(Bloomberg) -- Senator Ron Wyden called for regulators to investigate UnitedHealth Group Inc. over what he described as “negligent” security that led to one of the largest hacks in the history of US health care.

Wyden, an Oregon Democrat, asked the Federal Trade Commission and the Securities and Exchange Commission to probe the company’s “numerous cybersecurity and technology failures” to determine if laws were broken, according to a letter to the agencies viewed by Bloomberg News.

In response to a list of questions laying out the points made in Wyden’s letter, the company said in a statement that it responded quickly and effectively to the attack and that it has a strong commitment to security.

An FTC representative had no comment, and the SEC didn’t respond.

Shares of UnitedHealth fell as much as 1.4% on Thursday. The stock had declined about 8% this year through Wednesday.

The letter adds to pressure on UnitedHealth as it seeks to move past a security breach in February that dented profits by as much as $1.6 billion, including paying a $22 million ransom to the hackers. An executive said Wednesday at a conference that the systems of the subsidiary, Change Healthcare, which were targeted are largely back. However, the company’s status website lists more than a dozen products as only partially restored. 

Wyden, who chairs the Senate Finance Committee, has already taken aim at UnitedHealth. He questioned Chief Executive Officer Andrew Witty on May 1 during testimony and claimed the company had neglected basic safeguards. Witty testified that attackers broke in through a server that wasn’t protected by multifactor authentication, a routine security measure designed to thwart online intruders.

Read More: UnitedHealth Touted Hack Repairs When Utah Was Still Reeling

The hack “caused substantial harm to consumers, investors, the health-care industry and US national security,” Wyden said in the letter. The breach was “completely preventable and the direct result of corporate negligence.”

One lingering issue is that UnitedHealth still hasn’t accounted for how many people’s data was exposed, though Witty testified it may be as many as one-third of Americans. 

The hack also likely compromised information on members of the US military and government that could be exploited by foreign adversaries, including China and Russia, Wyden wrote. UnitedHealth has said that the hackers had ties to a foreign country.

The breach caused an outage of a computer network run by Change Healthcare that processes $2 trillion in medical claims a year, rendering some pharmacies unable to process prescriptions. That left patients struggling to get treatments. 

Meanwhile, providers reported going without pay and then taking out loans and using personal funds to stay afloat. Some even closed, Wyden said. UnitedHealth has said it advanced more than $6.5 billion to providers facing cash-flow disruptions.

Wyden criticized management on several fronts, including not having a board member with any meaningful experience in cybersecurity.

The board has skills in risk management, including cybersecurity, the company said in the statement. UnitedHealth also said it recently hired a cybersecurity consulting firm to advise its directors. 

(Adds shares in fifth paragraph, link to letter in sixth paragraph.)

©2024 Bloomberg L.P.