Skip to main content
close search
site logo
Dive Brief

Change Healthcare data breach officially affects 100M people

The breach is the largest ever reported to a portal managed by federal regulators.

Published Oct. 25, 2024
Emily Olsen's headshot
Reporter
UnitedHealth Group office
A data breach after the massive cyberattack at Change Healthcare may have exposed information from 100 million people. Courtesy of UnitedHealth Group

First published on

Healthcare Dive

Dive Brief:

  • The massive Change Healthcare cyberattack could have compromised data from 100 million people — the largest healthcare data breach ever reported to federal regulators. 
  • The ransomware attack on the UnitedHealth-owned technology firm surpasses the previous record, a 2015 data breach at Anthem, now Elevance Health, that exposed information from 78.8 million Americans, according to a portal run by the Department of Health and Human Services’ Office for Civil Rights.
  • Questions have also swirled for months about the potentially huge data breach, given Change’s role as a major medical claims processor that handles billions of claims each year. UnitedHealth CEO Andrew Witty estimated before Congress in May that one-third of individuals in the U.S. could be impacted by the breach. 

Dive Insight: 

Change was hit by a ransomware attack in February, causing weeks of disruptions for the healthcare industry. 

Providers reported challenges checking patients’ insurance coverage, filing prior authorization requests, and receiving payments for their services — raising concerns some practices could fold without an influx of cash. The CMS and UnitedHealth stood up financial relief programs for providers struggling to collect reimbursements during the outage.

Responding to the cyberattack has cost UnitedHealth too. Earlier this month, the healthcare giant said it has recorded $2.5 billion in total impacts from the attack through the nine months ended Sept. 30, including $1.7 billion in direct response costs.

Change began notifying its customers if their members’ or patients’ data was impacted in June, and started to send letters to affected individuals in July. 

The company is in “regular communication” with the HHS, OCR and other regulators regarding the notification process, a UnitedHealth spokesperson told Healthcare Dive.

“We continue to notify potentially impacted individuals as quickly as possible, on a rolling basis, given the volume and complexity of the data involved and the investigation is still in its final stages,” the spokesperson said in an email.

The breach report from Change comes as data breaches in the healthcare industry affect more Americans and expose sensitive health data. During an interview at the HLTH conference earlier this week, OCR Director Melanie Fontes Rainer said about 140 million people were affected by large breaches in 2023, up from 51 million in 2022.

“And this year, with both the Change breach and Ascension breach, we expect that number to potentially double or go higher,” she said.

Change incident outstrips other breaches in 2024

Data breaches reported to OCR this year affecting more than one million people

Recommended Reading

Filed Under: Breaches, Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Breaches
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell