June 05, 2024

Following UnitedHealth Group Ransomware Attack, Wyden Urges HHS to Require Mandatory Cybersecurity Defenses for Large Health Care Companies

In 2022, health care organizations reported over 600 breaches affecting nearly 42 million Americans

Washington, D.C. – Following the UnitedHealth Group (UHG) ransomware cyberattack, Senate Finance Committee Chair Ron Wyden, D-Ore., urged the Department of Health and Human Services (HHS) to immediately require systemically important health care companies to improve their cybersecurity practices, in order to protect against cyberattacks that can shut down medical centers for weeks and leave patients’ personal medical information exposed to criminals and foreign spies.

HHS’ current approach of allowing the health care sector to self-regulate its cybersecurity practices is insufficient and fails to protect patients’ personal information. HHS does not require companies, including UHG, to use multi-factor authentication (MFA) or other cybersecurity best practices. Wyden urged HHS to immediately put in place new security rules, including establishing minimum technical cybersecurity and resiliency standards, performing periodic audits, and providing technical assistance to providers, particularly those with limited resources.

UHG Chief Executive Officer Andrew Witty testified before the Senate Finance Committee on May 1, revealing that MFA, a basic cyber defense, was not in place at the time of the cyberattack. Months after UHG was hacked, the company has still not reported how many Americans’ data was stolen. Cyberattacks can lead to delays in access to care, impair providers’ ability to access electronic medical records, and even result in higher mortality rates for Medicare patients already admitted to hospitals. Stolen medical records not only harm the privacy and security of individuals; they can also threaten U.S. national security when the records of government officials or other individuals with access to sensitive information are obtained by foreign adversaries.

“It is clear that HHS’ current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers. HHS must follow the lead of other federal regulators in mandating cybersecurity best practices necessary to protect the health care sector from further, devastating, easily preventable cyberattacks,” wrote Wyden. “To its credit, HHS announced last year that it planned to update the cybersecurity regulations for the healthcare sector, which HHS has not meaningfully updated since 2003. HHS can and should go further given its role as a regulator and purchaser of health coverage for more than 150 million Americans.”

“The current epidemic of successful cyberattacks against the health care sector is a direct result of HHS’s failure to appropriately regulate and oversee this industry, harming patients, providers, and our national security,” continued Wyden. “I urge HHS to use all of its authorities to protect U.S. health care providers and patients from cybersecurity risk.”

Last week, Senator Wyden sent a letter to Federal Trade Commission (FTC) Chair Lina S. Khan and U.S. Securities and Exchange Commission (SEC) Chair Gary Gensler urging the agencies to hold UHG accountable for negligent cybersecurity practices, which caused substantial harm to consumers, investors, the health care system, and U.S. national security.

A copy of the letter text is here.