Facepalm: UnitedHealth Group has confirmed that the ransomware attack on its subsidiary Change Healthcare last February impacted approximately 190 million individuals across the United States. This staggering figure is nearly double the previous estimate of 100 million people affected. The stolen data trove contains a wide range of personal and medical information.
The healthcare giant revealed the latest numbers in an email to TechCrunch on Friday evening.
"Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million," said Tyler Mason, a spokesperson for UnitedHealth Group. He added that the vast majority have already received individual notification or substitute notice about the breach.
Despite the sheer scale of the compromised personal data, UnitedHealth maintains there is no evidence of any misuse of individuals' information resulting from the incident so far. The company also claims it has not discovered any of the stolen electronic medical record databases appearing online during its analysis.
The massive data breach, which occurred in February 2024, is now regarded as the largest healthcare-related cyberattack in US history. It caused widespread disruptions and outages across the nation's healthcare system for several months. Its scale eclipses the previous record holder, the 2015 healthcare data breach involving Anthem Inc., which impacted around 78.8 million individuals.
Change Healthcare, acquired by UnitedHealth in 2022, is one of the largest processors of medical claims and handlers of sensitive health data in the country. The stolen patient data includes names, dates of birth, contact details, government ID numbers such as Social Security numbers, medical diagnoses, test results, treatment plans, insurance information, and even financial data.
Investigators have attributed the attack to the notorious Russian cybercrime group ALPHV, also known as BlackCat. The hackers gained initial access using a stolen account credential that lacked multi-factor authentication security, according to UnitedHealth.
The ALPHV gang then deployed its powerful ransomware, encrypting Change Healthcare's data and threatening to publish the stolen information online unless a ransom was paid. However, even though the ransom was paid, some of the stolen data was still leaked on the internet by the hackers.
The financial fallout has been severe. Profits for the company dropped by over a third in 2024, falling from around $22.3 billion in 2023 to approximately $14.4 billion last year. The total cost of recovery and remediation efforts is projected to be between $2.3 billion and $2.5 billion.
Following the breach, the Office for Civil Rights within the US Department of Health and Human Services recommended that healthcare providers enhance security measures. This includes implementing multi-factor authentication, encrypting patient data, and conducting regular compliance checks to identify potential vulnerabilities.
The incident further illustrates how the healthcare sector remains the primary target for bad actors.