In response to a list of questions laying out the points made in Wyden’s letter, the company said in a statement that it responded quickly and effectively to the attack and that it has a strong commitment to security.
An FTC representative had no comment, and the SEC didn’t respond.
The letter adds to pressure on UnitedHealth as it seeks to move past a security breach in February that dented profits by as much as $1.6 billion, including paying a $22 million ransom to the hackers. An executive said Wednesday at a conference that the systems of the subsidiary, Change Healthcare, which were targeted are largely back. However, the company’s status website lists more than a dozen products as only partially restored.
Wyden, who chairs the Senate Finance Committee, has already taken aim at UnitedHealth. He questioned Chief Executive Officer Andrew Witty on May 1 during testimony and claimed the company had neglected basic safeguards. Witty testified that attackers broke in through a server that wasn’t protected by multifactor authentication, a routine security measure designed to thwart online intruders.
The hack “caused substantial harm to consumers, investors, the health-care industry and US national security,” Wyden said in the letter. The breach was “completely preventable and the direct result of corporate negligence.”
One lingering issue is that UnitedHealth still hasn’t accounted for how many people’s data was exposed, though Witty testified it may be as many as one-third of Americans.
The hack also likely compromised information on members of the US military and government that could be exploited by foreign adversaries, including China and Russia, Wyden wrote. UnitedHealth has said that the hackers had ties to a foreign country.
The breach caused an outage of a computer network run by Change Healthcare that processes $2 trillion in medical claims a year, rendering some pharmacies unable to process prescriptions. That left patients struggling to get treatments.
Meanwhile, providers reported going without pay and then taking out loans and using personal funds to stay afloat. Some even closed, Wyden said. UnitedHealth has said it advanced more than $6.5 billion to providers facing cash-flow disruptions.
Wyden criticized management on several fronts, including not having a board member with any meaningful experience in cybersecurity.
The board has skills in risk management, including cybersecurity, the company said in the statement. UnitedHealth also said it recently hired a cybersecurity consulting firm to advise its directors.
© 2024 Bloomberg L.P.