Historically companies have wanted to avoid a cybersecurity incident, but a new type of integrated business model makes such incidents not simply welcome, but profitable.
You’ve probably always thought of a cybersecurity breach as a bad thing. Someone takes your data, or your customers’ data, or simply shuts down your operations. That’s bad, right? It is if you’re in the business of making money by selling a product or service of value. But take off your ethical blinders for a moment and I’m going to introduce you to a whole new class of business strategy.
In The Art of War, Sun Tzu, wrote, “When your army has crossed the border, you should burn your boats and bridges, in order to make it clear to everybody that you have no hankering after home.” In other words, removing options can be a motivating factor for the outcome you want. This is a common technique in negotiations, too; by restricting options other outcomes become more likely. A company may do this, for example, by putting out a press release that they will not consider certain options. Even if it’s legally feasible, the PR has now taken it off the table as a viable option.
In negotiations, we often talk about strengthening your own position. You may create more options than the one you’re currently negotiating so you can walk away if you don’t like the terms at the table. Alternatively, you can weaken your negotiation partner’s position. [Note: I prefer to use the term “negotiation partner” to refer to the counterparty in the negotiation.] The equivalent here is to remove their other options. Again, this can be done through PR (e.g., criticizing a potential alternative deal), or by contractual limitations (e.g., striking your own deal with another company they may be courting and putting in that deal a limitation of that company to engage with your negotiation partner).
What has this got to do with a cyber breach? Let’s step through the looking glass.
You may have heard about the cybersecurity attack on Change Health, part of Optum, Inc. which is owned by UnitedHealth Group (UnitedHealth Group is #10 in the F500 rankings at the time of this writing). The breach happened on February 22nd, 2024. As of the time of this writing of this article (24 days later, on March 17th, 2024) the impact is ongoing. Best case is that their announcement was correct and payments were coming back on line on Friday, March 15th, 2024. I say best case because the article notes, “According to Change Healthcare, work to restore the medical claims network will begin on March 18. However, there is no anticipated date for when systems will be fully restored and functional.”
In other words, payments have been delayed for many weeks and may be delayed for more weeks yet. If you’ve run a small business, and many medical practices and local pharmacies are small businesses, then you know cash flow is key. If vendors stop paying you, you’re in trouble. While many individuals may float their household expenses for a month on credit cards, you can’t do that with a business. The three biggest expenses—rent, payroll, and insurance—typically cannot be paid by credit card. Even if they could, they would likely exceed the credit limit of the card. This is why Biden has pressed UnitedHealth Group to get funds flowing to their clients ASAP.
But what happens if (or rather now that) funds have not been flowing. Their customers, medical practices and pharmacies, run out of cash. They can’t operate. They may lose customers because they can’t provide services, or even go into bankruptcy. Faced with a declining business or bankruptcy, selling the business may seem like the best option, even if it’s a bit of a fire sale.
But who would buy such a business? It would have to be someone with deep pockets to ride out the cash flow issue, someone looking at a long-term consolidation play in medical services.
Coincidentally, UnitedHealth Group employs just that strategy. You can see prior acquisitions here and here. In fact, UnitedHealth Group owns 1 in 10 doctors in the US. And now, thanks to the financial constraints many medical practices are facing, they’re able to pick up yet more practices, in effect taking advantage of the situation they created. (Hat tip to @drglaucomflecken whose Tik Tok video first alerted me to this after a friend recommended it. [Side note: I’m not linking to his account or video since I oppose the use of Tik Tok, but that’s a whole different discussion.])
Now you may be thinking, “But legally, can I ask someone to hack me to gain such an advantage?” I’m not a lawyer, but I suspect the answer is no. But the good news is that without ethics holding you back, there are other ways to gain a similar advantage. Consider the practice of denying medical claims. Because we privatized some of Medicare in 2003 seniors are being denied critical medical care. You might be thinking, “Sure, people may die, but how will this make me money?” By denying these claims from hospitals, particularly rural ones, patients get hurt and medical facilities reduce services or shut down altogether (but the insurance company still gets the premiums). The result is more people die, worse healthcare, and healthcare workers lose jobs. But more profit, so if you're an investor in these companies, yay!
A cybersecurity attack is one way. But really, anytime you can harm your business customers (e.g., denying payments) you can gain an advantage on them. Putting them in financial distress or limiting their options in other ways gives you the upper hand which you can exploit. If people get hurt along the way, well, just consider that upside in your ethics-free calculations.
Optum, Inc. has already been under DOJ antitrust scrutiny. Hopefully these recent actions will fall into scope as well. Unfortunately, in our complex, intertwined world, harm becomes a viable business strategy. It may be proactive harm, like denying claims, or passive harm, like delaying payments, or not restoring service as fast as you should.
The solution is to put up guardrails preventing this. Guardrails, however, are another term for rules and regulations. Inevitably the executives will whine, as they always do, about how there’s too much regulation. But all regulations are there because someone, at some point, crossed a line we thought shouldn’t be crossed. Today that line is buying up distressed practices caused by the Change Health cyberattack and similar types of moral hazard. Tomorrow, they’ll find a new line to cross. Let’s hope someone catches that behavior, too.
It’s critical to learn about corporate culture before you accept a job offer but it can be awkward to raise such questions. Learn what to ask and how to ask it to avoid landing yourself in a bad situation.
Investing just a few hours per year will help you focus and advance in your career.
Groups with a high barrier to entry and high trust are often the most valuable groups to join.