Senator Ron Wyden, easily one of the most tech-savvy US lawmakers, has written a scathing letter saying UnitedHealth Group’s (UHG) CEO and board “should be held responsible” for hiring an unqualified CISO.
UHG suffered a devastating ransomware attack in early 2024. Hackers claiming affiliation with BlackCat said they had absconded with six terabytes of data. UHG CEO Andrew Witty ultimately made the decision to pay a $22 million ransom to regain access to company systems.
In the wake of the attack, damning details have emerged regarding the company’s cybersecurity—or lack thereof. For example, as Senator Wyden writes in a letter to FTC Chairwoman Lina Khan, despite multi-factor authentication (MFA) being company policy for all “externally facing systems,” the company had failed to enforce it, leading to a remote server being compromised. To make matters worse, Witty revealed in testimony before Congress that MFA was still not in place company-wide at the time of his testimony, nor was the policy enforced in all instances.
“In certain situations where you might have, for example, older technologies which have been upgraded, you might — you may have security controls around those systems as a — as a compensatory factor,” Witty told Congress.
Senator Wyden emphasizes the utter lack of good judgment the above statement demonstrates.
The consequences of UHG’s apparent decision to waive its MFA policy for servers running older software are now painfully clear. But UHG’s leadership should have known, long before the incident, that this was a bad idea.
Senator Wyden then takes aim at UHG’s hiring of Steven Martin for the role of CISO, saying he appeared to be unqualified for the role.
One likely reason for UHG’s negligence, and the company’s failure to adopt industry-standard cyber defenses, is that the company’s top cybersecurity official appears to be unqualified for the job. Steven Martin, UHG’s chief information security officer (CISO), had not worked in a full-time cybersecurity role before he was elevated to the top cybersecurity position at UHG in June 2023, after working in other roles at UHG and Change Healthcare. Although Mr. Martin has decades of experience in technology jobs, cybersecurity is a specialized field, requiring specific expertise. Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest health care company in the world should not be someone’s first cybersecurity job.
Senator Wyden makes a point of saying that Martin should not be scapegoated for UHG’s failure. Instead, the CEO and board bear responsibility.
Due to his apparent lack of prior experience in cybersecurity, it would be unfair to scapegoat Mr. Martin for UHG’s cybersecurity lapses. Instead, UHG’s CEO and the company’s board of directors should be held responsible for elevating someone without the necessary experience to such an important role in the company, as well as for the company’s failure to adopt basic cyber defenses. The Audit and Finance committee of UHG’s board, which is responsible for overseeing cybersecurity risk to the company, clearly failed to do its job. One likely explanation for this board-level oversight failure is that none of the board members have any meaningful cybersecurity expertise.
The senator calls on Lina Khan and the FTC to investigate UHG’s cybersecurity failures—making the point that there are likely many more given how serious this one is—and hold senior leadership accountable.