The U.S. healthcare system, UnitedHealth Group, has confirmed that a February 2024 ransomware attack on its subsidiary, Change Healthcare, compromised the personal and healthcare data of approximately 190 million individuals.
This figure, nearly double the initial estimate of 100 million, marks the largest breach of medical data in U.S. history.
The health insurance giant disclosed the updated numbers late Friday in a statement to TechCrunch. “Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million,” said Tyler Mason, spokesperson for UnitedHealth Group.
Mason added that most affected individuals have already been notified, either directly or through substitute notices and that the final tally will be reported to the Office for Civil Rights (OCR) under the Department of Health and Human Services.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
Change Healthcare, a critical player in the U.S. healthcare ecosystem processes vast quantities of medical claims and manages sensitive patient records for hospitals and insurers nationwide.
The February cyberattack not only exposed personal identifying information (PII) but also healthcare-related data, including insurance details and medical records. Some of this stolen information was subsequently leaked online by the hackers responsible for the breach.
Despite these alarming developments, UnitedHealth stated it has “not seen electronic medical record databases appear in the data during analysis” and is “not aware of any misuse of individuals’ information as a result of this incident.”
However, cybersecurity experts warn that such assurances may provide little comfort to affected individuals, given the long-term risks associated with stolen medical data, which can be exploited for identity theft or fraudulent insurance claims.
Ransom Payments Made
In response to the attack, Change Healthcare reportedly paid at least two ransoms to prevent further publication of stolen files. The financial terms of these payments remain undisclosed, but such actions underscore the severity of the breach and its potential repercussions.
The cyberattack caused months-long disruptions across the U.S. healthcare system, delaying claims processing and impacting patient care. Hospitals and clinics reliant on Change Healthcare’s services were forced to adopt manual processes or alternative solutions during the outage.
UnitedHealth’s latest disclosure will likely intensify scrutiny from regulators and lawmakers. The OCR is already investigating the breach as part of its mandate to enforce compliance with the Health Insurance Portability and Accountability Act (HIPAA).
This incident also raises broader questions about cybersecurity resilience in the healthcare sector. With ransomware attacks on healthcare providers becoming increasingly common, experts are calling for stricter regulations and greater investment in cybersecurity infrastructure to protect patient data.
Trust in healthcare providers’ ability to safeguard sensitive information has been severely compromised for nearly 190 million Americans affected by this breach.
As investigations continue, this unprecedented attack will likely prompt industry-wide reforms aimed at preventing similar incidents in the future.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar
