Please wait
9900 Bren Road East
Minnetonka, MN 55343
June 14, 2024
Via EDGAR Submission and Overnight Delivery
U.S. Securities and Exchange
Commission
Division of Corporation Finance
100 F. Street, N.E.
Washington, D.C. 20549
Attn: Aliya Ishmukhamedova
Suzanne Hayes
Re: UnitedHealth Group Incorporated
Form 8-K filed February 22, 2024
Amendment No. 1 to Form 8-K filed March 08, 2024
Amendment No. 2 to Form 8-K filed April 24, 2024
File No. 001-10864
Dear Ms. Ishmukhamedova and Ms. Hayes:
UnitedHealth Group Incorporated (the “Company”) is responding to the comment of the staff of the Division of Corporation Finance (the “Staff”) of the Securities and Exchange Commission (the “Commission”) as set forth in the Staff’s letter dated June 4, 2024 relating to the above-referenced filings (collectively, the “Form 8-K”) in which the Company has reported matters relating to the cyberattack described therein (the “incident”).
For ease of reference, we have duplicated the Staff’s comment in italics directly above the Company’s response.
Form 8-K filed February 22, 2024. Amendment No. 1 to Form 8-K filed March 08, 2024, Amendment No. 2 to Form 8-K filed April 24, 2024
Item 1.05 Material Cybersecurity Incidents, page 1
1.Please tell us what consideration you gave to filing an amended Form 8-K pursuant to Instruction 2 to provide information about the impact on your business operations, similar to those described on the “Information on the Change Healthcare Cyber Response” webpage. For example, your 8-K does not indicate that some pharmacies have been unable to submit claims, and that providers have not been able to submit claims or receive payment, but that information is described on the website. Please refer to Rule 105 of Regulation S-T regarding the use of hyperlinks. Additionally, we note news reports indicating that pharmacies have been unable to verify insurance status, and as a result customers have had to pay cash or have been unable to obtain prescriptions. When
you file amended Forms 8-K pursuant to Instruction 2 to Item 1.05 of Form 8-K, please expand your disclosure to address the following items:
•expand your discussion to describe the scope of your business operations impacted; and
•describe the known material impact(s) the incident has had and the material impact(s) that are likely to continue.
In considering material impacts, please describe all material impacts. For example, consider customer/partner relationships and potential reputational harm related to the outage of your system, as well as any impact to your financial condition or results of operations. To the extent you become aware of additional reasonably likely material impacts, please confirm you will file an amended Form 8-K to update your disclosure.
Response:
The Company respectfully acknowledges the Staff’s comment. For the reasons described below, the Company does not believe that an additional amendment to the Form 8-K is appropriate at this time.
The Company confirms to the Staff that it has carefully considered the amendment requirements of Instruction 2 as the Company continues its investigation of the incident and its assessment of whether the incident is reasonably likely to have a material impact on the Company, including its financial condition and results of operations. In its materiality assessment, as directed by the Commission in Release No. 33-11216, the Company is considering qualitative factors alongside quantitative factors, including those factors identified in the Staff’s comment. To date the Company has not concluded the cyber incident to be material or reasonably likely to be material. Therefore, the Company’s Form 8-K disclosures have focused on matters deemed to be most significant.
In its comment, the Staff refers to the Company’s consideration of whether to provide disclosure concerning the incident’s impacts on the Company’s business operations, including particularly its pharmacy services, similar to the information provided on the Company’s webpage. In evaluating the application of Instruction 2 to disclosure via an amendment, the Company considered both the information about the impacts it has already disclosed in the Form 8-K and the nature of its communications on the Company’s webpage.
In its two Form 8-K amendments, the Company has provided extensive information describing operational impacts of the incident on key systems affected by the cyberattack. The systems discussed in the amendments include—in addition to medical claims and payment systems—systems relating to pharmacy services. The Company’s filed disclosures specifically discuss matters relating to the incident’s impacts on the functioning of claims submission and payment transmission in the Company’s pharmacy services, as well as the progress of the Company’s efforts to restore the pre-incident functionality of those systems.
The Company also considered the nature of the communications on its webpage in determining that Instruction 2 does not warrant further amending the Form 8-K at this time to disclose additional information about operational impacts similar to those described on the webpage. The Company has been guided in its consideration by the Commission’s statement in Release No. 33‑11216 that a registrant’s communications with customers, business partners and other persons affected by a cybersecurity incident, such as the communications on the Company’s webpage, may be required or appropriate because of the registrant’s contractual commitments or the
mandates of other applicable legal regimes, and that those communications do not necessarily represent a determination by the registrant that the impacts are material for purposes of the federal securities laws.
The Company respectfully confirms to the Staff that it will amend the Form 8-K to update its disclosure in accordance with Instruction 2 if it becomes aware of reasonably likely material impacts required to be reported under Item 1.05.
The undersigned is available to discuss the Staff’s comment and the Company’s response, as needed.
| | | | | | | | | | | | | | |
| | | Sincerely, | |
| | | | |
| | | By: | /s/ Kuai H. Leong |
| | | | |
| | | | Kuai H. Leong |
| | | | Senior Deputy General Counsel and Deputy Corporate Secretary |
cc: Thomas Roos, Senior Vice President and Chief Accounting Officer, UnitedHealth Group
Christopher Zaetta, Executive Vice President, Chief Legal Officer and Corporate Secretary, UnitedHealth Group
Rupert Bondy, Senior Counsel and Executive Vice President, Governance, Compliance and Security, UnitedHealth Group
