[Material-Incidents] No. 6

UnitedHealth Group files an update

Hey Everyone,

This week, we’ll be following a slightly different format. Rather than diving into general trends and analysis of SEC filings, we’ll be looking specifically at the recent 8-K/A that was filed by UnitedHealth Group. This is the second addendum filed since their incident began back in February and the first filing update since early March. The filing was short and contained a link to a company press release:

Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America. To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.

The update, although vague on specific numbers, paints a clear picture: many, if not the majority, of Americans have been impacted by this breach. This official press release gives some credence to statements from the cybercrime group ‘Black Cat’, who claimed responsibility and alleged they’d stolen 6TB worth of data from Change Healthcare’s network. The company also confirmed a ransom was paid as “part of the company’s commitment to do all it could to protect patient data from disclosure”. This ransom ($22M BTC) was discussed in the first Material-Incidents newsletter (here). The company has since set up a dedicated site (http://changecybersupport.com) and call center to offer free credit monitoring and identity theft protections. Not a huge concession for the 55% of Americans who already monitor their credit…

This addendum confirms what was already suspected by many news organizations and security professionals: a massive breach. The filing mentioned that it will likely take several months of continued analysis before enough information is gleaned to identify and notify impacted customers and individuals. This incident and subsequent investigation are estimated to cost up to $1.6 Billion in 2024 alone for UnitedHealth. With the estimated damages and the ‘substantial proportion of people in America’ descriptor, this will likely be one of the largest healthcare sector security breaches ever reported.

One thing missing from the filing was an update or determination on whether this incident would have a material impact on UnitedHealth. The company reported over $370 Billion in Revenue in 2023 with over $22 Billion in profits. The projected cost would be around 7% of last year’s profits. Losing 7% of annual profits from one incident feels pretty material to me…

Thanks for reading,
Matt