Skip to main content
close search
site logo
Dive Brief

UnitedHealth hikes number of Change cyberattack breach victims to 190M

The new estimate nearly doubles the company’s previous report of 100 million affected individuals, already the largest healthcare data breach ever reported to federal regulators.

Published Jan. 27, 2025
Emily Olsen's headshot
Reporter
UnitedHealth Group office
The massive cyberattack on UnitedHealth-owned Change Healthcare last year compromised the data of about 190 million people. Courtesy of UnitedHealth Group

First published on

Healthcare Dive

Dive Brief:

  • The massive cyberattack on Change Healthcare last year may have compromised the data of about 190 million people — more than half the U.S. population, according to an update from its parent company UnitedHealth on Friday.
  • The new estimate of affected individuals far surpasses Change’s previous tally. In October, the technology firm and claims processor said the ransomware attack exposed information from 100 million Americans, making it the largest healthcare data breach ever reported to federal regulators.
  • Change isn’t aware of any misuse of exposed data as a result of the breach, and hasn’t seen electronic medical record databases appear in its analysis of compromised information, a UnitedHealth spokesperson said.

Dive Insight:

The vast majority of the 190 million affected individuals have already been notified, either through individual letters or through the substitute notice published on the company’s website. Data exposed could include contact information, health insurance details, health information and billing and claims data, according to the notice.

The update comes weeks after UnitedHealth reported a significant financial hit from the Change cyberattack during an earnings call. The healthcare giant spent $3.1 billion responding to the attack in 2024, outstripping previous spending estimates.

The ransomware attack that hit Change in February last year set off weeks of disruptions for the healthcare sector. A group called AlphV, also known as Blackcat, claimed responsibility for the incident. UnitedHealth CEO Andrew Witty later confirmed the company paid a $22 million ransom in Bitcoin in an attempt to protect personal information after the attack.

Providers reported a range of financial and operational challenges during the outage, which hamstrung their ability to receive reimbursement for services, check patients’ insurance coverage and file prior authorization requests. Some practices worried they would fold if payments were held up for too long, leading both UnitedHealth and the CMS to set up financial assistance programs for providers after the attack. 

Lawmakers also raised concerns about the attack’s impact on the sector — and the potentially huge breach of Americans’ health data. In May, Witty told lawmakers the attack may have compromised the data of one third of people in the U.S.

Change’s review of compromised data is now substantially complete, according to a UnitedHealth spokesperson. The final number will be confirmed and filed with the HHS’ Office for Civil Rights at a later date.

Recommended Reading

Filed Under: Breaches, Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
Americans Growing More Dependent on Digital Services, but Trust in Data Privacy Remains Low, N…
From Upwind
January 28, 2025
Medusind Data Breach Investigation
From Migliaccio and Rathod LLP
January 08, 2025
DNS4EU Achieves 2024 Milestones in EU Cybersecurity, Public Resolver Launch Set for 2025
From Whalebone
January 21, 2025
Excelsior Orthopaedics Data Breach Investigation
From Migliaccio and Rathod LLP
January 08, 2025
Editors' picks
Latest in Breaches
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.