It's official: The massive cyberattack against UnitedHealth Group unit Change Healthcare was the biggest healthcare data breach in history.
The ransomware incident in February affected 100 million people, or nearly 30% of the U.S. population, according to the Breach Portal maintained by the Office for Civil Rights at the Health and Human Services Department. That's consistent with what CEO Andrew Witty told a House subcommittee in May, when he testified that the breach ensnared about one-third of the country.
Related: Record number of health data breaches reported in 2024
That makes the Change Healthcare cyberattack the largest ever recorded, surpassing a 2015 breach at Anthem (now named Elevance Health) that hit 78.8 million people, according to the Office for Civil Rights, which enforces privacy regulations.
In April, UnitedHealth Group said the crime, allegedly perpetrated by a ransomware collective called BlackCat (also known as ALPHV or Noberus), exposed personal information about a “substantial proportion of people in America.” In July, the company reported to the Office for Civil Rights that the cyberattack affected 500 people, the minimum number that mandates public disclosure.
The breach exposed information such as names, contact information, Social Security numbers, claims, diagnoses, test results, health insurance member numbers and financial data, UnitedHealth Group previously said. The company has been notifying victims since July.
UnitedHealth Group, which operates Change Healthcare through its Optum subsidiary, may update the 100 million tally as it carries on its investigation, according to a spokesperson. “We continue to notify potentially impacted individuals as quickly as possible, on a rolling basis, given the volume and complexity of the data involved, and the review is in its final stages,” the spokesperson wrote in an email.
The cyberattack snarled the healthcare system, delaying care and financial transactions for months. UnitedHealth Group faces a bevy of lawsuits from the National Community Pharmacists Association and other plaintiffs, including some proposed class-action cases.
The incident sparked an HHS investigation, congressional scrutiny and questions about the downsides of healthcare consolidation related to UnitedHealth Group's acquisition of Change Healthcare in 2022.
The fallout continues at UnitedHealth Group. Last week, the company raised its estimate of the breach's cost to $2.2 billion. Moreover, the company disclosed that fewer customers are connected to Change Healthcare after they found alternate vendors. Change Healthcare still has not restored all of its systems.
Tim Broderick contributed to this story.
