Inexperienced CISO Held Responsible for Cyberattack on Change Healthcare

Senator Wyden Urges Investigation into UnitedHealth Group’s Cybersecurity Practices and Calls for Accountability

Senator Ron Wyden, Chairman of the Senate Committee on Finance, has called for a thorough investigation into UnitedHealth Group’s (UHG) cybersecurity practices following a devastating cyberattack on its subsidiary, Change Healthcare. In a letter to federal regulators, Senator Wyden emphasized the need to hold UHG, its senior executives, and board of directors accountable for the harm caused to consumers, investors, the healthcare industry, and U.S. national security.

The cyberattack on Change Healthcare, which Senator Wyden linked to the SolarWinds data breach, has raised serious concerns about UHG’s cybersecurity integrity. The appointment of a Chief Information Security Officer with no prior full-time experience in cybersecurity has been highlighted as a clear example of corporate negligence that has put stakeholders at risk.

The incident involved hackers exploiting a remote access server at Change Healthcare that lacked multi-factor authentication, leading to a ransomware infection that disrupted UHG’s operations. UHG CEO Andrew Witty admitted during a Senate Finance Committee hearing that the company’s MFA policy was not uniformly implemented across all external servers, exposing broader cybersecurity deficiencies.

Senator Wyden pointed out that the failure to implement MFA on all servers contradicts industry standards and regulatory expectations, as mandated by the FTC’s Safeguards Rule. The financial implications of the breach, estimated at over a billion dollars by UHG, underscore the importance of robust cybersecurity practices for investor confidence and market stability.

Wyden’s call for regulatory action underscores the need for accountability in corporate governance regarding cybersecurity risks. The investigation into UHG’s cybersecurity and technology practices aims to determine if federal laws were violated and to address the oversight failures of the Audit and Finance Committee responsible for cybersecurity risk oversight. As cybersecurity threats continue to evolve, the case serves as a stark reminder of the critical importance of proactive cybersecurity measures in safeguarding sensitive data and maintaining business continuity.
