UnitedHealth has confirmed that a ransomware attack on its Change Healthcare division earlier this year affected approximately 190 million people in the United States, a figure nearly double the previous estimates.
Following the market close on Friday, UnitedHealth, a leading health insurance provider, disclosed this updated statistic to TechCrunch.
“Change Healthcare has assessed that around 190 million individuals were impacted by the cyberattack,” stated Tyler Mason, a spokesperson for UnitedHealth Group, in an email to TechCrunch. He emphasized that most of those affected have already been notified, either individually or through substitute notice, and confirmed that the final count would be reported to the Office for Civil Rights at a later date.
Mason also conveyed that the company has not encountered evidence of misuse of the affected individuals’ information and noted that their analysis did not reveal any compromised electronic medical record databases.
This cyber incident, which occurred in February 2024, marks the most significant breach of medical data in U.S. history, leading to prolonged service disruptions across the healthcare sector. Change Healthcare, a subsidiary of UnitedHealth and a major player in health tech, specializes in managing vast amounts of health data and patient records while also processing numerous healthcare claims across the nation.
The breach reportedly involved the theft of extensive health and insurance data, some of which was subsequently disseminated online by the perpetrators. To mitigate further data exposure, Change Healthcare paid at least two ransoms.
UnitedHealth had earlier estimated the number of individuals affected at around 100 million when it filed a preliminary report with the Office for Civil Rights, the unit of the U.S. Department of Health and Human Services responsible for investigating such data breaches.
In the notification about the data breach, Change Healthcare disclosed that the cybercriminals accessed sensitive information, including names, addresses, dates of birth, phone numbers, email addresses, and government-issued identification documents such as Social Security numbers and driver’s license numbers. The compromised health data encompassed medical diagnoses, medications, test results, imaging records, treatment plans, and health insurance details—notably, it also included financial information related to patient claims.
The attack was attributed to the ALPHV ransomware group, a notorious, primarily Russian-speaking cybercrime organization. According to testimony from UnitedHealth Group’s CEO Andrew Witty before lawmakers, the attackers gained access to Change’s systems through compromised account credentials that lacked multi-factor authentication.