U.S. senator seeks investigation of cybersecurity lapses at UnitedHealth Group

The chair of the Senate Finance Committee is pushing two federal agencies to investigate Minnetonka-based UnitedHealth Group over IT security problems at its Change Healthcare subsidiary, keeping pressure on the company for a hugely disruptive cyberattack this year.

Sen. Ron Wyden, D-Ore., urged reviews by the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) after UnitedHealth CEO Andrew Witty testified on May 1 that hackers had accessed a portal that lacked multifactor authentication protections.

“This incident and the harm that it caused was, like so many other security breaches, completely preventable and the direct result of corporate negligence,” Wyden wrote to the agencies on Thursday.

“[UnitedHealth] has publicly confirmed that the hackers gained their initial foothold by logging into a remote access server that was not protected with multifactor authentication,” he wrote. “[Multifactor authentication] is an industry-standard cyber defense that protects against hackers who have guessed or stolen a valid username and password for a system.”

The hack, which occurred in February, significantly disrupted the claims processing system for pharmacies and health care providers across the country.

The company defended its response to the breach and cited industrywide challenges with cybersecurity.

“The malicious criminal attack on Change Healthcare — as well as other recent cyberattacks on the health system — underscores the need to fortify cyber defenses and strengthen resilience, and we look forward to working with policymakers and other stakeholders in helping develop strong, practical solutions,” UnitedHealth Group said in a statement.

“The fact that the company moved quickly and effectively in response to this attack is testament to our company’s commitment to strong cybersecurity.”

UnitedHealth Group is Minnesota’s largest company by revenue and the fourth-largest in the United States by the same measure. The company’s UnitedHealthcare division is the nation’s largest health insurer.

Final estimates aren’t yet available, but the company has said the breach could involve the personal information of up to 1 of 3 Americans. The fallout has included more than two dozen lawsuits against UnitedHealth Group.

In his letter, Wyden urged the federal agencies to hold UnitedHealth Group’s CEO and board of directors accountable for the problems.

The senator wrote it would be “unfair to scapegoat” Steven Martin, the company’s top cybersecurity official, because he “had not worked in a full-time cybersecurity role” before rising to the job at United.

The company countered that Martin “is a well-respected leader within the cyber security community and has overseen [chief information security officer] operations in a number of roles during his 30+ year career.”

UnitedHealth Group also disputed comments in Wyden’s letter that the company’s board of directors lacks meaningful expertise with cybersecurity matters.

Change Healthcare systems are being rebuilt and restored, UnitedHealth Group has said, adding that the vast majority of claims for payment from health care providers now are being processed.

Wyden, however, said the size and scope of the company’s rebuilding efforts at Change Healthcare suggests there were other problems worthy of investigation.

“Hackers gaining access to one remote access server should not result in a ransomware infection so serious that the company must rebuild its digital infrastructure from scratch,” Wyden wrote.

“[UnitedHealth Group] has not revealed how the hackers gained administrative privileges and moved laterally from that first server to the rest of the company’s technology infrastructure,” he added.

“However, cybersecurity best practices are to have multiple lines of defense, and to wall off the most sensitive servers in an organization, specifically to prevent this type of incident.”