The Surveillance Blind Spot

On the morning of December 4, 2024, UnitedHealthcare CEO Brian Thompson walked out of the New York Hilton Midtown on West 54th Street and was shot from behind. Surveillance footage released by the NYPD showed his attacker had been waiting outside the hotel for at least five minutes before Thompson arrived — evidence that the shooter knew which entrance he would use, and when. NYPD Commissioner Jessica Tisch called it "a brazen, targeted attack." The planning was not improvised. It was the product of prior reconnaissance.

Thompson's wife confirmed to NBC News that he had received threats before the attack — "some people that had been threatening him," she said. Despite those threats, he traveled to New York without a security detail. NYPD Chief of Detectives Joseph Kenny confirmed this at his press conference: "He left the hotel by himself, was walking, didn't seem like he had any issues at all." UnitedHealth Group's own proxy statements show no current or former executive receives regular company-funded personal security. A man who had received threats walked alone toward a hotel entrance where someone was already waiting for him. The attack lasted seconds. The planning, almost certainly, took days.

That gap — between an adversary's preparation and a target's awareness — is the space that counter-surveillance exists to close. Most executive protection programs know this in principle. In practice, the field's most common failures happen not in the moments of crisis, but in the weeks before anyone on the protection team realizes a threat is developing.

Many protection programs apply a uniform risk assessment across different principals without accounting for individual exposure, threat motivation, or current operational context. A chief legal officer facing an active wrongful termination lawsuit carries a materially different risk profile than the same executive in a quiet period. A high-net-worth individual who has recently appeared in a financial publication carries different exposure than one who has maintained a low profile. Applying the same protection package to both is not a risk management strategy. It is a billing model.