UNH · CIK 731766
What UnitedHealth Group Incorporated told the SEC could break it.
UnitedHealth's flagged risks are the systemic ones of a healthcare and insurance giant. Its businesses operate under comprehensive and discretionary U.S. federal, state and international regulation — HIPAA, anti-kickback and false-claims laws, DEA/FDA and pharmacy-board oversight of Optum Rx, even Utah banking rules for Optum Bank — where agencies can issue and enforce rules that materially affect operations. Because it processes, stores and transmits vast amounts of protected personal and health information, it is regularly targeted by cyberattacks and has been subject to IT-system compromises; and through its risk-based products, where it assumes members' medical costs for fixed premiums, its profitability hinges on predicting, pricing and managing those medical costs.
3 self-disclosed vulnerabilities, pulled from its own filings — each in the company’s words, with the source. This is the risk register almost nobody reads.
In its own words
What could break it.
Regulatory & policy
- comprehensive U.S. federal/state and international healthcare regulationhigh
UnitedHealth's businesses are subject to comprehensive and discretionary U.S. federal, state and international laws and regulations (HIPAA, anti-kickback, false claims, DEA/FDA/Boards of Pharmacy for Optum Rx, Utah banking regulation for Optum Bank), where agencies can issue and enforce rules that materially affect operations.
“Our businesses are subject to comprehensive U.S. federal and state and international laws and regulations. We are regulated by government agencies, which generally have discretion to issue regulations and interpret and enforce laws and regulations.”
SEC filing →As of 2026
Cybersecurity
- frequent cyberattacks on systems holding protected personal/health informationmedium
UnitedHealth processes, stores and transmits large volumes of protected personal information (some outside the U.S.) and is regularly the target of attempted cyberattacks, having previously been and potentially in future subject to IT-system compromises.
“We are regularly the target of attempted cyberattacks and other security threats and have previously been, and may in the future be, subject to compromises of the information technology syst”
SEC filing →As of 2026
Other disclosures
- medical-cost prediction and pricing risk on risk-based benefit productslow
Through its risk-based benefit products, UnitedHealth assumes the risk of members' medical and administrative costs for fixed monthly premiums; profitability depends heavily on its ability to predict, price for and manage medical costs.
“Through our risk-based benefit products, we assume the risk of both medical and administrative costs for our customers in return for monthly premiums. The profitability of our products depends in large part on our ability to predict and effectively price for and manage medical costs.”
SEC filing →As of 2026
The hidden graph
Who it depends on, and who depends on it.
Relationships surfaced from filings — including ones disclosed by the other side, which is how the non-obvious ones come to light.
Its suppliers
“Caremark 44 % 39 % Accredo 37 % 41 % Optum 19 % 20 %”
Cited →“For the twelve months ended December 31, 2025, 2024, and 2023, the primary health plan partners that we served were United, Humana, Elevance, Aetna and Centene.”
Cited →“For the year ended June 30, 2025, three insurance carrier customers accounted for 37 % (UHC), 15 % (Aetna), and 11 % (Humana) of total revenue.”
Cited →“Carriers representing 10% or more of our total revenue are summarized as follows. The majority of the revenue was from the Medicare segment. Year Ended December 31, 2025 2024 Humana 35 % 24 % UnitedHealthcare (1) 23 % 22 % Aetna (1) 5 % 18 %”
Cited →“Two payors individually exceeded 10% of our total revenue for the year ended December 31, 2025: UnitedHealthcare and Elevance Health, Inc., comprising 14% and 15% of our total revenue, respectively.”
Cited →
In the MyPRIA app, this is checked against the companies you actually own.
← World Watch