UnitedHealth Group, which this month confirmed that the sensitive personal information of more than 100 million people was compromised during a massive data breach earlier this year, now has a new top cybersecurity executive.
Tim McKnight, who brings years of cybersecurity experience with organizations like SAP, Thomson Reuters, GE, and Northrop Grumman, announced the new job in a brief LinkedIn post this week, writing that he will work with other company executives “as we continue to advance our cybersecurity strategy and safeguarding critical information in support of helping people live healthier lives and improving the health system for everyone.”
He has also served as chairman of the Internet Security Alliance, on the boards of directors of companies like IBM and Amazon Web Services, and on the advisory boards of Google and ClearSky.
He replaces Steven Martin, a longtime IT executive with UnitedHealth who took the CISO job nine months before the ransomware attack. Martin became a target of some Congressional lawmakers who criticized UnitedHealth for putting him in the CISO role even though he had no cybersecurity experience. Martin now has a new role with the company, as chief restoration officer.
McKnight steps into the job as the massive healthcare insurance company continues to clean up the debris from the ransomware attack by an affiliate of the now-defunct BlackCat – also known as ALPHV – threat group on a United Healthcare subsidiary. The attack roiled the industry, forcing the company to shut down systems and disrupting operations at health care facilities and pharmacies around the country.
The threat actors targeted Change Healthcare, a subsidiary of UnitedHealth whose systems process payments, medical and insurance claims, and prescription orders for hundreds of thousands of hospitals, healthcare clinics, and pharmacies in the United States. When those systems went down, some pharmacies were unable to fill prescriptions, health care facilities couldn’t get paid, and some businesses shut down.
UnitedHealth, which has 152 million customers, said in the wake of the attack that about a third of the U.S. population could have had their data compromised and later said in a notice that it could affect a “substantial proportion of people” in the United States. The updated number was posted on a list of data breaches maintained by the U.S. Health and Human Services Department’s Office for Civil Rights.
The attackers, who spent nine days inside the Change network before being detected, stole about 6TB of data that included information related to people’s health care, including medical record numbers and diagnoses, health care insurance, and billing and payments. Other personal information like Social Security Numbers and driver’s license numbers also were taken.
Lawmakers sharply criticized UnitedHealth’s security measures. In a letter in May to the Federal Communications Commission and Federal Trade Commission, Senator Ron Wyden, D-OR, noted that the attackers were able to gain access to internal IT systems through a remote server that wasn’t protected by multifactor authentication (MFA). Wyden also said that UnitedHealth had not prepared for a ransomware attack by ensuring that affected systems could be quickly restored.
The senator suggested that some of the failures likely came from UnitedHealth installing Martin as CISO despite him never having worked in a full-time cybersecurity role. His experience included IT roles with UnitedHealth and Change.
“Although Mr. Martin has decades of experience in technology jobs, cybersecurity is a specialized field, requiring specific expertise,” he wrote. “Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest health care company in the world should not be someone’s first cybersecurity job.”
That said, Wyden wrote that the fault was more with UnitedHealth CEO Andrew Witty and the company’s board of directors than with Martin “for elevating someone without the necessary experience to such an important role in the company, as well as for the company’s failure to adopt basic cyber defenses.”