Senator Asks Regulators To Sanction UnitedHealth For Lax Cybersecurity
June 13, 2024

In a letter to the heads of the SEC and the FTC, Senator Ron Wyden of Oregon said that UnitedHealth Group’s CEO Andrew Witty and the board bear responsibility for lax cybersecurity after appointing an “unqualified” CISO. Their decision led directly to the recent ransomware attack that crippled healthcare services across the US, according to Wyden.
Steven Martin, the CISO appointed in 2023, hadn’t previously held a security role. “Although Mr Martin has decades of experience in technology jobs, cybersecurity is a specialized field, requiring specific expertise,” Wyden said in his letter.
The Register notes that upskilling is considered a promising solution to the cybersecurity industry’s skills shortage, “but perhaps it’s not something to rely on at the highest levels.”
Wyden also raised the lack of multi-factor authentication on the remote access server the attackers used to gain initial access to the company’s network, which he described as one of many failings that turned a routine intrusion into a crisis. “Hackers gaining access to one remote access server should not result in a ransomware infection so serious that the company must rebuild its digital infrastructure from scratch,” the senator wrote.
He noted that the company has yet to reveal how the hackers moved laterally from that first server to the rest of the company’s tech infrastructure. “Best practices are to wall off the most sensitive servers in an organization, specifically to prevent this type of incident,” he said.
Wyden’s letter cited two earlier cases in which companies were sanctioned for lax cybersecurity, both brought by the FTC in 2022: the “carelessness” of alcohol-delivery platform Drizly’s CEO, which led to the exposure of 2.5 million individuals’ personal information, and edtech company Chegg’s four separate security lapses, which affected 40 million people.
Bad as they were, neither breach had as broad an effect as the UnitedHealth breach. Wyden asks the regulators to investigate the multiple failures leading to the ransomware attack.