about the true state of UHG’s cybersecurity practices, contending that the healthcare giant had failed to take reasonable safeguards in protecting its assets.
The FTC has required financial services companies to adopt MFA since 2021 and encourages other enterprises to introduce the technology.
Potential action by either the SEC or FTC is perhaps the least of UHG’s immediate regulatory and compliance concerns, which more likely centre on charges it may have violated strict healthcare sector privacy regulations.
The US Department of Health and Human Services (HHS) has already initiated an investigation into the cyberattack on Change Healthcare, focusing on the potential exposure of protected health information.