You don’t have to be an expert on the American healthcare system to know the name UnitedHealth Group (UHG). The company, which controls 15% of the American insurance market and is the largest private insurer in the country, has become primetime news after the murder of its erstwhile CEO, its financial woes, and most recently, a possible investigation for Medicare fraud. Given these developments, it is important to recognize that United, and its dominance over the American healthcare system, stretches far beyond insurance – a fact that came into jarring focus back in February 2024, when United subsidiary Change Healthcare became the target of a cyberattack.

Change Healthcare is a clearinghouse, i.e. a middleman between providers and payers that helps expedite claims processing between the two. Many states’ entire Medicaid systems rely on Change, which processes over 50% of all medical claims in the country. For context, that equals a whopping 15 billion claims. By any definition, Change Healthcare is a dominant player, if not a monopolist. UHG acquired Change in 2021 for $13 billion, a deal that the Department of Justice (DOJ) tried, and unfortunately failed, to block. The DOJ brought up both vertical and horizontal integration concerns, arguing that the merger would combine two claims-editing businesses to give UHG a near-monopoly in the claims clearinghouse space. Their case was shot down, but ironically, this concern resurfaced in the wake of the breach and, unfortunately, continues to be salient more than a year later.

While worries about healthcare consolidation, particularly in relation to UnitedHealth, are not new or in short supply, Change Healthcare is a unique case study of UHG’s unchecked market power since the business is more upstream and not directly responsible for administering care to patients.

Unfortunately, that upstream status did not stymie the impact of the breach. The hackers exfiltrated six terabytes of data; as a result, the medical records and data of 190 million Americans were exposed. More importantly, thousands of small medical practices, providers, and payers that relied on Change were left crippled, nonoperational, and, as a result, unable to meet payroll. Many of these organizations had not realized the degree of their dependence on Change, as noted by Karen Habercross, the Chief Privacy Officer at UChicago Medicine: “We did a risk assessment on Change Healthcare and we still didn’t realize how exposed we were to them.” This dependence was deliberate and another feature of the Change business model. Aside from being one of the few players in the consolidated clearinghouse market, the company also had exclusivity contracts in place with about a third of its clients, which meant that other clearinghouses were prevented from connecting to the payers that only accepted claims through Change. Thus, many payers had no backup payment systems once Change went down, which meant providers had no cash flow either.

In other words, the post-merger Change Healthcare was the perfect, centralized target for malicious actors looking to disrupt the breadth of the American healthcare system. They successfully exploited the singular, monopolistic lynchpin that held the fabric together.

Of course, health systems have learnt from this disaster. Many medical practices have begun to diversify vendors and sign deals with multiple service providers in the wake of the attack. Change has implemented better cybersecurity practices.

So, now that things are relatively stable and vendors are more cognizant of derisking away from too-big-to-fail platforms, some might ask: do we need to worry as much about the harms of consolidation in this back-end, admin-heavy space? Regrettably, Change and UHG’s recent actions would suggest that the answer is yes. Case in point: their aggressive push to recover loans to affected providers. In the wake of the attack, United extended no-interest loans to cash-strapped providers to help tide them over until normal operations were restored. Understandably, it has taken many providers, particularly small physician practices, longer than expected to get back on their feet and meet the filing deadlines imposed by UHG. In response, the company has now started to send out letters asking for full repayment or “risk reimbursement for claims being withheld,” a threat that has already materialized for some practices. In a way, the ability to issue this ultimatum is also a function of Change Healthcare’s scale: even though providers’ financial troubles are a direct consequence of the breach, their reliance on the platform allows Change to employ aggressive repayment tactics and backtrack on its own promise that providers would not have to pay until they felt they were financially stable.

Despite the continued harms caused by this breach, I recognize that it is unlikely that there will be a move to reverse the Change-UHG merger or rein in its effects, particularly given the antitrust attitude of the new FTC. Rather, the learning from this incident – that the scope and magnitude of the cyber-attack were heightened because of Change’s monopolistic position – should encourage us to take a wider view of healthcare consolidation and its ill-effects in the future. The existence of hyper-scaled entities like UHG in critical industries like healthcare not only lends itself to anticompetitive behavior by the platforms themselves but also creates incentives – and pathways – for malicious actors, who can attack a single, centralized point of failure and bring the whole system down, like a row of dominoes. Except in this case, the cascade is punctuated by delays in urgent cancer care, unfulfilled prescriptions, and human suffering.