---
title: "Healthcare Cybersecurity in 13Fs: UNH, MRK, JNJ Risk Reading"
type: learn
slug: healthcare-cybersecurity-13f-unh-mrk-jnj-cyber-risk-decoder
canonical_url: https://13finsight.com/learn/healthcare-cybersecurity-13f-unh-mrk-jnj-cyber-risk-decoder
published_at: 2026-05-15T06:05:56.523Z
updated_at: 2026-05-15T06:06:00.108Z
author: Sarah Mitchell
author_title: Education Editor
author_url: https://13finsight.com/authors/sarah-mitchell
word_count: 700
locale: en
source: 13F Insight
---

# Healthcare Cybersecurity in 13Fs: UNH, MRK, JNJ Risk Reading

> Healthcare-payor and pharma R&D data is one of the highest-value targets in the AI cybersecurity threat cycle. UNH lost $2B+ in the 2024 Change Healthcare breach. Pharma R&D and clinical-trial data are next. Here's how institutional positioning reflects the risk.

The AI cybersecurity threat cycle has elevated healthcare to one of the highest-value attack targets in the US listed economy. The 2024 Change Healthcare ransomware attack on UnitedHealth Group's Optum subsidiary cost the company over $2 billion in direct response costs plus ongoing regulatory overhang. The breach disrupted approximately 50% of US healthcare insurance claims processing for 100+ days. Pharma R&D infrastructure — clinical-trial data, patent-pending compound databases, manufacturing trade secrets — is the next category in the threat envelope. Reading institutional 13F positioning across healthcare requires understanding which companies sit at the highest cybersecurity-risk-and-cost exposure, and how active managers position for or against the risk.The healthcare cybersecurity threat envelopeThree categories of healthcare data are high-value cyber targets:Healthcare payor and claims dataInsurance claims, patient records, provider databases. The Change Healthcare breach demonstrated the operational and regulatory cost of disruption. Targets:UnitedHealth Group (UNH): Optum / Change Healthcare. Already breached in 2024.Cigna Group (CI): Evernorth healthcare-services business.CVS Health (CVS): Aetna insurance plus Caremark PBM.Elevance Health (ELV): Anthem health plans.Humana (HUM): Medicare Advantage operations.Pharma R&D and clinical-trial dataPatent-pending compounds, biological process development, clinical-trial datasets. AI-enabled industrial espionage can extract these at scale. Targets:Merck (MRK): Keytruda follow-on pipeline, cardiovascular-metabolic platform.Eli Lilly (LLY): GLP-1 franchise data, oncology pipeline.Johnson & Johnson (JNJ): Diversified pharma plus medical-device R&D.Pfizer (PFE): Seagen ADC platform, post-COVID pipeline.AbbVie (ABBV): Immunology franchise.Vertex Pharmaceuticals (VRTX): Cystic fibrosis plus expanding pipeline.Medical-device and diagnostic dataDevice firmware, FDA submission data, manufacturing processes. Targets:Stryker (SYK): Orthopedic implants, surgical instruments.Boston Scientific (BSX): Cardiac and endoscopy devices.Becton Dickinson (BDX): Diagnostics and drug delivery.Thermo Fisher (TMO): Life-sciences tools and clinical-trial services.How institutional positioning reflects cyber riskThree patterns appear in 13F positioning post-Change Healthcare:Pattern 1: Active managers held through the breachCapital World Investors, Wellington Management, Citadel, and other large active healthcare-managers held through the 2024 UNH drawdown without forced selling. The 13F positions show:UnitedHealth (UNH): Capital World at 1.03% portfolio, Citadel at 1.09%, Wellington at 0.91% — all active overweights versus index of ~0.85%.Merck (MRK): Wellington at 1.59% portfolio — 3.5x index overweight.Pfizer (PFE): Fisher Asset Management at 1.00% portfolio — 4x index overweight.The institutional view appears to be that cyber-risk overhang is priced into the multiple and the long-term franchise value is intact.Pattern 2: Specialty cybersecurity overweights compoundStocks providing cybersecurity defense to healthcare (Palo Alto Networks, CrowdStrike, Fortinet, SentinelOne) attract concentrated active conviction. Morgan Stanley at 0.34% PANW portfolio (vs ~0.21% index weight) plus similar overweights at peer cybersecurity names reflect institutional positioning for the structural enterprise cybersecurity spend acceleration.Pattern 3: Market-maker inventory expands during volatilitySusquehanna at $10.34 billion / 1.19% portfolio in UNH, plus Citadel's options-paired exposure, reflect options-volume expansion during the post-Change-Healthcare crisis cycle. Volatility-driven hedge demand inflates the apparent institutional ownership without representing directional conviction.How to read healthcare cyber positioningThree rules:Rule 1: Filter market-maker inventory before reading active convictionUNH's top of book includes Susquehanna at 1.19% portfolio and options-paired Citadel exposure. Both expand during cyber-crisis volatility cycles but do not represent directional view. Filter them out for the active-manager read.Rule 2: Watch active-manager position changes through cyber crisis cyclesWellington, Capital World, and Fidelity position changes through 12-18 months following a breach typically signal whether the institutional view treats the cyber overhang as a multi-year compress or a transitory event.Rule 3: Cross-check against direct-cybersecurity-vendor active positioningIf cybersecurity vendors (PANW, CRWD, FTNT) see expanding active overweights at Morgan Stanley, Wellington, and Capital Group simultaneously, the institutional consensus is that healthcare-and-financial-services cybersecurity spend is structurally accelerating. The vendor positioning and the customer-target positioning move in opposite directions.What to trackMajor healthcare cyber incidents. Each new breach reshapes the institutional view on payor or pharma operating risk.HHS, DOJ, and state AG investigations. Regulatory outcomes from the 2024 Change Healthcare breach (and subsequent incidents) determine the multi-year regulatory overhang.Cyber-vendor revenue growth. Healthcare vertical revenue at PANW, CRWD, FTNT, and others is the indirect signal that enterprise cybersecurity spend in healthcare is accelerating.Q2 2026 13F filings (due August 14, 2026). Watch whether the post-Change-Healthcare active overweights at UNH expand or compress. Track via the institutional signals feed.Healthcare cybersecurity risk is a multi-year overhang affecting institutional positioning across payors, pharma, and medical devices. For more on filtering market-maker inventory from active conviction in high-options names, see our market-maker 13F decoder and the broader explainer hub.

