The American insurance company UnitedHealth revealed that a cyberattack targeting its subsidiary, Change Healthcare, in February 2024, impacted approximately 190 million individuals—nearly double the initial estimates.
Company spokesperson Tyler Mason stated that most affected individuals have already been notified of the breach, with final data to be submitted to the Office for Civil Rights at the U.S. Department of Health and Human Services later.
UnitedHealth emphasized that, to date, there is no evidence of unauthorized use of the stolen information. A thorough data analysis also found no breaches involving electronic medical records.
The cyberattack marks the largest healthcare data breach in U.S. history, causing months of disruptions to the national healthcare system. Change Healthcare, one of the nation’s largest claims processing operators, manages an immense volume of patient data.
The hackers stole vast amounts of information, including names, addresses, birth dates, phone numbers, email addresses, and documents such as Social Security numbers, driver’s licenses, and passports. Additionally, medical data—diagnoses, test results, treatment plans, and insurance details—was compromised.
Some of the stolen data was leaked online. To prevent further exposure, Change Healthcare reportedly paid the attackers at least two separate ransoms.
Initially, the number of affected individuals was estimated at 100 million. However, after a more detailed investigation, this figure nearly doubled.
The attackers gained access to Change Healthcare’s systems using stolen credentials. UnitedHealth and Change Healthcare continue to collaborate with authorities to investigate the incident and implement measures to enhance cybersecurity.
