The recent cyberattack on UnitedHealth Group’s subsidiary Change Healthcare has brought about a slew of governance questions and concerns as the company prepares for Congressional hearings. This attack, which occurred in February, targeted the data clearinghouse that serves a significant portion of U.S. medical providers, affecting over 131 million patients and nearly 67,000 pharmacies. The American Hospital Association has labeled this cyberattack as the most serious incident of its kind against a U.S. healthcare organization, with 94% of hospitals experiencing adverse financial impacts as a result of the breach.
The financial toll on UnitedHealth from the cyberattack has been staggering, with an estimated cost of $870 million in the first quarter of 2024. CFO John Rex believes the full year costs could reach up to $1.6 billion, but independent estimates from Safe Security suggest that the actual financial impact could be much higher. The FAIR Materiality Assessment Model used by Safe Security highlights the hidden costs that may not have been accounted for in UnitedHealth’s initial disclosures, raising concerns about the accuracy of their financial assessments.
Safe Security’s research has identified potential liabilities that were not included in UnitedHealth’s disclosures, such as customer support costs, class action settlements, business interruption liabilities, fines for HIPAA violations, state fines, medical malpractice lawsuits, federal fines and penalties, and more. These hidden costs could significantly impact UnitedHealth’s financial outlook and highlight the need for a comprehensive understanding of cyber risk and its potential consequences.
The fallout from the cyberattack may also impact UnitedHealth’s ongoing operations, including potential divestitures mandated by the Department of Justice and increased regulatory scrutiny from the Securities and Exchange Commission. The company’s response to the breach and their ability to address the hidden costs and liabilities will be closely examined by regulators, investors, and the public, as the implications of the attack reverberate throughout the healthcare industry.
Safe Security’s CEO Saket Modi emphasizes the importance of adopting a robust cyber risk management framework to proactively safeguard shareholder value and mitigate potential financial losses. He argues that a comprehensive methodology for measuring risk exposure is crucial for boards and c-suites to understand the impact of cyber risk on their business and make informed decisions about risk mitigation strategies. The UnitedHealth cyberattack serves as a stark reminder of the need for companies to take cybersecurity seriously and invest in measures to protect against potential breaches.
As UnitedHealth’s executives face mounting questions and challenges in the aftermath of the cyberattack, the true extent of the breach’s impact will become clearer. The company’s response to the attack, the accuracy of their financial disclosures, and their ability to address the hidden costs and liabilities will ultimately determine how they navigate the fallout from the breach. The incident serves as a cautionary tale for corporate leaders about the importance of understanding and managing cyber risk to protect shareholder value and ensure the long-term sustainability of their business.