## FAQ

### What was the cost of the Change Healthcare cyber breach?

The February 2024 ransomware attack on Change Healthcare (UnitedHealth's Optum subsidiary processing ~50% of US healthcare insurance claims) cost UnitedHealth Group over $2 billion in direct response costs, partner reimbursements, and lost-revenue impact. UNH provided $9+ billion of interim funding to affected healthcare providers. Ongoing HHS, DOJ, and state attorneys-general investigations continue. UNH stock dropped from $560 to $475 across the 2024 response period before recovering.

### Why is pharma R&D a cybersecurity target?

Pharma R&D contains patent-pending compound data (sells at premium prices to competitors and state-sponsored actors), clinical-trial patient data (HIPAA-regulated; breaches produce regulatory penalties), and manufacturing process trade secrets (economically valuable for years). AI-enabled industrial espionage can extract or disrupt these datasets at scale. Companies like Merck, Lilly, Pfizer, J&J, AbbVie, Vertex sit in the highest-value pharma R&D target envelope.

### Did institutional managers exit UNH after the cyber breach?

No. Capital World Investors held at 1.03% portfolio, Citadel at 1.09%, and Wellington at 0.91% through the 2024 UNH drawdown without forced selling. All three remained active overweights versus the S&P 500 index weight of approximately 0.85%. The institutional view appears to be that cyber-risk overhang is priced into the multiple and the long-term franchise value via Optum data platform plus scale economies is intact.

### Which cybersecurity vendors benefit from healthcare cyber threats?

Palo Alto Networks (PANW), CrowdStrike (CRWD), Fortinet (FTNT), and SentinelOne are the primary US-listed cybersecurity vendors selling Next-Generation Firewall, XDR, SASE, and cloud-security to healthcare enterprises. Morgan Stanley at 0.34% PANW portfolio plus similar overweights at peer cybersecurity names reflect institutional positioning for structural enterprise cybersecurity spend acceleration in healthcare and financial-services verticals.

### How should I read healthcare cyber-target 13F positions?

Three rules: (1) Filter market-maker inventory (Susquehanna at 1.19% UNH is options-driven, not conviction) before reading active conviction; (2) watch active-manager position changes through 12-18 months post-breach for multi-year vs transitory view; (3) cross-check against direct-cybersecurity-vendor active positioning — when PANW, CRWD, FTNT see expanding overweights, the institutional consensus is cybersecurity spend is structurally accelerating.

### Are pharma 13F holders more bullish or bearish after cyber events?

Mostly neutral-to-bullish. Wellington at 1.59% MRK portfolio (3.5x index), Fisher Asset Management at 1.00% PFE portfolio (4x index), and various smaller specialist overweights have held through cyber-event cycles. The institutional view treats pharma cyber risk as a manageable operational overhang rather than a structural revenue threat. The exceptions are companies with specific high-profile data breaches where the post-event multiple compression has been deeper and slower to recover.

---

Source: 13F Insight — https://13finsight.com/learn/healthcare-cybersecurity-13f-unh-mrk-jnj-cyber-risk-decoder
Author: Sarah Mitchell — https://13finsight.com/authors/sarah-mitchell
Last updated: 2026-05-15T06:06:00.108Z