Following the ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group (UHG), members of Congress are increasing their scrutiny of UHG, seeking both accountability and solutions to prevent a similar cyberattack.
The ransomware attack on Change Healthcare paralyzed billing services for providers nationwide in late February.
Demanding Accountability
Sen. Ron Wyden, D-Ore., sent a letter on May 30 to Federal Trade Commission (FTC) Chair Lina Khan and U.S. Securities and Exchange Commission (SEC) Chair Gary Gensler urging the agencies to hold UHG accountable for “negligent cybersecurity practices.”
“This incident and the harm that it caused was, like so many other security breaches, completely preventable and the direct result of corporate negligence,” Sen. Wyden wrote. “UHG has publicly confirmed that the hackers gained their initial foothold by logging into a remote access server that was not protected with multi-factor authentication (MFA).”
“The cyberattack against UHG could have been prevented had UHG followed industry best practices. UHG’s failure to follow those best practices, and the harm that resulted, is the responsibility of the company’s senior officials including UHG’s CEO and board of directors,” Sen. Wyden continued. “Accordingly, I urge the FTC and SEC to investigate UHG’s numerous cybersecurity and technology failures, to determine if any Federal laws under your jurisdiction were broken, and, as appropriate, hold these senior officials accountable.”
The senator urged regulators not to scapegoat Steven Martin, UHG’s head of cybersecurity, who had not worked in a full-time cybersecurity role before being elevated to lead cybersecurity for UHG.
Instead, Sen. Wyden urged them to hold UHG’s CEO and board of directors responsible for elevating someone “without the necessary experience to such an important role.”
Demanding Solutions
Similarly, Reps. Chris Pappas, D-N.H., and Michelle Steel, R-Calif., earlier this month introduced the “Strengthening Cybersecurity in Health Care Act.” This bill would require the inspector general of the Department of Health and Human Services to conduct evaluations of the agency’s cybersecurity systems to keep health information safe.
The lawmakers noted that this bill comes in the wake of recent cyberattacks, such as the ransomware attack on Change Healthcare.
“Recent attacks on health care systems have made it clear that strengthening our cybersecurity must be a top priority to safeguard personal health information and protect access to care,” said Rep. Pappas. “This bipartisan legislation will bolster cybersecurity and support needed improvements to protect health care systems, including patient data.”
“Tackling cyberattacks is a bipartisan issue, and I will continue working with my colleagues across the aisle to pass this critical bill and strengthen our healthcare systems against future attacks,” he added.
A bipartisan companion bill in the Senate was released earlier this year.