UnitedHealth’s Big Cyber Compliance Mess
UnitedHealth filed its latest quarterly earnings report today, complete with an update on the staggering costs of a ransomware attack the healthcare giant suffered earlier this year — and if anyone needs a fresh example of how cyber attacks can tie your company into compliance knots, pull up a chair.
The attack itself happened in February. Hackers penetrated the defenses of Change Healthcare, a subsidiary that UnitedHealth acquired in 2022, and held the system for ransom. Since Change Healthcare processes billing and insurance claims for a large swath of the healthcare industry, that left pharmacies and hospitals across the United States unable to fill prescriptions, book procedures, and otherwise operate as normal. The attackers also absconded with the personal data of “a substantial portion of people in America,” UnitedHealth executives said in April. At least some of that data subsequently showed up on the dark web.
In other words, this attack was a big mess, one that UnitedHealth has been cleaning up ever since. Now, with its Q2 earnings release posted today, we have a better sense of the cost.
In the second quarter of this year alone, the attack cost UnitedHealth an estimated $853.7 million (that is, $0.92 per share) in lost revenue, emergency IT measures, higher medical care costs, and other expenses. The company expects its total costs to be $2.3 billion to $2.45 billion for all of 2024. (Elsewhere in the release UnitedHealth says second-quarter “unfavorable cyberattack effects” were $1.1 billion.)
To put those numbers in perspective, UnitedHealth reported net earnings of $4.42 billion for the quarter, or $4.54 EPS. If the Change Healthcare attack had never happened, and the subsequent $853.7 million in costs were never incurred, net income would have been $5.27 billion. The attack drove UnitedHealth’s earnings down 16.2 percent.
That’s obviously material. So what is the Securities and Exchange Commission going to do about it?
First, Disclosure Obligations
We can begin with the SEC rule enacted last year requiring companies to disclose “material cybersecurity incidents” within four days of deciding an incident is indeed material.
UnitedHealth is on solid ground here. The company first noticed the attack on Feb. 21, 2024, and filed a disclosure with the SEC the following day. That first disclosure didn’t say much, but the attack was new, and the company did fulfill its duty to warn investors that a potentially big cyber storm was on its way.
Then came an updated disclosure on March 7, which gave a bit more detail on the damage of the attack and the steps UnitedHealth was taking to maintain patient care. Next was the company’s first-quarter earnings report on April 16, which included estimates of higher expenses and lost revenue that UnitedHealth had incurred by that date.
All the above is in step with the SEC’s cyber incident disclosure rules. Specifically, the adopting release says, companies must “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”
That all tracks with what UnitedHealth has disclosed so far. Plus, the company had an easy time deciding whether the attack was material because the attack so obviously was material. When your cyber incident is national news, with surgery patients unable to have their procedures and pharmacies unable to process prescriptions, that’s material.
So I don’t expect the SEC to fault UnitedHealth on its disclosure obligations for the ransomware attack.
On the other hand, we also have SEC rules about effective internal accounting controls. This is where it gets interesting.
Internal Accounting Controls for Cyber
As we ponder this UnitedHealth incident, we need to remember that the SEC just sanctioned RR Donnelley $2.1 million for poor management of a cyber attack Donnelley suffered in 2021. The agency specifically faulted Donnelley for having poor internal accounting controls, which had allowed attackers to take control of Donnelley IT equipment and copy customer data for sale on the dark web.
Well, if the SEC applied that theory of enforcement against Donnelley, shouldn’t that same theory now be applied against UnitedHealth?
At this point we should discuss exactly how UnitedHealth’s breach happened. Change Healthcare had not implemented multi-factor authentication on a critical computer server, which allowed attackers to use stolen employee credentials to gain access. In other words, UnitedHealth had allowed poor access control on a critical system.
Now go back to the Donnelley enforcement action. The SEC expressly faulted Donnelley for…
failing to devise and maintain a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets — its information technology systems and networks, which contained sensitive business and client data — was permitted only with management’s authorization.
How is what happened at UnitedHealth any different? If anything, UnitedHealth’s breach is even worse, because its failure to implement multi-factor authentication — a cybersecurity 101 precaution — led to a huge breach of personal health information.
To be clear, the SEC has not announced any investigation into UnitedHealth’s breach. But if the SEC wants to be consistent in its enforcement of cybersecurity issues, then shouldn’t its response here be to crawl up UnitedHealth’s butt with a microscope? The company suffered a material loss thanks to the absence of an elementary cybersecurity control. How did that happen?
More UnitedHealth Questions
Indeed, in UnitedHealth’s 2023 annual report, filed the very same week that the ransomware attack happened, the company had this to say:
We believe our chief digital and technology officer and chief information security officer have the appropriate knowledge and expertise to effectively manage our cybersecurity program… As of December 31, 2023, the company has not identified any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition, but there can be no assurance that any such risk will not materially affect the company in the future.
OK, that turned out to be wrong. So who was in charge of implementing UnitedHealth’s IT general controls? Who performed due diligence when UnitedHealth was acquiring Change Healthcare in 2022?
UnitedHealth CEO Andrew Witty testified about the attack before Congress at the end of April. He said: “Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition. But for some reason, which we continue to investigate, this particular server did not have MFA on it.”
So did UnitedHealth perform a flawed assessment of Change Healthcare’s IT risks, and miss the MFA gap? Did UnitedHealth not have a sufficiently strong change management and GRC system to keep necessary IT improvements moving along at a steady clip?
Plus, if the SEC now says that poor access controls are a reflection of poor internal accounting controls (which is exactly what the SEC said in the RR Donnelley enforcement), then how did United Health’s auditor, Deloitte and Touche, give the company a clean opinion on its internal control over financial reporting? Shouldn’t Deloitte get the microscope treatment too?
So many questions. And if you’re a public company that suffers a cyber attack, you’ll need to be ready to answer them.