On June 13, 2024, Senate Finance Committee Chair Ron Wyden (D-Ore.) sent a letter to the Federal Trade Commission (FTC) and U.S. Securities and Exchange Commission (SEC) Chairs regarding the February 21 Change Healthcare ransomware attack. Senator Wyden encourages the FTC and SEC Chairs to hold UnitedHealth Group (UHG) responsible for “negligent cybersecurity practices.” He argues that the attack caused significant harm to consumers, UHG investors, the healthcare system, and national security. “This incident and the harm that it caused was, like so many other security breaches, completely preventable and the direct result of corporate negligence,” Wyden wrote in the letter. “UHG has publicly confirmed that the hackers gained their initial foothold by logging into a remote access server that was not protected with multi-factor authentication (MFA). MFA is an industry-standard cyber defense that protects against hackers who have guessed or stolen a valid username and password for a system.”
Rather than placing the responsibility on UHG’s head of cybersecurity, Wyden is urging FTC Chair Lina S. Khan and SEC Chair Gary Gensler to hold UHG’s CEO, Andrew Witty, and its board of directors responsible for the cybersecurity breach. Prior to being elevated to the cybersecurity lead, UHG’s head of cybersecurity had not previously worked in a full-time cybersecurity role. Additionally, on June 5, Senator Wyden wrote a letter to the Department of Health and Human Services (HHS) Secretary Xavier Becerra calling for stronger cybersecurity practices for healthcare companies. “It is clear that HHS’ current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the healthcare system vulnerable to criminals and foreign government hackers. HHS must follow the lead of other federal regulators in mandating cybersecurity best practices necessary to protect the healthcare sector from further, devastating, easily-preventable cyberattacks,” Senator Wyden wrote.