US Senate finance chair slams Change Healthcare for ‘negligence’ in ransomware attack

Cybersecurity experts faulted UHG for failure to deploy multifactor authentication MFA — a basic enterprise security access control — across Change Healthcare’s servers. UHG acquired Change Healthcare in October 2022.

Letter blames inexperienced security leadership

Steven Martin, UHG’s chief information security officer, was appointed in June 2023. “He had not worked in a full-time cybersecurity role before he was elevated to the top cybersecurity position at UHG,” according to Wyden.

“Although Mr. Martin has decades of experience in technology jobs, cybersecurity is a specialized field, requiring specific expertise,” Wyden said.