Fresh off being featured in Beyond The Firewall for the Medicare breach disclosure, I went looking for a new breach to analyze. I can’t say I’m surprised, but once again we find ourselves in the healthcare industry. And once again it is a subsidiary of UnitedHealth Group (UHG) that has fallen victim to a cybersecurity incident that exposed the personally identifiable information (PII) of millions of customers.
In 2024, another UHG subsidiary was breached in a much more high-profile incident that received far more media attention. More on that later.
The Disclosure: Timing and Gaps
The disclosure itself offers little to analyze beyond the timeline and the notification process.
“On February 6, 2025, we found unusual activity in our computer systems. We quickly took steps to stop the activity. We began investigating right away and hired a special team to help us. We also called law enforcement. We turned off our computer systems to help protect our customers and their patients and members. We learned that a criminal was able to see and take copies of some data in our computer systems. This happened between January 27, 2025 and February 6, 2025. To date, we are not aware of any misuse of the data.
What Information Was Involved: On April 23, 2025, we began informing customers about what specific data may have been involved. The data that may have been seen and taken was not the same for everyone and includes contact information (such as name, address, phone number, and email), plus one or more of the following:
• Health insurance data (such as health plans or policies, insurance companies, member or group ID numbers, and Medicaid, Medicare, or government payor ID numbers)
• Health data (such as medical record numbers, doctors, diagnoses, medicines, test results, images, care, and treatment)
• Other personal data such as date of birth”
On February 6, UHG claims it identified and contained the breach. Over two months later, in April, it began informing affected customers. Yet it was not until this past week, nearly six months later, that the company made the breach public by filing disclosures with the states of Vermont and California. Further research suggests that other states may have received notifications as well.
Why No SEC Filing This Time?
During the 2024 breach, UHG filed an 8-K with the SEC. This time, however, they only notified individual states. Why did they consider the 2024 breach significant enough to report to the SEC but not this 2025 incident, which involved data loss affecting 5.4 million patients?
The only plausible answer is that they did not believe it was “material.”
The SEC requires an 8-K filing for material cybersecurity events. To be fair to UHG, the rules around cybersecurity disclosures on Form 8-K are still new and vague. Some have even argued that these requirements should be eliminated or culled. Notably, UHG even tried to walk back the materiality of the 2024 breach, despite the fact that it disrupted insurance payments and operations for weeks.
What Does “Material” Really Mean?
At its core, materiality means that investors need to know about an event because it impacts the company’s bottom line.
In the 2024 incident, UHG experienced widespread disruption. Systems were down and insurance payments were not being processed. That clearly affected operations and investor confidence.
But the 2025 incident? They “only” lost the personal information of 5.4 million patients.
No big deal, right?
We Still Have a Long Way to Go. How Do We Fix Disclosures?
Cybersecurity disclosures remain inadequate, not just in healthcare but across all industries. Accountability and transparency are still sorely lacking.
Only requiring disclosures when an incident threatens the stock price is not the right approach. For starters, only publicly traded companies fall under these disclosure requirements. Private companies are only required to notify states in the way UHG did for this breach. Don’t even get me started on small businesses and independent contractors, many of whom possess very sensitive data. I’m looking at you, attorneys and real estate agents.
I am not calling for heavy-handed regulation, and I respect the privacy of businesses. Disclosing every single incident across the board is neither reasonable nor feasible.
The Question Is: Do You Really Care?
Looking back, the uproar from the 2024 UHG incident was not because personal information was lost. It was because insurance payments were not being made. Yet we know that data for more than 100 million users was stolen.
If it had only been data for 100 million users, would it even have made the news outside of cybersecurity circles? Probably not.
That tells me that, as a whole, we have become numb to our personal data being stolen.
It does not have to be this way. But it will continue if we do not demand more accountability when handing over our data.