UnitedHealth Reveals Data Breach Affects 190 Million Americans Linked to Change Healthcare
UnitedHealth has confirmed that the ransomware attack on its Change Healthcare division last February impacted approximately 190 million individuals in the United States—nearly double the prior estimates.
The U.S. health insurance leader disclosed this updated figure to TechCrunch on Friday after markets closed.
“Change Healthcare has determined that the estimated total number of individuals affected by the Change Healthcare cyberattack is roughly 190 million,” stated Tyler Mason, a spokesperson for UnitedHealth Group, in an email to TechCrunch. “The vast majority of those individuals have already received individual or substitute notifications. The final number will be confirmed and submitted to the Office for Civil Rights at a later time.”
The spokesperson for UnitedHealth mentioned that the company was “not aware of any misuse of individuals’ information resulting from this incident and has not observed any electronic medical record databases in the data during the analysis.”
The February 2024 cyberattack is the largest breach of medical data in U.S. history, and it led to several months of disruptions across the U.S. healthcare system. Change Healthcare, a major health tech provider and subsidiary of UnitedHealth, is among the largest handlers of health and medical data and patient records, and is also one of the key processors of healthcare claims in the nation.
The data breach involved the theft of vast amounts of health and insurance-related information, some of which was subsequently released online by the hackers responsible for the incident. To avert further publication of the stolen files, Change Healthcare paid at least two ransoms.
Initially, UnitedHealth estimated that around 100 million individuals were affected when the company submitted its preliminary analysis to the Office for Civil Rights, the unit within the U.S. Department of Health and Human Services charged with investigating data breaches.
In its breach notification, Change Healthcare indicated that the cybercriminals stole personal information such as names, addresses, dates of birth, phone numbers, email addresses, and government identity documents, including Social Security numbers, driver’s license numbers, and passport numbers. The compromised health data also encompassed diagnoses, medications, test results, imaging, and care and treatment plans, alongside health insurance details. Additionally, Change noted that the stolen data included financial and banking information related to patient claims.
The breach has been linked to the ALPHV ransomware group, a prominent Russian-speaking cybercrime organization. As stated by UnitedHealth Group’s CEO Andrew Witty during congressional testimony last year, the hackers gained access to Change’s systems using a stolen account credential that was not secured with multi-factor authentication.