Ramstad: Hacking episode shows UnitedHealth has become too big to fail

UnitedHealth’s size and multiple roles in health care made hospitals and clinics across the country vulnerable to a cyber criminal.

The Minnesota Star Tribune
March 15, 2024 at 10:02AM
GLEN STUBBE * gstubbe@startribune.com Thursday, October 4, 2007 -- Minnetonka, Minn. -- UnitedHealth Group Headquarters in Minnetonka, Minn.
UnitedHealth Group's business model of expanding into so many aspects of health care is being tested by government antitrust officials and public views that health care is a right. File photo of the company's Minnetonka headquarters. (Glen Stubbe/The Minnesota Star Tribune)

Every developed country provides health insurance except the United States. We’ve left that to the free market and it has produced UnitedHealth Group, which has leveraged its position as the nation’s largest health insurer to create or buy businesses in almost every part of the health care system.

In the last three weeks, we’ve seen how the Minnetonka-based company’s immense size made it and thousands of companies that do business with it vulnerable to cyber criminals. It’s a moment that exposes the tension between UnitedHealth’s pursuit of efficiency and the country’s need for a resilient health care system.

Investors care about efficiency, and UnitedHealth’s 400,000 employees deliver. The company’s nearly $500 billion market capitalization — or, its value — is five times greater than a decade ago. Yet like the biggest banks and utilities, UnitedHealth has also become too big to fail, or more precisely too big for America to accept failure from it.

By examining that tension and raising questions about UnitedHealth, I don’t want to in any way diminish the criminality of the hackers, a group called ALPHV/Blackcat that seeks ransom payments.

For more than two years, the group has terrorized and blackmailed dozens of companies in Europe and the U.S., including MGM Entertainment, Reddit and the fashion house Moncler. The State Department is offering a $10 million reward for information about its leaders.

On Feb. 21, the group brought down the key systems at Change Healthcare, a company that UnitedHealth purchased in 2022. Change is a middleman in health care, the largest operator of an electronic crossroads between providers like doctors and payers like insurers.

The company also reviews claims on behalf of providers, helping them verify a patient’s coverage. And it helps hospitals and clinics keep track of services so the right doctors, therapists and other care providers are paid for them.

All of those services were disrupted by the Blackcat attack. UnitedHealth scrambled to stand up new systems to take on the transactions Change normally processed.

As days turned to weeks, the effect spiraled far beyond Change and UnitedHealth and resulted in huge disruptions of cash flow throughout the health care industry. Clinics that rely on payments from insurers weren’t getting the money, leading them to reduce or suspend paychecks to doctors or therapists. Pharmacies stopped filling prescriptions or asked for out-of-pocket payments because they couldn’t be reimbursed by insurers.

“This is like the Visa network going down,” said Ben Jolley, a senior fellow at the American Economic Liberties Project, an antitrust activist group in Washington. “The difference here is there is no alternative method for a lot of these practitioners. There’s no MasterCard to switch to, or it’s not as easy as just swiping the MasterCard instead of the Visa.”

He added that a government data standard to transact claims “basically requires medical practices to choose one clearinghouse.” Since the cyberattack, his organization and others also urged a review of federal health transaction compliance requirements.

UnitedHealth late Wednesday announced Change’s pharmacy network was back online. It aims to bring up the claims system in phases starting Monday.

The American Hospital Association last week called Blackcat’s takedown of Change’s systems the “most significant and consequential incident of its kind against the U.S. health care system in history” and called for a “whole of government” response.

This week, UnitedHealth CEO Andrew Witty went to Washington to meet senior Biden administration officials to discuss its response. On Wednesday, the Department of Health and Human Services said it would investigate the breach and signaled UnitedHealth and Change are in the bull’s-eye.

Two weeks earlier, reports surfaced that the Justice Department had initiated an antitrust investigation into UnitedHealth. Critics like Jolley want the government to break apart companies like UnitedHealth and CVS that provide both insurance and health care services.

To close its purchase of Change, UnitedHealth had to withstand one of the more vigorous antitrust challenges mounted during the Biden presidency. The company sold one of Change’s businesses to satisfy the government’s claim that the purchase was anticompetitive. It won a fight in federal court on the government’s criticism that UnitedHealth’s Optum subsidiary would gain access from Change to the data of competitors of UnitedHealth’s insurance business.

Thirty years ago, UnitedHealth was already in the pantheon of large Minnesota companies and, at around $5 billion in annual revenue, was the same size as General Mills and Best Buy. 3M, Target and Cargill were larger.

Today, UnitedHealth dwarfs them all. Its $371 billion revenue last year made it nearly 20 times bigger than General Mills and 10 times Best Buy. Nationally, only Walmart, Amazon, Berkshire Hathaway and Apple are larger by revenue.

Those four companies have also faced government scrutiny as they grew larger. UnitedHealth, however, is on a different plane. Its work is in health care, which many people regard as a fundamental right and which so many other countries deliver via the public sector with better outcomes and lower costs.

UnitedHealth’s business model is like a rubber band that’s being stretched wider and wider.

about the writer

about the writer

Evan Ramstad

Columnist

Evan Ramstad is a Star Tribune business columnist.

See More