UnitedHealth Group CEO Scolded by 22 Attorneys General from Across U.S.


April 29, 2024

World map

Nearly two-dozen state Attorney’s General have petitioned the CEO of UnitedHealth Group over concerns following the devastating ransomware attack on subsidiary Change Healthcare that occurred in February.

The letter, signed by 22 Attorney’s General from across the nations, criticizes the company's response to the attack, stating “you must do more than you are currently to avoid imposing further harm to our states’ health care infrastructure and the patients who rely upon it.”

“Providers, pharmacies, and patients have reported catastrophic disruptions and wholly inadequate responses from Change Healthcare and its payor partners that either directly or indirectly rely upon Change. Health care entities and pharmacies within our jurisdictions have indicated that they are in jeopardy of collapse. Patients describe disruptions to their care and delayed or denied access to prescription drugs as a consequence of Change Healthcare’s failures,” the letter continues (PDF).

“To date, both Change Healthcare’s and UnitedHealth Group’s responses to the crisis have been inadequate. Care providers and non-UHG facilities are unable to reach Change Healthcare staff who can provide timely information about what data has been breached, which patients and systems may have ongoing cyber vulnerability, to what extent independent analysis has been completed to ensure vulnerabilities have been reduced or eliminated, how they can receive financial support that does not impose unreasonable conditions such as waiver of liability, or how they can document and submit claims during the outage.”

Takeaway: Ransomware attacks are increasingly putting company executives and Boards of Directors in the crosshairs of regulators and at risk of legal liability.  

Until recently, even after a serious security event, everyone went home at the end of the day, but that is likely not going to be the case moving forward as we see more regulatory and legal repercussions for those at the very top.  

We are just beginning to see more class action lawsuits, punitive regulatory actions, criminal prosecutions and potentially even jailtime for leadership following successful attacks – especially if sensitive or regulated data was compromised.

Prior to an attack, all that organizations get from the government to defend themselves from disruptive ransomware attacks are guidelines and frameworks.

But once they are successfully attacked, it seems the full force of the government kicks into gear, and regardless of whether there are valid concerns about an organization’s security operations, the outcome is essentially just revictimizing the victims.

This means that every organization that handles sensitive data is going to face regulatory scrutiny – and now potentially even criminal jeopardy – if and when they are attacked.

For company officers, it’s about material knowledge before, during and after a major security event that can put them in legal or regulatory jeopardy.  

But a punitive legal and regulatory environment will likely create top-down pressure on CISOs and security teams to be less forthcoming with the C-level and BoD when faced with a security event.

It’s not hard to see that security teams will feel pressure to not report events to leadership unless they absolutely have to, and this has the potential to negatively impact security operations that could undo more than a decade of progress in escalating security concerns to the C-suite and BoD level.

Organizations who were already struggling to defend themselves against the threat from ransomware and data extortion attacks now also face the threat of being re-victimized by an overzealous legal and regulatory landscape.

And with UnitedHealth Group dedicating $2 billion for ransomware attack recovery efforts for Change Healthcare – with $872 million spent on recovery efforts in Q1-2024 alone – it’s likely only a matter of time before the SEC and shareholders begin looking for a scapegoat.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.