# UnitedHealth Group: Unable or Unwilling to Disclose Materiality of Cyber Attack?

Published by Joe Breen

Following an attack targeting UnitedHealth Group’s digital claims processing, many Americans are facing an incredibly tough decision: pay full price for prescriptions or go without them. The cyberattack has taken many of UHG’s systems offline, which has wreaked havoc nationwide. Coverage is being rejected as a result, and if insurance companies are not paying out, patients and hospitals are both in trouble. The cost of medical care in the US is so high that the system crumbles without the ability to bill. Small practices and rural hospitals don’t have the luxury of large cash reserves, so weeks without billing can put them in a tough spot.

UHG announced in their initial 8-K on February 22nd that a suspected nation-state actor had accessed information relating to their Change Healthcare subsidiary. As expected, they claimed to have swiftly isolated the threat and said they were unable to determine materiality. An amended 8-K was then filed on March 8th, which stated they had seen interruptions, but closed out by saying:

“As of the date of this Amendment, the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”

As discussed in each blog from this series, materiality boils down to a piece of information’s relevance to investors. Is the event likely to impact the financial or operational performance of the company? For some context into the event, let’s list a few significant facts that have surfaced since day one:

  • Change Healthcare processes 14 billion transactions annually, which would mean an estimated 843 million transactions have occurred through Change Healthcare since the event initially occurred
  • An announcement from Alphv, which was taken down, claimed they had stolen 6 terabytes worth of patient records
  • 6 separate class-action lawsuits have mounted, with more expected to come
  • Blockchain transactions imply UHG may have paid the $22 million ransom

Before I go any further, I’d like to say that any of the points made about materiality are purely opinions. The SEC’s rules are very new, and the concept of assessing the material impacts of cyber events is unprecedented. Based on what we’ve seen so far, I don’t even think the SEC fully knows what these rules are going to look like in terms of enforcement.

To call UHG’s claim that they have not yet assessed the event as even likely to have a material impact confusing would be an understatement. I wouldn’t think much of it if they were vague in claiming material impacts will follow, but to say they haven’t assessed it as likely to be material leaves the impression of deliberate ambiguity.

This is one of those events that is going to put the ability to assess the material impacts of qualitative events to the test. After reading through UnitedHealth Group’s most recent financial statements, it would be quite difficult for this event to meet a material financial threshold. Two numbers I pulled from the 2023 annual report are the company’s cash on hand, as well as their net earnings:

$23.1 billion in net earnings

$25.4 billion in cash & cash equivalents (highly liquid assets)

In testing materiality claims, auditors often use what is referred to as the 5/10% rule, a basic rule of thumb that compares the cost or transaction in question against the company’s net earnings: 0-5% is not material, 5-10% requires further digging, and over 10% is material. This is not a method endorsed by the SEC; it is just a rule of thumb to help.

For UHG, the claim that an event is not material could be defended if looking only through a quantitative lens. With net earnings of $23.1 billion, an event would have to cost $1.27 billion to possibly be material. Through a purely quantitative lens, they might be able to back their claim up…

But this is where the biggest question around materiality is going to be addressed: How much will the SEC require qualitative analysis to be included as well? This event might not hit a financial threshold, but it is still very important to note what this looks like in terms of damage to individuals, businesses, the healthcare industry, and their reputation long term.

Change Healthcare was acquired by UHG in October of 2022 and has brought great earnings growth to the company since. The unwillingness to announce a material impact very well could be an attempt to continue protecting their star performer. The company has only seen a 5% drop in stock price since the event, but that could very well change if they announce the event as having a material impact.

The facts seem to be there to back the event’s material impact, but they are still dancing around claiming it is or is not material. Could it be that they are avoiding making a claim? Or are they unable to assess during the chaos of the incident response period? Running proactive cyber risk quantification (CRQ) can give you a clear picture of what the impacts of an event might be before it even happens.

