Wyden urges feds to hold UnitedHealth execs accountable for cyberattack

Oregon Sen. Ron Wyden is calling on the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) to hold UnitedHealth Group accountable for "negligent cybersecurity practices" that allowed hackers to breach its Change Healthcare subsidiary.

In a letter (PDF) to FTC Chair Lina Khan and SEC Chair Gary Gensler, Wyden said the cyberattack caused significant disruptions for patients and providers, and it could also pose a national security risk if hostile nations secure information that was stolen from Change's servers.

UnitedHealth disclosed the ransomware attack on Feb. 21 and has since revealed that the hackers appear to have been inside Change Healthcare's systems for nine days exfiltrating data before deploying ransomware. CEO Andrew Witty said the server that was breached did not have two-factor authentication enabled, a basic cybersecurity measure.

Wyden, who chairs the Senate Finance Committee, said the FTC and the SEC should investigate the breach to identify whether any laws were broken due to missed cybersecurity protections and hold the company's top brass accountable for any lapses.

"This incident and the harm that it caused was, like so many other security breaches, completely preventable and the direct result of corporate negligence," Wyden wrote.

"The cyberattack against UHG could have been prevented had UHG followed industry best practices," he continued. "UHG’s failure to follow those best practices, and the harm that resulted, is the responsibility of the company’s senior officials including UHG’s CEO and board of directors."

Wyden noted in the letter that the SEC set a precedent in this area last year by holding the chief technology officer of software company SolarWinds accountable for "lax cybersecurity." Wyden said regulators shouldn't "scapegoat" UnitedHealth's head of cybersecurity, who had not previously held a full-time cybersecurity role, and instead pointed to the company's board and Witty.

The FTC has also punished companies that failed to implement multifactor authentication, Wyden added.

"The Audit and Finance committee of UHG’s board, which is responsible for overseeing cybersecurity risk to the company, clearly failed to do its job," Wyden said. "One likely explanation for this board-level oversight failure is that none of the board members have any meaningful cybersecurity expertise."