US Senator Ron Wyden has accused Microsoft of major cybersecurity lapses that allowed hackers to breach a large hospital system last year. The Oregon Democrat is pushing the Federal Trade Commission to probe the tech giant over what he calls gross negligence in protecting critical networks.
Details of the Ascension Ransomware Attack
In May 2024, hackers hit Ascension, one of the biggest nonprofit health systems in the US. The attack disrupted operations at over 140 hospitals across 19 states, forcing staff to switch to paper records and delaying patient care.
The breach started when an employee clicked a bad link from a Bing search, downloading malware that gave attackers a foothold. From there, they used a method called Kerberoasting to crack passwords and spread ransomware. This led to stolen data from more than 5.6 million patients, including medical records and personal details.
Ascension worked to restore systems over weeks, but the incident highlighted risks in healthcare tech. Officials later confirmed the attack came from a group linked to previous ransomware operations.
Experts say such attacks cost the US healthcare sector billions each year. In 2024 alone, ransomware incidents rose by 20 percent, according to industry reports.
Wyden’s Push for FTC Investigation
Wyden sent a letter on September 10, 2025, to FTC Chair Andrew Ferguson, demanding an inquiry into Microsoft’s role. He pointed to outdated encryption like RC4, which Windows uses by default, making systems easy targets for password cracking.
The senator argued that Microsoft’s choices put national security at risk, especially in critical areas like hospitals. He noted that his team found the Ascension hack exploited these flaws, leading to widespread disruption.
Wyden has criticized Microsoft before, linking it to other breaches. He wants the FTC to hold the company accountable and force changes to prevent future attacks.
In his view, Microsoft’s market dominance worsens the problem, as many organizations rely on its software without better options.
This call comes amid growing scrutiny of big tech’s security practices. Lawmakers from both parties have raised alarms about cyber threats to infrastructure.
Microsoft’s Defense and Planned Fixes
Microsoft responded by saying it discourages RC4 use and plans to phase it out. A spokesperson explained that the old encryption handles less than 0.1 percent of traffic, but fully dropping it could break customer systems.
The company aims to disable RC4 in new Active Directory setups starting in 2026. It also released guidance in October 2024 on avoiding Kerberoasting, after Wyden first raised concerns.
Microsoft stressed its ongoing security improvements, including updates after a 2023 report blamed weak practices for a Chinese hacking incident that stole US officials’ emails.
Despite these steps, critics say the fixes are too slow. Wyden claims most users remain vulnerable because updates are not yet rolled out widely.
The tech firm has faced similar heat over other flaws, like a 2025 SharePoint vulnerability that hit over 400 groups, including US nuclear agencies.
Broader Impact on Cybersecurity
Ransomware attacks on hospitals can endanger lives by delaying treatments and exposing sensitive data. The Ascension case suspended surgeries and forced ambulances to reroute patients.
This incident fits a pattern of rising cyber threats. In 2024, healthcare saw over 300 reported breaches, affecting millions.
Key factors making hospitals targets include:
- Outdated software in medical devices
- High value of patient data on black markets
- Limited IT budgets for security upgrades
A table below shows major US healthcare hacks in recent years:
| Year | Organization | Impact | Stolen Data |
|---|---|---|---|
| 2023 | HCA Healthcare | Exposed records of 11 million patients | Names, emails, appointments |
| 2024 | Ascension | Disrupted 140 hospitals, surgeries halted | 5.6 million patient records |
| 2025 | Change Healthcare | Nationwide payment delays | Billing info for one-third of Americans |
These events push for stronger regulations. Experts recommend multi-factor authentication and regular software patches to reduce risks.
Why This Matters for National Security
Wyden warns that Microsoft’s issues threaten more than just hospitals. With its software in government and business networks, flaws could lead to wider attacks on power grids or transport systems.
He tied this to past events, like the 2023 SolarWinds hack that hit federal agencies through Microsoft tools. Such breaches show how one weak link can cause massive fallout.
Industry leaders agree change is needed. Some suggest breaking up tech monopolies to encourage better security competition.
As cyber threats grow, with state actors like China and Russia involved, the US must act fast. Wyden’s letter could spark hearings or new laws on software standards.
Looking Ahead to Potential Changes
The FTC has not commented yet, but past probes into tech firms have led to fines and reforms. If investigated, Microsoft might face pressure to speed up security updates.
This story underscores the need for robust cyber defenses in everyday tech. Hospitals and companies should audit their systems now to avoid similar fates.
Share your thoughts on Microsoft’s security or if you’ve faced cyber issues. Comment below and spread the word to raise awareness.
