Change Healthcare Breach Affected 100M People: UnitedHealth
‘Approximately 100 million individual notices have been sent regarding this breach,’ the U.S. Department of Health and Human Services says.
UnitedHealth Group disclosed that data belonging to an estimated 100 million individuals was impacted in the widely felt breach of Change Healthcare earlier this year.
The insurer had already said in June it believes sensitive patient medical data was exposed in the February attack. And during testimony at a U.S. House Of Representatives hearing on May 1, UnitedHealth Group CEO Andrew Witty said that “maybe a third” of all Americans were impacted in the attack.
[Related: 10 Major Cyberattacks And Data Breaches In 2024 (So Far)]
In an online update Thursday, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services updated the figure of impacted individuals.
“On October 22, 2024, Change Healthcare notified OCR that approximately 100 million individual notices have been sent regarding this breach,” the updated website said.
A Reuters report indicated this makes the Change Healthcare attack the largest U.S. healthcare breach to date.
Medical data stolen during the attack may have included “diagnoses, medicines, test results, images, care and treatment,” according to the data breach notification posted by Change Healthcare in June.
First disclosed Feb. 22, the Change Healthcare attack caused massive disruption in the U.S. health care system for weeks. The IT system shutdown initiated in response to the ransomware attack prevented many pharmacies and hospitals, as well as other health-care facilities and offices, from processing claims and receiving payments.
The Russian-speaking cybercriminal group known by the names of Blackcat and Alphv claimed responsibility for the ransomware attack. Witty confirmed in his Congressional testimony in May that UnitedHealth paid a $22 million ransom following the attack.
Subsequently, a different cybercriminal gang, known as RansomHub, posted data it claimed was stolen from Change Healthcare.
UnitedHealth said in late April that data belonging to a “substantial proportion” of Americans may have been stolen in the attack against prescription processor Change Healthcare, a unit of the insurer’s Optum subsidiary.