An unimaginable year for UnitedHealth

The year 2024 will be remembered as one full of unprecedented challenges and turmoil for the nation's largest healthcare company. 

From the tragic and targeted killing of UnitedHealthcare CEO Brian Thompson to a crippling cyberattack on subsidiary Change Healthcare, UnitedHealth Group has faced a cascade of crises that affected the entire healthcare industry. These major events, compounded by legal battles and heightened public scrutiny, have exposed systemwide vulnerabilities and sparked a broader reckoning about the role of insurers within healthcare.

"You see so much violence in hospitals and health systems often from people with behavioral health problems," Scott Becker, founder and publisher of Becker's Healthcare, said. "But I have not seen this, and it reminds me of the labor disputes in the early 1900s, where corporate CEOs were targeted by labor in a very aggressive way as those wars between unions and companies got very ugly. It's been a long time since we've seen this type of activism and level of hostility. It's a sad, sad situation."

Adding to the turbulence, the Justice Department is actively investigating the relationship between UnitedHealthcare and Optum, while also suing to block the company's planned $3.3 billion acquisition of home health provider Amedisys. In 2024, UnitedHealth also prevailed against CMS in court over Medicare Advantage star ratings, settled a Labor Department lawsuit alleging improper denial of claims, and agreed to pay $69 million to resolve allegations that it prioritized its relationship with Wells Fargo over its 401(k) plan performance.

Murder of Brian Thompson

The murder of UnitedHealthcare CEO Brian Thompson shocked the healthcare industry and sparked a broader reckoning about the public's perception of health insurers. Mr. Thompson, 50, was fatally shot outside the New York Hilton Midtown on Dec. 4, where UnitedHealth Group was hosting its annual investor conference. 

The gunman, identified as Luigi Mangione, carried out what NYPD Commissioner Jessica Tisch described as a "brazen and targeted attack." The words "deny," "defend," and "depose" were found inscribed on shell casings at the scene.

Mr. Thompson had served as CEO of UnitedHealthcare since 2021. In a statement, his family said they were mourning the loss of a "loving father" and "incredibly generous, talented man," while UnitedHealth Group CEO Andrew Witty described Mr. Thompson as a relentless advocate for improving healthcare. In the week that followed, Mr. Witty penned a New York Times op-ed acknowledging public frustrations with the healthcare system and pledging to build a system "that works better for everyone."

The attack reignited public criticism of the health insurance industry, with many individuals online sharing stories of delayed or denied care. Mr. Witty called for greater transparency in coverage decisions, writing, "We know the health system does not work as well as it should, and we understand people's frustrations with it." 

Police quickly identified Mr. Mangione as the suspect, apprehending him in Pennsylvania five days after the attack. A manifesto recovered during his arrest revealed disdain for corporate America and the healthcare industry, accusing it of prioritizing profits over patient care. Mr. Mangione has pleaded not guilty to state and federal charges, which include murder in furtherance of terrorism and murder through the use of a firearm.

The killing has also spurred heightened security measures across the healthcare industry. Insurers and health systems canceled conferences, moved events online, and increased protections for executives. An HCA Healthcare sign was vandalized in Nashville with the words "Deny," "Defend," and "Depose," while a Florida woman was arrested after threatening a Blue Cross Blue Shield employee with similar language. AHIP, the trade association for insurers, issued a statement condemning the violence, saying, "Those in positions of leadership must condemn violence without qualification or equivocation."

Change Healthcare cyberattack

The February 2024 ransomware attack on UnitedHealth subsidiary Change Healthcare was described as "the worst cyberattack in healthcare history" by the American Hospital Association.

Change, responsible for processing one-third of all U.S. healthcare transactions, was targeted by the ALPHV (BlackCat) ransomware group. The attackers exploited stolen credentials and a lack of multi-factor authentication to infiltrate the company's systems, exfiltrate data, and deploy ransomware. Mr. Witty admitted during congressional hearings that the system was undergoing upgrades to meet modern cybersecurity standards when the attack occurred. "I want to assure the American public, we will not rest, I will not rest, until we fix this," he said at the time. 

The breach left Change Healthcare offline for months, paralyzing claims processing and delaying payments for thousands of providers. Smaller practices were disproportionately affected, with some struggling to pay employees, rent, and medical supply bills. 

"For over four months (and counting), these healthcare practices have received little, if any, reimbursement from insurers for patient visits," a July lawsuit filed by 39 providers said. 

UnitedHealth sought to mitigate the fallout by distributing more than $9 billion in financial assistance through loans and advance payments. In response to the attack, UnitedHealth paid a $22 million ransom in Bitcoin to the hackers, a decision that drew significant industry criticism. 

"This was one of the hardest decisions I’ve ever had to make," Mr. Witty said, adding that the payment was necessary to protect sensitive patient data and restore systems. While the company confirmed that no additional data had been leaked beyond 22 screenshots on the dark web, critics, including lawmakers, questioned the overall response. 

"It shouldn't have taken the worst cyberattack ever in the healthcare sector for an agreement to do this bare minimum," Sen. Ron Wyden said in May, referencing the lack of multi-factor authentication.

The attack also reignited concerns over UnitedHealth's 2022 acquisition of Change Healthcare, a $13 billion deal that faced resistance from the Justice Department and the AHA. Critics argued the merger concentrated excessive power under the UnitedHealth umbrella, giving it unparalleled access to healthcare and financial data. About two months after the attack, Mr. Witty told investors that "I think [it’s] important for the country that we own Change Healthcare," emphasizing UnitedHealth's ability to bring the subsidiary back stronger.

The costs of the breach far exceeded early estimates, with UnitedHealth projecting a $2.87 billion financial impact in 2024, up from an initial $1.6 billion. Mr. Witty admitted the company was "over-optimistic" about how quickly normal operations would resume. By July, Change had restored 80% of its systems.

Since the attack, health system CIOs have emphasized the need for diversified clearinghouse connections and stronger vendor risk management. 

"From what I’ve read and heard, the downstream catastrophic impacts of the attack were a result of Change being responsible for predominately or all of some healthcare organizations' revenue cycle and/or clearinghouse activities," Aaron Weismann, chief information security officer of Radnor Township, Pa.-based Main Line Health, told Becker's in May.

The long-term impact of the breach continues to unfold. As of late 2024, UnitedHealth had issued breach notifications to the nearly 100 million individuals affected.

"The Change Healthcare cyberattack is a wake-up call, like a defibrillator shock to our cybersecurity heart," Muhammad Siddiqui, CIO of Reid Health, told Becker's.


Copyright © 2025 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.

