Holding Leadership Accountable for Cybersecurity Failures in Healthcare Industry

**U.S. Senator Calls for Accountability in UnitedHealth Group Cyberattack Investigation**
Senator Ron Wyden, D-Ore., is pushing for the U.S. Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) to investigate the February cyberattack on UnitedHealth Group’s Change Healthcare unit, emphasizing the need for accountability at the highest levels of the company. Wyden, chair of the Senate Finance Committee, highlighted the significant harm caused by the attack on consumers, investors, the healthcare sector, and national security, and pointed to what he perceives as “negligent cybersecurity practices” within UnitedHealth Group.
In a noteworthy development, Wyden has asked the agencies not to blame the company’s Chief Information Security Officer (CISO), Steven Martin, for the cybersecurity lapses, arguing that Martin, despite his extensive technology background, lacked specific cybersecurity experience when he took on the top cybersecurity role in June 2023. Instead, Wyden is urging the SEC and FTC to hold the company’s CEO, Andrew Witty, and the board of directors accountable, arguing they are ultimately responsible for the cybersecurity failures.
The call for accountability comes after UnitedHealth Group CEO Andrew Witty testified before two congressional committees regarding the cyberattack and the company’s cybersecurity policies, including the use of multifactor authentication (MFA). Senator Wyden criticized the company for waiving its MFA policy for servers running older software, a decision that has come under scrutiny following the cyberattack.
UnitedHealth Group, in response to the incident, has stated its commitment to strong cybersecurity and its intention to work with policymakers and stakeholders to develop practical solutions. The company highlighted its quick and effective response to the attack and pointed to the experience of its board members in risk management and cybersecurity as evidence of its capacity to manage cyber risks.
The FTC has confirmed receipt of Wyden’s letter, although further comments were declined, and the SEC has yet to respond. The incident and the subsequent calls for investigation underscore the ongoing concerns around cybersecurity in the healthcare industry and the importance of accountability at the highest levels of corporate governance.