Key changes:
- Updated: "Additionally, legislative and regulatory action in the United States at the federal, state and local levels, as well as internationally, is emerging in the areas of AI and automation."
- Updated: "We expect there will continue to be new proposed laws, regulations and industry standards concerning privacy, data protection, information security, and AI/ML and automation in the European Union, UK, Chile, India and other jurisdictions, which may have negative impacts on our businesses or the businesses of our customers."
- Updated: "If HHS alleges or finds noncompliance by us with HIPAA privacy or security requirements, the allegations or findings could damage our reputation and subject us to monetary and other sanctions."
- Updated: "Noncompliance or findings of noncompliance with applicable laws, regulations or requirements, or the occurrence of any privacy or security breach involving the misappropriation, loss or other unauthorized disclosure of protected personal information, whether by us or by one of our third-party service providers, could have an adverse effect on our reputation and business and, among other consequences, could subject us to mandatory disclosure to affected customers and the media, loss of existing or new customers, and significant increases in the cost of managing and remediating privacy or security incidents, and could also result in significant fines, penalties and litigation awards."
- Updated: "We increasingly rely on new and evolving technologies, including those powered by or incorporating AI, as part of our internal operations and in the delivery of our products and services."
Current (2026):
The collection, maintenance, protection, use, transmission, disclosure and disposal of protected personal information are regulated at the federal, state, international and industry levels and addressed in requirements of our customer contracts. Additionally, legislative and regulatory action in the United States at the federal, state and local levels, as well as internationally, is emerging in the areas of AI and automation. These laws, regulations and requirements are subject to frequent and often unpredictable change. Compliance with new privacy, security, technology and data laws, regulations and requirements may result in increased operating costs, and may constrain or require us to alter our business model or operations. Internationally, many of the jurisdictions in which we operate have established their own data security and privacy legal framework with which we or our customers must comply. We expect there will continue to be new proposed laws, regulations and industry standards concerning privacy, data protection, information security, and AI/ML and automation in the European Union, UK, Chile, India and other jurisdictions, which may have negative impacts on our businesses or the businesses of our customers. HIPAA requires business associates as well as covered entities to comply with specified privacy and security requirements. While we provide for appropriate protections through our contracts with our third-party service providers and in certain cases assess their security controls, we have limited oversight or control over their actions and practices. Several of our businesses act as business associates to their covered entity customers and, as a result, collect, use, disclose and maintain protected personal information in order to provide services to these customers. 
If HHS alleges or finds noncompliance by us with HIPAA privacy or security requirements, the allegations or findings could damage our reputation and subject us to monetary and other sanctions. Through our Optum businesses, we maintain a database of administrative and clinical data statistically de-identified in accordance with HIPAA standards. Noncompliance or findings of noncompliance with applicable laws, regulations or requirements, or the occurrence of any privacy or security breach involving the misappropriation, loss or other unauthorized disclosure of protected personal information, whether by us or by one of our third-party service providers, could have an adverse effect on our reputation and business and, among other consequences, could subject us to mandatory disclosure to affected customers and the media, loss of existing or new customers, and significant increases in the cost of managing and remediating privacy or security incidents, and could also result in significant fines, penalties and litigation awards. Any of these consequences could have a material and adverse effect on our results of operations, financial position and cash flows. We increasingly rely on new and evolving technologies, including those powered by or incorporating AI, as part of our internal operations and in the delivery of our products and services. AI technologies are subject to evolving and uncertain U.S. federal, state, and international laws and regulations. Emerging requirements may impose new compliance obligations, increase operating costs, or limit certain uses of AI.
Prior text (2025):
The collection, maintenance, protection, use, transmission, disclosure and disposal of protected personal information are regulated at the federal, state, international and industry levels and addressed in requirements of our customer contracts. Additionally, legislative and regulatory action in the United States at the federal, state and local levels, as well as internationally, is emerging in the areas of AI/ML and automation. These laws, regulations and requirements are subject to change. Compliance with new privacy, security, technology and data laws, regulations and requirements may result in increased operating costs, and may constrain or require us to alter our business model or operations. Internationally, many of the jurisdictions in which we operate have established their own data security and privacy legal framework with which we or our customers must comply. We expect there will continue to be new proposed laws, regulations and industry standards concerning privacy, data protection, information security, and AI/ML and automation in the European Union, UK, Chile, India and other jurisdictions, and we cannot yet determine the impacts such future laws, regulations and standards may have on our businesses or the businesses of our customers. Some of our businesses are also subject to the Payment Card Industry Data Security Standard, which is a multifaceted security standard designed to protect payment card account data. HIPAA requires business associates as well as covered entities to comply with specified privacy and security requirements. While we provide for appropriate protections through our contracts with our third-party service providers and in certain cases assess their security controls, we have limited oversight or control over their actions and practices.
Several of our businesses act as business associates to their covered entity customers and, as a result, collect, use, disclose and maintain protected personal information in order to provide services to these customers. If HHS alleges or finds noncompliance with HIPAA privacy or security requirements, the allegations or findings could damage our reputation and subject us to monetary and other sanctions. Through our Optum businesses, we maintain a database of administrative and clinical data statistically de-identified in accordance with HIPAA standards. Noncompliance or findings of noncompliance with applicable laws, regulations or requirements, or the occurrence of any privacy or security breach involving the misappropriation, loss or other unauthorized disclosure of protected personal information, whether by us or by one of our third-party service providers, could have an adverse effect on our reputation and business and, among other consequences, could subject us to mandatory disclosure to affected customers and the media, loss of existing or new customers, significant increases in the cost of managing and remediating privacy or security incidents, and could also result in significant fines, penalties and litigation awards. Any of these consequences could have a material and adverse effect on our results of operations, financial position and cash flows. As an enterprise, we increasingly rely on new and evolving technologies, including those powered by or incorporating AI/ML, as part of our internal operations and in the delivery of our products and services. New technologies have potential and power to improve and optimize operational processes and clinical outcomes across the healthcare system, but also present ethical, technological, legal, regulatory and other risks. 
With respect to AI/ML, we have developed and implemented policies and procedures intended to promote and sustain responsible design, development, and use of AI/ML, consistent with industry best practices. Any inadequacy or failure in compliance with our responsible use of AI/ML policies and procedures or emerging laws, regulations and standards governing AI/ML use could cause our technology products not to operate as intended or to produce outcomes, including possible regulatory enforcement action or litigation that could have a material and adverse effect on our business, reputation, results of operations, financial position and cash flows.