UnitedHealth has confirmed that a ransomware attack on its health care unit last February affected about 190 million people in the United States, nearly matching previous estimates.
The US health insurance giant confirmed TechCrunch's latest numbers on Friday after markets closed.
"Change Healthcare has identified the total number of individuals impacted by Change's cyberattack to be approximately 190 million," UnitedHealth Group spokesman Tyler Mason said in an email to TechCrunch. "The vast majority of these individuals have been issued individual or substitute notices. Final numbers will be confirmed and submitted to the Office for Civil Rights at a later date."
A spokesman for UnitedHealth said the company "misused personal information as a result of this incident and did not see the electronic medical record database appear in the data during the analysis."
The February 2024 cyberattack was the largest breach of medical data in U.S. history and caused outages across the U.S. health care system for months. Change Healthcare, a health tech giant and subsidiary of UnitedHealth, is one of the largest processors of health, medical data, and patient records; it is also one of the largest processors of healthcare claims in the United States.
The data breach resulted in the theft of a large amount of health and insurance-related information, some of which was posted online by the hackers who claimed responsibility for the breach. Change Healthcare subsequently paid at least two ransoms to prevent further release of the stolen documents.
UnitedHealth previously put the number of affected individuals at about 100 million when it submitted a preliminary analysis to the Office for Civil Rights, the arm of the U.S. Department of Health and Human Services that investigates data breaches.
Change Healthcare said in its data breach notification that cybercriminals stole names and addresses, dates of birth, phone numbers and email addresses, as well as government identity documents, including Social Security numbers, driver's license numbers and passport numbers. The stolen health data also included diagnoses, medications, test results, imaging, care and treatment plans, and health insurance information. The data also includes financial and banking information found in patient claims, Change said.
The breach was attributed to the Alphv ransomware gang, a prolific Russian cybercrime group. According to UnitedHealth Group CEO Andrew Witty's testimony to lawmakers, the hackers broke into Change's systems using stolen account credentials that were not protected by multi-factor authentication.