UnitedHealth Group has officially disclosed that the February ransomware attack on its subsidiary, Change Healthcare, affected approximately 190 million individuals in the U.S.—nearly twice the previously estimated figure.
The healthcare giant confirmed the revised number in a statement to TechCrunch on Friday, after market hours.
“Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million,” said Tyler Mason, a UnitedHealth spokesperson, in an email to TechCrunch. “The vast majority of those people have already been provided individual or substitute notice. The final number will be confirmed and filed with the Office for Civil Rights at a later date.”
UnitedHealth also stated that there is no evidence suggesting the stolen data has been misused. “The company is not aware of any misuse of individuals’ information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis,” the spokesperson added.
The cyberattack, which occurred in February 2024, stands as the most significant medical data breach in U.S. history. It led to prolonged disruptions across the healthcare sector. Change Healthcare, a leading health tech provider and claims processor, handles vast amounts of patient data, medical records, and insurance information.
Hackers behind the attack stole an extensive volume of sensitive health and insurance data, some of which was leaked online. Reports indicate that Change Healthcare paid at least two ransom payments to prevent further exposure of the compromised files.
Initially, UnitedHealth estimated the number of impacted individuals to be around 100 million when it filed a preliminary report with the Office for Civil Rights, a division of the U.S. Department of Health and Human Services that oversees data breaches.
According to Change Healthcare’s breach notification, the cybercriminals accessed and stole:
- Names, addresses, phone numbers, and email addresses
- Dates of birth and government-issued ID numbers (Social Security, driver’s license, passport)
- Medical diagnoses, prescriptions, lab results, imaging, and treatment plans
- Health insurance details
- Financial and banking data related to patient claims
The breach has been attributed to the ALPHV ransomware group, a Russian-language cybercrime network. During congressional testimony, UnitedHealth CEO Andrew Witty revealed that attackers gained access through a stolen credential that lacked multi-factor authentication, highlighting a critical security lapse.
As the healthcare industry grapples with the aftermath, this breach underscores the urgent need for enhanced cybersecurity measures to safeguard sensitive medical data.