US senator claims UnitedHealth's CEO, board appointed 'unqualified' CISO

Similar cases have resulted in serious sanctions, and they were on a far smaller scale

Serial tech and digital privacy critic Senator Ron Wyden (D-OR) laid into UnitedHealth Group's (UHG) CEO for appointing a CISO Wyden deemed "unqualified"– a decision he claims likely led to its ransomware catastrophe of late.

Wyden lambasted UHG in a letter sent to Lina Khan and Gary Gensler, chairs of the FTC and SEC respectively, imploring the regulators to investigate the healthcare company's many failures leading up to the ransomware attack that downed services across the US.

One failure that caught the eye, according to the senator, had to do with Steven Martin, the CISO appointed by UHG in 2023. Wyden justified his stance by pointing out that Martin hadn't held a security-specific role during his career, despite his high-level experience in other tech roles.

"Although Mr Martin has decades of experience in technology jobs, cybersecurity is a specialized field, requiring specific expertise," Wyden said in his letter [PDF]. 

"Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest health care company in the world should not be someone's first cybersecurity job."

Martin was hired by UHG in 2020 originally as its exec veep of enterprise tech after previously holding the role of acting CEO at GE Digital. Per his profile on Change Healthcare's website, at GE he also worked as the chief digital officer at GE Power and chief commercial officer at GE Digital.

Before that, Martin spent 14 years at Microsoft working in multiple roles across data science, customer acquisition, and more. He moved to Redmond after spending years in marketing roles at tech-related companies.

Not all the blame is being placed on Martin, though. Wyden said it would be unfair to scapegoat the CISO for all the company's security failings and the blame should instead lie with CEO Andrew Witty and the board for placing Martin there in the first place.

Upskilling has long been hailed as one of the more promising solutions to the cybersecurity industry's skills shortage, but perhaps it's not something to rely on at the highest levels.

In addition to highlighting the alleged recruitment gaffe, Wyden also made a point to bring up the lack of MFA on the remote access server ALPHV used to gain initial access to the company's network. It's one that many critics have latched on to since Witty revealed it at a Senate Finance Committee hearing on May 1, and many believe it is tantamount to weapons-grade negligence.

One such critic is Tom Kellermann, SVP of cyber strategy at Contrast Security, who previously told The Register: "I'm blown away by the fact that they weren't using multi-factor authentication. I'm blown away that the networks weren't segmented. And I'm blown away that they didn't conduct threat hunting robustly into that environment knowing that they had been compromised. I think it's egregious negligence, frankly."

Wyden went on to say that even with MFA not being deployed across the entirety of UHG's IT estate, it probably isn't the only cybersecurity failing that turned it from an organization that was merely targeted by cybercriminals, to one that was floored by ransomware.

"Hackers gaining access to one remote access server should not result in a ransomware infection so serious that the company must rebuild its digital infrastructure from scratch," the senator wrote.  

"UHG has not revealed how the hackers gained administrative privileges and moved laterally from that first server to the rest of the company's technology infrastructure. However, cybersecurity best practices are to have multiple lines of defense, and to wall off the most sensitive servers in an organization, specifically to prevent this type of incident."

In calling for a full regulatory investigation, Wyden pointed to two historical cases that led to sanctions against companies that were found to have taken a lax approach to data security.

The FTC's cases against Drizly and Chegg – both in 2022 – were used as examples of what happens to companies that exhibit negligence for which their customers later pay the price. In both cases, the number of affected Americans was substantially smaller than the number affected by UHG's incident.

The "carelessness" of alcohol-delivery platform Drizly's CEO led to the exposure of 2.5 million individuals' personal information, while edtech giant Chegg's four separate blunders affected 40 million.

Change Healthcare's ransomware incident, however, per Witty's Senate testimony, potentially affected around one-third of all Americans.

"The cyberattack against UHG could have been prevented had UHG followed industry best practices," said Wyden, concluding his rousing letter-cum-tirade. "UHG's failure to follow those best practices, and the harm that resulted, is the responsibility of the company's senior officials including UHG's CEO and board of directors. 

"Accordingly, I urge the FTC and SEC to investigate UHG's numerous cybersecurity and technology failures, to determine if any federal laws under your jurisdiction were broken, and, as appropriate, hold these senior officials accountable." ®

More about


Send us news

Other stories you might like