Change Healthcare Breach Almost Doubles in Size to 190 Million Victims


The largest healthcare data breach on record just got even bigger, after UnitedHealth Group (UHG) confirmed that 90 million additional customers were impacted by a ransomware attack on Change Healthcare last year.

The firm said in a statement seen by Infosecurity that its original estimate of 100 million from October was short of the mark and that a final figure will be sent to the US Department of Health and Human Services Office for Civil Rights (HHS OCR) at a later date.

UHG claimed still to be “not aware of any misuse of individuals’ information as a result of this incident, and has not seen electronic medical record databases appear in the data during the analysis.”

The parent company began mailing out breach notification letters on a rolling basis back in July 2024 following the February ransomware intrusion, and confirmed that the “vast majority” of those impacted had now been told.


The case itself was highly unusual in that the BlackCat ransomware group behind it received a $22m extortion payment from UHG, which it apparently pocketed to the exclusion of the ransomware-as-a-service (RaaS) affiliate involved.

That entity then worked with another group, RansomHub, in an attempt to extort Change Healthcare a second time.

Among the data thought to have been compromised are customer contact, health insurance and billing information, including card and banking details, Social Security numbers and driver’s license details.

The hackers are thought to have originally accessed this information after using compromised credentials to log in remotely to a Citrix portal that wasn’t protected with multi-factor authentication (MFA).

The previous largest healthcare breach recorded in the US came when nearly 79 million records were compromised at Anthem back in 2015. The health insurer only last year paid $16m to HHS in a HIPAA settlement.


