How Big is Too Big? Reflections on the Recent UnitedHealth Group, Change Healthcare Cyberattack

By Courtney Burke

The Rockefeller Institute’s January 2024 blog and subsequent podcast on the mega-trend to watch in healthcare in 2024 cited UnitedHealth Group’s (UHG) $13 billion acquisition of Change Healthcare as one of the most important recent developments in the healthcare sector. Just a month later, this partnership became one of the most well-known in healthcare when Change Healthcare, and UHG’s subsidiary arm known as Optum, became the victim of a significant cyberattack. What the recent cyberattack has illuminated is how expansive UHG/Optum’s reach has become in the healthcare sector. Understanding the size and scope of entities in healthcare is important to healthcare policy as a whole given the considerable amount of consolidation that has been occurring in the sector.

Our January 2024 blog on mega-trends and two previous blogs on trends in healthcare pointed out that UHG employs nearly 90,000 physicians and has total annual revenues of $324 billion. UHG is made up of two more widely recognized components: their health insurance and health programs arm called United; and Optum, which is primarily known for what they do as a Pharmacy Benefit Manager (PBM), called Optum Rx. Less well-known was the extent of data analytics UHG/Optum provides—some through their company called Optum Insight and additional analytics and processing platform services through their acquisition of Change Healthcare. The acquisition of Change Healthcare expanded UHG/Optum’s ability to provide products and platforms intended to improve efficiency in healthcare. Change Healthcare notes on its website that its products and platforms touch nearly 1 in 3 patients and are responsible for the completion of an estimated 15 billion transactions in healthcare. Said another way, one expert in the field noted that the company “touches nearly every hospital in the US.”

When the cyberattack occurred on February 21, 2024, the reach of Change Healthcare became more visible as hospitals, pharmacies, and medical practices across the country experienced serious problems. These impacts affected the management of pharmacy products, caused significant delays in access to payments for services, heightened security concerns regarding patient data, and delayed processing claims and billing insurance. It has also been reported that the attackers claimed Change Healthcare paid them at least $22 million in cryptocurrency to remediate some of the fallout on health providers and patients from the cyberattack. Cyberattacks are a risk in any industry, but hackers have been targeting healthcare because of the relatively high value of co-opting and holding for ransom people’s personal data.

The fallout from the cyberattack on UHG/Optum is large enough that the American Hospital Association (AHA) and the American Medical Association (AMA) sought intervention from the federal government to address resulting concerns with cash flow. The federal government responded by requiring some entities to expedite claims for electronic data interchange (EDI) enrollments and to accept paper claims from providers. The AHA has stated that they believe more action is needed by the federal government, however, to properly and more fully respond to the cyber incident, such as issuing guidance to all payers on making advanced or interim payments to providers.

… the end goal of policymakers should be to determine whether such consolidation is improving or hampering health outcomes for patients.

Although the healthcare industry and regulators are still in the midst of remediating the situation, this kind of incident leads one to ask how can such an occurrence be prevented in the future. Cyber security is already a high priority in healthcare, but clearly, there is room for more and better protection. In addition to shoring up cyber security, it is also worth understanding how much of the healthcare industry relies on so few entities for critical services, such as filling prescriptions or processing claims, and the added risk from having these different services consolidated within a firm.

This month, the Federal Trade Commission launched an investigation into UnitedHealth Group. Going forward, questions for policymakers include how to create transparency as to who and what is behind critical parts of the healthcare delivery system, such as physician services, pharmacy benefits, or insurance transactions—services exposed in the recent cyberattack on UHG/Optum. Another question for policymakers is whether there has been too much, too little, or an appropriate amount of consolidation in the healthcare sector. Regardless of the answer to these questions, the end goal of policymakers should be to determine whether such consolidation is improving or hampering health outcomes for patients.

As we noted in our blog on the ten healthcare trends to watch in 2023, consolidation and vertical and horizontal integration can have both benefits and drawbacks, and these consolidations clearly are continuing to occur across the health sector with not a lot of evaluation on those potential outcomes. Certain types of market consolidation may be more or less risky, or more or less beneficial than others. The recent Change Healthcare incident should be instructive for policymakers as they assess how to prevent negative impacts from consolidation in the future.


Courtney Burke is senior fellow for health policy at the Rockefeller Institute of Government.