19 Million Home Visits: What UnitedHealth's Scale Reveals About the Future of Home Healthcare, Cybersecurity, and Patient Trust
Obi Ibeto

UnitedHealth Group delivered 19 million in-home visits in 2025. For home healthcare agencies, this signals a permanent shift in care delivery — and a rising standard for cybersecurity, HIPAA readiness, and digital resilience.

In 2025, UnitedHealth Group publicly stated that it delivered 19 million in-home visits, bringing care directly to patients at a scale that would have been difficult to imagine a decade ago. That figure should make every home healthcare executive, compliance officer, clinical leader, and technology partner pause. It is more than a large number. It is a signal that the center of gravity in healthcare is shifting.

Care is no longer confined to hospitals, physician offices, rehabilitation centers, or outpatient clinics. Increasingly, care is happening in the patient's living room, bedroom, assisted living apartment, and community setting.

UnitedHealth's formal 2025 annual filing also confirms the importance of this strategy. The company reported that its HouseCalls program alone performed 3.1 million clinical preventive home care visits in 2025, using nurse practitioners to address unmet care opportunities and close gaps in care. That distinction matters. The broader 19 million figure reflects the company's wider home-based care activity, while HouseCalls represents one specific clinical preventive home visit program. Together, they show the same direction: home-based care has become a major operating channel for large healthcare organizations.

For home healthcare agencies, this is both an opportunity and a warning.

The opportunity is obvious. Demand for care in the home is rising. Aging populations, chronic disease, hospital-at-home models, Medicare Advantage growth, staffing constraints, patient preference, and value-based reimbursement are all pushing healthcare closer to where people live. The warning is just as clear: as healthcare moves into the home, the operational and cybersecurity risks move with it.

A home visit is no longer just a clinical encounter. It is a digital transaction, a compliance event, a data exchange, a billing workflow, a mobile workforce activity, and a patient trust moment.


How UnitedHealth Was Able to Deliver Care at That Scale

UnitedHealth did not deliver millions of in-home visits by accident. It did so because it has the infrastructure, financial incentives, workforce models, technology platforms, member data, and care coordination systems to support home-based care as a strategic operating model.

First, UnitedHealth has a massive member base. Its 2025 Form 10-K reported 8.4 million Medicare Advantage members in its Medicare & Retirement business as of December 31, 2025. That scale gives the company the population base to identify care gaps, schedule visits, stratify risk, and deploy clinicians into the home in a systematic way.

Second, the company uses the home as a core part of its healthcare delivery strategy. In its reporting, UnitedHealth discusses enabling the home as a safe and effective setting for care. That is not casual language. It reflects a broader industry movement away from episodic, facility-centered care and toward continuous, coordinated, home-centered engagement.

Third, UnitedHealth's model aligns with value-based care. In traditional fee-for-service healthcare, the system is often paid when a patient becomes sick enough to require a billable encounter. In value-based care, the incentive changes. Plans and providers are rewarded for prevention, early intervention, better outcomes, reduced hospitalizations, and lower total cost of care. Home visits can help uncover risks that may not appear during a short office visit: medication confusion, fall hazards, food insecurity, caregiver limitations, isolation, behavioral health concerns, and gaps in follow-up care.

This is why home-based care is gaining traction. It gives healthcare organizations a more complete picture of the patient.

Fourth, the broader policy environment supports the shift. CMS expanded the Home Health Value-Based Purchasing Model nationwide beginning January 1, 2022, covering Medicare-certified home health agencies in all 50 states, the District of Columbia, and U.S. territories. The model is designed to improve quality and efficiency in home health care. That creates strong pressure for agencies to improve outcomes, documentation, patient experience, and operational performance.

In simple terms, UnitedHealth's 19 million in-home visits show what happens when scale, reimbursement, workforce strategy, data, and technology all point in the same direction.


The Real Lesson for Home Healthcare Agencies

The lesson is not that every home healthcare agency must become UnitedHealth. That is unrealistic and unnecessary.

The real lesson is that home healthcare is becoming a serious, data-driven, compliance-sensitive, technology-dependent care environment. Agencies that still view themselves as small, local, paper-driven service providers are at risk of falling behind. The industry is professionalizing. Payers are demanding more evidence. Regulators are demanding stronger safeguards. Patients and families are demanding reliability. Referral partners want confidence that agencies can protect sensitive information and deliver care consistently.

