UnitedHealth Group (UNH)

If we fail to comply with restrictions on patient privacy and information security, including taking steps to ensure that our business associates who obtain access to sensitive patient information maintain its confidentiality, our reputation and business operations could be materially adversely affected.

The collection, maintenance, use, disclosure and disposal of individually identifiable data by our businesses are regulated at the international, federal and state levels. These laws and rules are subject to change by legislation or administrative or judicial interpretation. Various state laws address the use and disclosure of individually identifiable health data to the extent they are more restrictive than those contained in the privacy and security provisions in the federal GLBA and in HIPAA. HIPAA also requires that we impose privacy and security requirements on our business associates (as such term is defined in the HIPAA regulations). See Item 1, “Business – Government Regulation” for a discussion of various federal and state privacy laws and regulations governing our businesses.

Even though we provide for appropriate protections through our contracts with our business associates, we still have limited control over their actions and practices. Privacy and security requirements regarding personally identifiable information are also imposed on us through controls with our customers. In addition, despite the security measures we have in place to ensure compliance with applicable laws and rules, our facilities and systems, and those of our third party service providers may be vulnerable to security breaches, acts of vandalism or theft, computer viruses, misplaced or lost data, programming and/or human errors or other similar events. Congress and many states are considering new privacy and security requirements that would apply to our business. Compliance with new privacy and security laws, requirements, and new regulations may result in cost increases due to necessary systems changes, new limitations or constraints on our business models, the development of new administrative processes, and the effects of potential noncompliance by our business associates. They also may impose further restrictions on our collection, disclosure and use of patient identifiable data that are housed in one or more of our administrative databases. Noncompliance with any privacy laws or any security breach involving the misappropriation, loss or other unauthorized disclosure of sensitive or confidential member information, whether by us or by one of our vendors, could have a material adverse effect on our business, reputation and results of operations, including: material fines and penalties; compensatory, special, punitive, and statutory damages; consent orders regarding our privacy and security practices; adverse actions against our licenses to do business; and injunctive relief.

21

Table of Contents

If we fail to comply with restrictions on patient privacy and information security, including taking steps to ensure that our business associates who obtain access to sensitive patient information maintain its confidentiality, our reputation and business operations could be materially adversely affected.

The use of individually identifiable data by our businesses is regulated at the international, federal and state levels. These laws and rules are subject to change by legislation or administrative interpretation. Various state laws address the use and disclosure of individually identifiable health data to the extent they are more restrictive than those contained in the privacy and security provisions in the federal Gramm-Leach-Bliley Act and in Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). HIPAA also requires that we impose privacy and security requirements on our business associates (as such term is defined in the HIPAA regulations). Even though we provide for appropriate protections through our contracts with our business associates, we still have limited control over their actions and practices. In addition, despite the security measures we have in place to ensure compliance with applicable laws and rules, our facilities and systems, and those of our third party service providers, may be vulnerable to security breaches, acts of vandalism, computer viruses, misplaced or lost data, programming and/or human errors or other similar events. Compliance with any privacy proposals, requirements, and new regulations may result in cost increases due to necessary systems changes, the development of new administrative processes, and the effects of potential noncompliance by our business associates. They also may impose further restrictions on our use of patient identifiable data that is housed in one or more of our administrative databases. Noncompliance with any privacy laws or any security breach involving the misappropriation, loss or other unauthorized disclosure of sensitive or confidential member information, whether by us or by one of our vendors, could have a material adverse effect on our business, reputation and results of operations.