Sen. Ron Wyden is urging regulators to investigate UnitedHealth Group for what he termed "negligent" security practices, which he believes contributed to the February cyberattack on its subsidiary Change Healthcare.
On May 30, Mr. Wyden wrote a letter to the FTC and the Securities and Exchange Commission asking the agencies to probe UnitedHealth Group for "negligent cybersecurity practices."
"UHG has publicly confirmed that the hackers gained their initial foothold by logging into a remote access server that was not protected with multi-factor authentication (MFA)," Mr. Wyden wrote. "MFA is an industry-standard cyber defense that protects against hackers who have guessed or stolen a valid username and password for a system."
Mr. Wyden also argued that the attack could have been averted if the company had adhered to industry best practices.
"UHG's failure to follow those best practices, and the harm that resulted, is the responsibility of the company's senior officials including UHG's CEO and board of directors," he wrote. "Accordingly, I urge the FTC and SEC to investigate UHG's numerous cybersecurity and technology failures, to determine if any federal laws under your jurisdiction were broken, and, as appropriate, hold these senior officials accountable."
On May 1, UnitedHealth Group CEO Andrew Witty testified before the Senate Finance Committee, disclosing that MFA was not implemented at the time of the Change hack.
Since the hack, Mr. Witty said all of the company's external-facing systems have multifactor authentication enabled.