This creates a new standard for home healthcare leadership. The next generation of successful home healthcare agencies will need five capabilities:

  • Clinical reliability. Agencies must prove they can deliver care safely and consistently in the home.
  • Operational visibility. Leaders must know what is happening across visits, staff, devices, documentation, scheduling, and patient communication.
  • Compliance discipline. HIPAA, payer requirements, state rules, quality measures, and breach notification expectations must be embedded into daily operations.
  • Technology maturity. Agencies must use cloud systems, mobile tools, secure email, identity and access controls, endpoint protection, backup, and reporting systems responsibly.
  • Cyber resilience. Agencies must be able to prevent, detect, respond to, and recover from cyber incidents without collapsing operationally.

That last capability is becoming one of the most important.


When Care Moves Into the Home, the Attack Surface Moves With It

Every home visit creates a cybersecurity footprint.

A clinician may use a mobile phone, tablet, laptop, scheduling app, electronic visit verification platform, electronic medical record, email account, messaging tool, billing system, cloud storage platform, GPS-enabled app, or remote access connection. Each tool may create, receive, maintain, transmit, or access electronic protected health information.

That means every home healthcare agency must ask a hard question: Are we protecting patient data with the same seriousness that we protect patient care?

The HIPAA Security Rule establishes national standards to protect electronic protected health information through administrative, physical, and technical safeguards. Covered entities and business associates are expected to protect the confidentiality, integrity, and availability of ePHI.

This is not theoretical. Healthcare is one of the most targeted sectors for cyberattacks. The American Hospital Association, citing the FBI's 2025 Internet Crime Report, reported that healthcare and public health was the top sector targeted for cyberthreats in 2025, with hundreds of reported ransomware attacks and data breaches.

For home healthcare agencies, the risk is especially serious because many operate with:

  • Lean IT teams and limited cybersecurity budgets
  • Distributed workers using personal devices on home Wi-Fi networks
  • Shared devices and inconsistent access controls
  • Weak password practices and inconsistent multi-factor authentication
  • Heavy reliance on email with little or no phishing protection

These conditions create an attractive target for cybercriminals.

A ransomware attack against a home healthcare agency is not just an IT event. It can stop scheduling, delay care, disrupt payroll, freeze billing, expose patient data, damage referral relationships, and trigger regulatory scrutiny. A business email compromise incident can redirect payments, expose patient records, or trick staff into sending sensitive information to criminals. A compromised clinician device can become an entry point into cloud systems. A weak backup strategy can turn a recoverable incident into an existential business crisis.

The industry cannot afford to treat cybersecurity as optional.


The Change Healthcare Cyberattack Changed the Conversation

Any serious discussion of healthcare cybersecurity must mention the Change Healthcare cyberattack. In February 2024, the attack disrupted claims processing, pharmacy operations, payment systems, and provider cash flow across the country. The American Hospital Association described the disruption as unprecedented in scale and warned that attacks against mission-critical third-party providers can have devastating national consequences.

HHS later reported that Change Healthcare notified the Office for Civil Rights that approximately 190 million individuals were impacted by the breach. That number is staggering. It shows how interconnected healthcare has become and how a single failure point can affect patients, providers, payers, and vendors across the ecosystem.

The lesson for home healthcare agencies is not that they face the same scale of risk as a national clearinghouse. The lesson is that every healthcare organization now operates inside a connected digital ecosystem. Agencies depend on EMRs, billing vendors, clearinghouses, payroll platforms, cloud providers, referral sources, payer portals, email systems, and third-party applications. A weakness anywhere in that chain can become a business continuity problem.

Cybersecurity is now part of healthcare delivery.


HIPAA Readiness Must Become Operational, Not Cosmetic

Many agencies still approach HIPAA as a binder, a checklist, or an annual training requirement. That mindset is outdated.

HIPAA readiness must become operational. It must show up in onboarding, offboarding, access reviews, password controls, mobile device management, email security, endpoint protection, backup testing, incident response, vendor management, staff training, and leadership reporting.

HHS has already signaled that cybersecurity expectations are rising. OCR's proposed update to the HIPAA Security Rule was designed to better address increasing cybersecurity threats against the healthcare sector and strengthen the protection of ePHI.

That direction should not surprise anyone. The healthcare sector is too valuable, too vulnerable, and too essential to continue operating with outdated security practices.

For home healthcare leaders, this creates a practical question: Can you prove that your agency has reasonable and appropriate safeguards in place?

