If I were writing the crime novel version:
-This is tied to the 2/12/24 infiltration of Change Healthcare by ALPHV/Blackcat in which Change Healthcare/UnitedHealth “recognized” the breach on 2/21/24.
-On 2/20/24, Brian Thompson submits Edgar filing related to a $15+ million sale purportedly on 2/16/24.
-On 2/26/24, WSJ reports DOJ ongoing anti-trust investigation into UnitedHealth which allegedly triggers the stock drop and the subsequent insider trading lawsuits; however important to note two things: the scope of the data breach is probably becoming more known internally at UnitedHealth and whispers of that alone could have triggered a stock drop (ie even if WSJ DOJ report had not come out); and not specifically mentioned in the WSJ article was the fact that part of the DOJ investigation was actually a revisit of whether UnitedHealth ever put in the firewalls between its companies (ie Change, Optum, UnitedHealthCare) that it promised to a judge that it would do when judge ruled in favor of United in a 2022 DOJ anti-trust suit at the time of its acquisition of Change Healthcare.
-Sometime in late February, someone at (or some entity connected to) UnitedHealth makes a $22 million ransomware bitcoin payment to ALPHV/Blackcat. ALPHV/Blackcat effectively renegs on promise after receipt of payment. A second darkweb entity RansomHub requests a second ransomware payment from UnitedHealth. UnitedHealth refuses.
-In late May, due to intense concern/probing from Congress, UnitedHealth admits that over 1/3 of all U.S. citizens healthcare data may have been breached in the attack. Not in all cases, but in some cases, this included the breach of CC and bank account payment info, insurance info, medical imaging records, test results, medicines prescribed, Dr case mgmt records, etc.
-In its quarter ending 9/30/24, UnitedHealth increases the expected financial cost of the breach to be $2.87 BILLION.
———-
(Other than speculating that Thompson’s February stock sale may have somehow been related to the underway data breach, all of the above info comes from either the DOJ/court records or - evenentually - by UnitedHeath)
————
(The following is speculative entirely speculative for the novel

————
-Shooter is from Europe and somehow connected to DarkWeb hackers involved in the breach (not a pro, but knowledgeable with weapons, govt data capture endpoints - eg cctv, facial recognition, id, etc).
-His entry point into the U.S. was through Atlanta where, in the suburban areas, there are a fair amount of European/Eastern European money laundering outfits.
-Shooter road bike from 104/Central Park West through the park, exited at either 59th or 60th, and ditched bike in its hideout spot.
-Knowing that police would be able to walk back every moment that he had spent in midtown/NYC streets, he walked to F train at Rockefeller Center 50th/6th and road it one stop to try to obfuscate (even just giving himself an extra few minutes of LE confusion) to 57th/6th stop to make it seem like he had come from downtown (or UES>Bronx).
-After killing Thompson, shooter enters Central Park heads towards west side but stays on West Drive (ie I think leaving park at 60th/CPW at Columbus circle is a red herring (or maybe media confusion of where he exited on his route to the shooting) as it doesn’t make any sense to exit there and then be back on almost constant CCTV (or CPW building cameras) for a portion of the route up to 77th/CPW.