The cyberattack on Change Healthcare, UnitedHealth Group’s technology subsidiary, has impacted 192.7 million individuals. This updated figure, now listed on the U.S. Department of Health and Human Services (HHS) Office for Civil Rights breach portal, is a substantial increase from the company’s previous estimates and solidifies the incident’s place as the largest healthcare data breach in U.S. history.
The breach, which was first disclosed in February 2024, brought widespread disruption to the U.S. healthcare system, severely hampering claims processing and impacting patients and providers nationwide. The cybercriminals, identified as the Blackcat/ALPHV ransomware group, exploited a vulnerability in a remote access portal that lacked multi-factor authentication. They stole a massive amount of data, reportedly up to 6 terabytes, before deploying ransomware. The stolen data is believed to include sensitive information such as health insurance member IDs, patient diagnoses, treatment details, Social Security numbers, and billing codes.
While UnitedHealth Group reportedly paid a $22 million ransom to prevent the data from being leaked, the ransomware group allegedly pulled an “exit scam,” shutting down its operations without paying its affiliate. The stolen data was then passed on to another group, RansomHub, which also demanded a ransom payment. The incident has led to a wave of lawsuits against UnitedHealth Group and prompted investigations by federal agencies, including the HHS.
The financial fallout for UnitedHealth has been immense, with the company reporting billions in response costs and total impact from the cyberattack. The prolonged outage of Change Healthcare’s systems also caused a severe cash flow crisis for many healthcare providers, pushing some to the brink of closure. UnitedHealth Group has offered a temporary funding assistance program to help mitigate the financial strain on affected providers.
In response to the breach, Change Healthcare began mailing written notices to affected individuals in July 2024 and has provided resources such as free credit monitoring and identity protection services. The incident serves as a stark reminder of the vulnerabilities within the healthcare system and the critical need for robust cybersecurity measures.