If a breach happens, regulators, payers, referral partners, and patients will not only ask what happened. They will ask what you had in place before it happened:

  • Did you conduct a risk assessment?
  • Did you implement multi-factor authentication?
  • Did you train staff?
  • Did you protect endpoints?
  • Did you maintain backups?
  • Did you monitor suspicious activity?
  • Did you have an incident response plan?
  • Did you know which systems stored or transmitted ePHI?
  • Did you manage third-party risk?

These are not technical questions. They are executive leadership questions.


The Business Case for Cybersecurity in Home Healthcare

Cybersecurity is often viewed as a cost. That is the wrong framing.

For home healthcare agencies, cybersecurity is a business protection strategy. It protects revenue, referrals, patient trust, payer relationships, licensure posture, regulatory standing, and operational continuity.

A strong cybersecurity program can help agencies:

  • Reduce ransomware risk
  • Protect patient data and ePHI
  • Support HIPAA compliance
  • Improve payer and referral partner confidence
  • Reduce downtime and recover faster from incidents
  • Strengthen business continuity planning
  • Prepare for audits, questionnaires, and payer reviews
  • Improve cyber insurance eligibility and premium pricing
  • Protect staff from phishing and credential theft
  • Support growth into larger contracts and higher-value partnerships

As larger healthcare organizations scale home-based care, they will increasingly expect smaller partners, vendors, and agencies to demonstrate stronger cybersecurity hygiene. Agencies that can show maturity will have a competitive advantage. Agencies that cannot may be viewed as risky.

That is the market shift. Cybersecurity will become part of the home healthcare value proposition.


What Home Healthcare Agencies Should Do Now

The starting point does not have to be complicated. Agencies should begin with a practical cybersecurity and HIPAA readiness assessment. The purpose is to identify where patient data lives, who has access to it, how it is protected, and what would happen if systems were disrupted.

A strong readiness process should include:

  • A system inventory of all platforms, devices, applications, email systems, cloud services, and databases that create, receive, maintain, transmit, or store ePHI.
  • An ePHI data flow review showing how patient information moves between staff, systems, vendors, payers, referral sources, and patients.
  • A review of identity and access controls, including multi-factor authentication, role-based access, password practices, and offboarding procedures.
  • An endpoint security review for laptops, desktops, tablets, and mobile devices used by administrative and clinical staff.
  • An email security review, because phishing and business email compromise remain among the most common attack paths.
  • A backup and disaster recovery review to confirm that critical systems and data can be restored after ransomware, accidental deletion, or system failure.
  • A staff awareness review to evaluate whether employees understand phishing, social engineering, secure communication, and incident reporting.
  • An incident response review to confirm the agency knows what to do in the first 24 to 72 hours after a suspected breach.

This is how cybersecurity becomes practical. Not fear. Not jargon. Not expensive tools thrown at a poorly understood problem. Just disciplined readiness.


The New Standard: Care at Home Must Also Mean Security at Home

UnitedHealth's 19 million in-home visits should be viewed as a milestone for the entire healthcare industry. It shows that home-based care is no longer a niche service. It is becoming a national care delivery infrastructure.

But infrastructure must be protected.

If the home is becoming a clinical setting, then the systems supporting home care must be treated as critical infrastructure. Scheduling systems matter. Billing systems matter. Email matters. Mobile devices matter. Cloud platforms matter. Staff training matters. Backup matters. Incident response matters. Vendor risk matters. HIPAA documentation matters.

The agencies that understand this early will be better positioned to grow. They will be more attractive to referral partners, payers, accountable care organizations, hospitals, physician groups, and families. They will be able to say, with confidence, that they are not only delivering care in the home — they are protecting the digital trust that makes care possible.

That is where the industry is heading.

The future of home healthcare will not be defined only by how many visits an agency can complete. It will be defined by how safely, securely, consistently, and intelligently those visits are delivered.

UnitedHealth's scale shows what is possible. The next question is whether the rest of the home healthcare industry is ready for the operational, compliance, and cybersecurity expectations that come with that future.

For agencies willing to act now, this is a moment of opportunity. Cybersecurity readiness can become a differentiator, not just a defensive measure. HIPAA compliance can become a trust signal, not just a regulatory burden. Technology can become an enabler of better care, not a source of hidden risk.

Home healthcare is growing up. Now its cybersecurity must grow up with it.


Schedule Your Complimentary Home Healthcare Cyber Readiness Assessment

Schedule your complimentary Home Healthcare Cyber Readiness Assessment with ShieldForce. We will help your agency identify cybersecurity and HIPAA readiness gaps across your people, devices, cloud systems, email, backup, and ePHI workflows — then provide a practical roadmap to reduce risk before a breach, audit, or payer review forces the conversation.
