Change Healthcare Breach Impacted Data Of 190 Million People: UnitedHealth
That’s up from the prior estimate of 100 million people affected in the February 2024 breach.
UnitedHealth Group confirmed that last year’s breach of Change Healthcare impacted the data of 190 million people, up from the prior estimate of 100 million individuals affected.
The wider impact from the February 2024 hack was first reported by TechCrunch. UnitedHealth confirmed the updated figure in a statement to CRN Monday.
[Related: 10 Major Ransomware Attacks And Data Breaches In 2024]
“Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million,” the UnitedHealth statement said, noting that the “vast majority” of affected people have been notified at this point.
“The final number will be confirmed and filed with the Office for Civil Rights at a later date,” the statement said.
While the incident first manifested as a ransomware attack against the IT systems of UnitedHealth-owned Change Healthcare—leading to weeks of disruptions for many U.S. patients and health-care providers—the hackers also exfiltrated a massive trove of patient data.
The stolen data may include medical information such as diagnoses, providers, prescriptions, test results and treatments, according to the notification from Change Healthcare.
In its statement Monday, UnitedHealth noted that it is “not aware of any misuse of individuals’ information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis.”
Other potentially impacted patient data may include health insurance information; claims, billing and payment data; and “other personal data” such as Social Security numbers or driver’s license numbers, Change Healthcare said in its notification.
In October, UnitedHealth disclosed that it estimated at the time that 100 million individuals were impacted in the Change Healthcare breach. The disclosure that 190 million people may have been impacted makes it the largest health-care breach in U.S. history, according to a Reuters report.
Despite UnitedHealth paying a $22 million ransom to the ransomware gang that carried out the initial attack, data stolen during the incident ended up in the hands of a different cybercriminal group, RansomHub, which proceeded to post some of the stolen data.
The breach was enabled by a lack of multifactor authentication on a Change Healthcare server, UnitedHealth has said.