
Wyden calls for FTC probe into Microsoft over Ascension hack

Sen. Ron Wyden alleged that Microsoft's "insecure software" enabled the ransomware attack against Ascension hospitals, which resulted in weeks of EHR downtime.

Sen. Ron Wyden (D-Ore.) sent a letter to Federal Trade Commission Chairman Andrew Ferguson, urging the FTC to investigate Microsoft's role in "enabling" the 2024 Ascension cyberattack. The senator alleged that Microsoft's "dangerously insecure default settings" allowed the hackers to gain access to Ascension's network.

Ascension, which operates more than 140 hospitals across 19 U.S. states, suffered a ransomware attack in May 2024 that disrupted its network, including its EHR system. Hospitals had to revert to paper records and use manual processes for dispensing medication, contacting patients and ordering diagnostic tests. Ascension restored EHR access across the organization weeks later. The incident resulted in a data breach that affected 5.6 million individuals.

In his letter to the FTC, Wyden argued that Microsoft was to blame, given that the tech giant has a "de facto monopoly over the operating systems used by most companies and government agencies."

"In its default configuration, Microsoft Windows is incredibly vulnerable to ransomware infections. Because of dangerous software engineering decisions by Microsoft, which the company has largely hidden from its corporate and government customers, a single individual at a hospital or other organization clicking on the wrong link can quickly result in an organization-wide ransomware infection," the letter stated.

"Microsoft has utterly failed to stop or even slow down the scourge of ransomware enabled by its dangerous software."

To Wyden, the Ascension ransomware attack "perfectly illustrates the problem caused by Microsoft," since the cyberattack allegedly began when a contractor using an Ascension laptop conducted a search using Microsoft's Bing search engine. The individual clicked on a malicious link in the search results, which gave hackers an entry point into Ascension's network, the letter stated.

Wyden argued that Microsoft's continued support of RC4, a stream cipher dating from the 1980s, enabled the hackers to use a technique called Kerberoasting to gain access to privileged accounts. In a Kerberoasting attack, any authenticated domain user requests Kerberos service tickets for accounts that carry a service principal name and then cracks those tickets offline to recover the accounts' passwords; tickets encrypted with RC4 are keyed directly from the account's password hash and are far cheaper to crack than AES-encrypted ones. The attack is substantially harder when the targeted service accounts have long passwords of at least 14 characters, but Microsoft does not require that length. Wyden suggested that the company has repeatedly failed to inform customers about key cybersecurity best practices.
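The two conditions the letter describes, RC4 still being accepted for service accounts and password policies allowing fewer than 14 characters, can be checked from an Active Directory domain. The following audit script is an added example written for this article; it is not code from the article, from Wyden's letter, or from Microsoft. It assumes the RSAT ActiveDirectory PowerShell module is installed, that the session runs as a domain user with read access to the directory, and that switching a flagged account to AES-only is acceptable in your environment (the `-Remediate` switch and the `$MinimumLength` parameter are the script's own names).

```powershell
# Added example: audit AD for Kerberoasting exposure as described in the article.
# Assumes the RSAT ActiveDirectory module and a domain-joined session with
# read access. -Remediate switches flagged accounts to AES-only; pilot it first.
[CmdletBinding()]
param(
    [switch]$Remediate,
    [int]$MinimumLength = 14   # password length threshold cited in the article
)
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute (Microsoft-documented).
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

# Kerberoasting targets accounts that carry a Service Principal Name, because any
# domain user may request a service ticket for them. krbtgt is excluded: its
# encryption types are governed by the KDC, not by this attribute.
$spnAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }

$findings = foreach ($acct in $spnAccounts) {
    $etypes = [int]($acct.'msDS-SupportedEncryptionTypes')   # $null becomes 0

    # An unset (0) value means the domain default applies, which on domains that
    # predate the November 2022 updates is RC4 only; treat it as RC4-capable.
    $rc4Allowed = ($etypes -eq 0) -or (($etypes -band $RC4) -ne 0)
    $aesAllowed = (($etypes -band ($AES128 -bor $AES256)) -ne 0)

    if ($rc4Allowed -and -not $aesAllowed) { $risk = 'High' }
    elseif ($rc4Allowed)                   { $risk = 'Medium' }
    else                                   { $risk = 'Low' }

    [pscustomobject]@{
        Account         = $acct.SamAccountName
        EncryptionTypes = ('0x{0:X}' -f $etypes)
        RC4Allowed      = $rc4Allowed
        AESAllowed      = $aesAllowed
        PasswordLastSet = $acct.PasswordLastSet
        SPNCount        = @($acct.ServicePrincipalName).Count
        Risk            = $risk
    }
}

$findings | Sort-Object Risk, Account | Format-Table -AutoSize

# Password length itself cannot be read from AD, but the policies that enforce
# it can: check the domain default and every fine-grained policy that overrides it.
$default = Get-ADDefaultDomainPasswordPolicy
if ($default.MinPasswordLength -lt $MinimumLength) {
    Write-Warning ('Default domain policy allows {0}-character passwords (threshold {1}).' -f $default.MinPasswordLength, $MinimumLength)
}
Get-ADFineGrainedPasswordPolicy -Filter * |
    Where-Object { $_.MinPasswordLength -lt $MinimumLength } |
    ForEach-Object {
        Write-Warning ("Fine-grained policy '{0}' allows {1}-character passwords." -f $_.Name, $_.MinPasswordLength)
    }

# Optional remediation: permit only AES on the flagged accounts. An account whose
# password was last set before the domain supported AES has no AES keys stored,
# so reset its password afterwards or the service will stop authenticating.
if ($Remediate) {
    $findings | Where-Object RC4Allowed | ForEach-Object {
        Set-ADUser -Identity $_.Account -KerberosEncryptionType AES128, AES256
        Write-Host "Set $($_.Account) to AES-only; reset its password if it predates AES support."
    }
}
```

Run it read-only first and review the `High` rows, which are accounts that can only be issued RC4 tickets and are the cheapest Kerberoasting targets; then raise the password length on the service accounts and enable AES before removing RC4, since an application that cannot negotiate AES will fail rather than fall back.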

"There is one company benefiting from this status quo: Microsoft itself. Instead of delivering secure software to its customers, Microsoft has built a multibillion dollar secondary business selling cybersecurity add-on services to those organizations that can afford it," the letter continued.

"At this point, Microsoft has become like an arsonist selling firefighting services to their victims. And yet government agencies, companies, and nonprofits like Ascension have no choice but to continue to use the company's software, even after they are hacked, because of Microsoft's near-monopoly over enterprise IT."

With this in mind, Wyden urged the FTC to look into Microsoft's practices and hold it accountable for a "culture of negligent cybersecurity."

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
