Senator: UnitedHealth leaders blamed for hiring inexperienced CISO

May 30, 2024
Article Summary

TLDR:

  • Senator Ron Wyden called for UnitedHealth Group's leaders to be held responsible for negligence in installing an inexperienced CISO, and asked the FTC and SEC to investigate.
  • The ransomware attack on Change Healthcare exposed the data of millions of Americans, delayed patients' access to medication and left providers under financial strain while essential systems were offline.

Senator Ron Wyden criticized UnitedHealth Group for installing an inexperienced Chief Information Security Officer (CISO) and called for the company's leaders to be held accountable for negligence connected to the ransomware attack on Change Healthcare. Wyden compared the incident to the SolarWinds compromise, in which the company's security leadership was also scrutinized, to underline the importance of placing qualified cybersecurity professionals in key roles. He urged the Federal Trade Commission (FTC) and the U.S. Securities and Exchange Commission (SEC) to take action against UnitedHealth over its cybersecurity lapses.

The ransomware attack on Change Healthcare, believed to have been carried out by actors in Russia, resulted in the theft of sensitive information belonging to millions of Americans. The breach had severe consequences for the healthcare industry: patients experienced delays in obtaining critical medication, and providers faced financial strain while essential claims and payment systems remained offline.

Wyden emphasized that UnitedHealth's leaders were reckless in their cybersecurity practices, allowing attackers to take advantage of basic security gaps such as the absence of multi-factor authentication on remote access servers. He called for FTC and SEC investigations to determine whether federal laws were violated and to hold senior officials accountable for cybersecurity failures that harmed both investors and consumers.

Wyden's letter underlined the role of basic cybersecurity controls in protecting sensitive data and keeping essential services running, and urged regulators to take decisive action to deter similar failures in the future.
