Dive Brief:
The massive cyberattack on Change Healthcare last year may have compromised the data of about 190 million people — more than half the U.S. population, according to an update from its parent company UnitedHealth on Friday.
The new estimate of affected individuals far surpasses Change’s previous tally. In October, the technology firm and claims processor said the ransomware attack exposed information from 100 million Americans, making it the largest healthcare data breach ever reported to federal regulators.
Change isn’t aware of any misuse of exposed data as a result of the breach, and hasn’t seen electronic medical record databases appear in its analysis of compromised information, a UnitedHealth spokesperson said.
Dive Insight:
The vast majority of the 190 million affected individuals have already been notified, either through individual letters or through the substitute notice published on the company’s website. Data exposed could include contact information, health insurance details, health information and billing and claims data, according to the notice.
The update comes weeks after UnitedHealth reported a significant financial hit from the Change cyberattack during an earnings call. The healthcare giant spent $3.1 billion responding to the attack in 2024, outstripping previous spending estimates.
The ransomware attack that hit Change in February last year set off weeks of disruptions for the healthcare sector. A group called AlphV, also known as Blackcat, claimed responsibility for the incident. UnitedHealth CEO Andrew Witty later confirmed the company paid a $22 million ransom in Bitcoin in an attempt to protect personal information after the attack.
Providers reported a range of financial and operational challenges during the outage, which hamstrung their ability to receive reimbursement for services, check patients’ insurance coverage and file prior authorization requests. Some practices worried they would fold if payments were held up for too long, leading both UnitedHealth and the CMS to set up financial assistance programs for providers after the attack.
Lawmakers also raised concerns about the attack’s impact on the sector — and the potentially huge breach of Americans’ health data. In May, Witty told lawmakers the attack may have compromised the data of one third of people in the U.S.
Change’s review of compromised data is now substantially complete, according to a UnitedHealth spokesperson. The final number will be confirmed and filed with the HHS’ Office for Civil Rights at a later date.
