Last year's cyberattack on Change Healthcare has potentially affected the data of around 190 million individuals, more than half of the U.S. population, its parent company UnitedHealth disclosed in a recent update. This figure significantly surpasses Change’s initial estimate, which stated that the breach had exposed information from 100 million Americans, marking it as the largest healthcare data breach ever reported to federal regulators.
Fortunately, there have been no reported cases of misuse of the exposed data following the breach, and there has been no evidence of electronic medical record databases being compromised, according to a spokesperson from UnitedHealth.
A vast majority of the affected individuals have already been notified either through direct correspondence or through a notice published on the company’s website. The data that may have been exposed includes contact details, health insurance information, health records, as well as billing and claims data.
This update comes on the heels of UnitedHealth reporting a significant financial impact from the cyberattack during an earnings call. The company incurred expenses of $3.1 billion in 2024 in response to the attack, exceeding initial cost projections.
The ransomware attack on Change Healthcare in February last year caused widespread disruptions in the healthcare industry. The group responsible for the attack, AlphV or Blackcat, demanded a $22 million ransom in Bitcoin, which UnitedHealth paid in an effort to safeguard personal information.
The outage resulting from the attack caused financial and operational challenges for healthcare providers, impeding their ability to receive reimbursement, verify patients’ insurance coverage, and process prior authorization requests. To alleviate the financial strain on providers, both UnitedHealth and the CMS established financial assistance programs following the attack.
Lawmakers expressed concerns about the impact of the attack on the healthcare sector and the potential breach of Americans’ health data. UnitedHealth’s CEO, Andrew Witty, informed lawmakers in May that the attack may have compromised the data of one-third of the U.S. population.
Change Healthcare’s assessment of the compromised data is nearing completion, and the final number of affected individuals will be reported to the HHS’ Office for Civil Rights at a later date.