Change Healthcare Data Breach: 190 Million Americans Affected

UnitedHealth Data Breach Impacts Nearly 190 Million Americans

UnitedHealth has recently verified that the ransomware attack targeting its Change Healthcare division in February had far-reaching consequences, affecting approximately 190 million individuals across the United States.

This figure, disclosed to TechCrunch on Friday following market closure, represents a substantial increase compared to initial estimations.

Confirmation from UnitedHealth

According to Tyler Mason, a spokesperson for UnitedHealth Group, “Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million.”

Mason further stated that the majority of affected individuals have already received notification, either directly or through substitute means. The final count will be officially confirmed and submitted to the Office for Civil Rights at a later time.

No Evidence of Data Misuse

UnitedHealth’s representative indicated that, to date, there is no indication that individuals’ information has been misused as a result of this incident.

Analysis of the compromised data has not revealed the appearance of electronic medical record databases.

Scale of the Cyberattack

The February 2024 cyberattack stands as the largest breach of medical data in U.S. history, causing significant disruptions within the nation’s healthcare infrastructure.

Change Healthcare, a subsidiary of UnitedHealth and a leading health tech company, is a major processor of healthcare claims and a substantial handler of sensitive health and patient data.

Data Compromised and Ransom Payments

The breach led to the theft of a vast amount of health and insurance-related data, with some of this information being published online by the responsible hackers.

Subsequently, Change Healthcare made at least two ransom payments in an attempt to prevent further dissemination of the stolen files.

Previous Estimates and Reporting

UnitedHealth had initially estimated the number of affected individuals to be around 100 million when filing a preliminary analysis with the Office for Civil Rights, a division of the U.S. Department of Health and Human Services responsible for investigating data breaches.

Types of Stolen Information

Change Healthcare’s data breach notice detailed the types of information compromised, including:

Names and addresses
Dates of birth
Phone numbers
Email addresses
Government identity documents (Social Security numbers, driver’s license numbers, passport numbers)
Health data (diagnoses, medications, test results, imaging, care and treatment plans)
Health insurance information
Financial and banking information found in patient claims

Attribution and Vulnerability

The attack has been attributed to the ALPHV ransomware gang, a known Russian-speaking cybercrime group.

Testimony from UnitedHealth Group’s CEO, Andrew Witty, revealed that the hackers gained access to Change’s systems using a compromised account credential that lacked multi-factor authentication.