United Health Group has announced the final tally of individuals affected in the Change Healthcare data breach has reached 192.7 million, nearly double the company's initial December estimates.
United Health Group provided its final count of individuals affected in the February 2024 Change Healthcare cyber attack: 192.7 million people. The company completed its data review, determined the incident's scope, and finished mailing notification letters to affected individuals. Change Healthcare was attacked by the BlackCat ransomware group, disrupting patient care delivery and claims processing for months across the United States. The company faced challenges in reaching all individuals and acknowledged that complete deduplication was not feasible despite reasonable efforts. About 1.3 million affected individuals were connected with healthcare organizations that did not delegate breach notification responsibility to Change Healthcare. The incident call center, which opened June 20, 2024, will close August 26, marking the last day affected individuals can enroll in complimentary credit monitoring and identity protection services.
Change Healthcare processes approximately 15 billion claim transactions for hundreds of thousands of physicians, pharmacies and other healthcare providers. When lawmakers questioned former UHG CEO Andrew Witty weeks after the attack, he revealed the infiltration occurred in Change's oldest systems that had not yet been updated with multifactor authentication. Witty admitted Change paid a $22 million Bitcoin ransom after the attack and pledged to upgrade the subsidiary with cloud-based security. Witty later appeared before lawmakers again in December, defending UHG against consumer complaints about claims denials following the fatal shooting of UnitedHealthcare executive Brian Thompson at an investors conference in New York City.
"Change Healthcare and its vendors have made reasonable best efforts to deduplicate individuals included in the numbers being provided today," UHG said in its letter to states. "However, despite those efforts, complete deduplication was not feasible."
"Change Healthcare has been mailing written letters on a rolling basis to potentially impacted data owners for whom Change Healthcare has sufficient address information," UHG stated. "This notifications process is now complete."
"The review of personal information potentially involved in this incident is substantially complete," UHG said in the online HIPAA notice.
This breach affects nearly 200 million Americans, making it one of the largest healthcare data breaches in history. With Change Healthcare processing 15 billion transactions annually for hundreds of thousands of providers, this incident exposed the fragility of America's healthcare payment infrastructure and the widespread impact when a single point of failure occurs.
They exploited vulnerabilities in legacy systems that lacked multifactor authentication.
Change Healthcare paid $22 million in Bitcoin, reportedly to regain system access and halt further data exposure.
Smaller providers were especially affected due to greater reliance on Change Healthcare’s centralized systems.
Regulators may intensify scrutiny of third-party processors and require stronger security in legacy systems.