Sen. Ron Wyden, D-Ore., has called for an investigation into Microsoft by the Federal Trade Commission for its alleged role in the cyberattack on Ascension, a major health system based in St. Louis. In a letter to FTC Chairman Andrew Ferguson, Wyden accused Microsoft of providing insecure software to government agencies and critical infrastructure sectors, including healthcare, which contributed to the ransomware attack on Ascension last year.
The attack on Ascension resulted in critical technology systems being offline for weeks, ambulances being diverted, and the sensitive health data of 5.5 million individuals being exposed. Wyden highlighted Microsoft’s dominant position in the market with its Windows operating system, which is widely used by companies and government agencies. He raised concerns about Windows’ vulnerability to ransomware attacks, stating that a single employee clicking on a malicious link could lead to a widespread cyberattack.
Wyden pointed to the specific incident at Ascension, in which a contractor inadvertently clicked on a malicious link while using a company laptop, allowing hackers to gain access to the network and spread ransomware. The attackers exploited an outdated encryption technology called RC4, which Microsoft has not disabled by default in Windows. Despite promises to release an update to address this issue, Microsoft has yet to take action.
The senator criticized Microsoft for profiting from selling cybersecurity services while failing to adequately address security vulnerabilities in its software. He likened the situation to an arsonist selling firefighting services to their victims, noting that organizations have no choice but to continue using Microsoft’s software due to its near-monopoly in the market.
In response to Wyden’s allegations, Microsoft stated that it had already removed another encryption standard with similar issues to RC4 and plans to disable RC4 by default in new installations of Active Directory Domains next year. The company emphasized its efforts to discourage the use of RC4 and provide guidance on safer encryption practices.
The FTC confirmed receipt of Wyden’s letter but declined to comment further. Ascension did not respond to requests for comment at the time of publication. The ongoing debate highlights the importance of cybersecurity in the healthcare sector and the need for technology companies to prioritize the protection of sensitive data.