UnitedHealth has confirmed that the cyberattack on its subsidiary, Change Healthcare, last February impacted around 190 million people—almost double the initial estimate.
In a statement to TechCrunch on Friday, UnitedHealth spokesperson Tyler Mason clarified the new figure: “Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million,” Mason said. He added that most affected individuals have already been notified directly or via substitute notices, and a final tally will be submitted to the Office for Civil Rights (OCR) later.
Mason emphasized that UnitedHealth has not found any indication that personal information was misused following the breach, noting that no electronic medical records were involved in the compromised data.
The February 2024 attack, which remains the largest medical data breach in U.S. history, crippled parts of the U.S. healthcare system for months. Change Healthcare, a major player in health tech and one of the largest medical data processors in the U.S., was targeted in the breach, which resulted in the theft of vast amounts of health and insurance data.
The hackers, who claimed responsibility for the attack, published portions of the stolen data online. Change Healthcare, to prevent further leaks, reportedly paid at least two ransoms.
Initially, UnitedHealth estimated that the breach had affected around 100 million individuals. However, after further investigation, the company updated the figure, confirming a far larger scale of impact. The company had previously submitted its preliminary analysis to the OCR, a U.S. Department of Health and Human Services division responsible for investigating data breaches.
The breach exposed sensitive personal and health information, including names, addresses, dates of birth, contact details, and government-issued IDs such as Social Security numbers, driver’s licenses, and passport numbers. Data on medical diagnoses, medications, test results, imaging, treatment plans, and insurance details were also compromised. Even financial and banking data linked to patient claims were among the stolen information.
The cyberattack was attributed to the ALPHV ransomware group, a well-known Russian-speaking cybercriminal organization. According to testimony from UnitedHealth CEO Andrew Witty last year, the hackers gained access to Change Healthcare’s systems by exploiting a stolen account credential that lacked multi-factor authentication.
