Getty Images/iStockphoto
Senator asks FTC, SEC to investigate UnitedHealth’s cybersecurity practices
Sen. Ron Wyden requested that the FTC and SEC chairs investigate UHG’s “numerous cybersecurity and technology failures” to determine whether federal laws were broken.
In a letter to the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) chairs, Sen. Ron Wyden (D-Ore.) urged the two commissions to investigate UnitedHealth Group (UHG) in the wake of the Change Healthcare cyberattack.
The HHS Office for Civil Rights (OCR) is actively investigating Change Healthcare’s compliance with HIPAA, but Wyden suggested that UHG’s compliance with FTC and SEC rules also deserves scrutiny.
“This incident and the harm that it caused was, like so many other security breaches, completely preventable and the direct result of corporate negligence,” Wyden wrote.
Wyden highlighted UHG CEO Andrew Witty’s federal testimonies delivered in May, in which Witty explained that hackers gained access to Change systems by logging into a remote access server that was not protected by multifactor authentication (MFA).
“The consequences of UHG’s apparent decision to waive its MFA policy for servers running older software are now painfully clear,” Wyden reasoned. “But UHG’s leadership should have known, long before the incident, that this was a bad idea.”
Considering these factors, Wyden suggested that the FTC use its authority to hold UHG accountable and enforce consumer protection standards. Wyden cited past FTC cases against the alcohol delivery platform Drizly and the education tech company Chegg, both of which were required to implement phishing-resistant MFA as a result of the FTC’s investigations. Considering the FTC’s past settlements, Wyden reasoned that the commission could investigate UHG in a similar manner.
“While UHG has not yet made public the full details of this incident, UHG’s failure to require MFA is unlikely to be the company’s only cybersecurity lapse,” Wyden added.
Additionally, Wyden urged the SEC to exercise its authority to investigate UHG, which is a publicly traded company.
In the 2023 case against SolarWinds, The SEC held that publicly traded companies “are required to develop reasonable safeguards against unauthorized access to Company assets by designing and maintaining reasonable controls to prevent and detect unauthorized access to, or use of, its assets.”
Wyden suggested that if the FTC and SEC choose to investigate UHG, it will ensure that UHG senior officials are held accountable and that the company has ramped up its security practices to prevent future incidents.
