A ransomware attack against Change Healthcare last year exposed data on a record-breaking 190 million people, parent company UnitedHealth Group reported Friday.
That's 90 million more people than the company, which operates Change Healthcare through its Optum subsidiary, disclosed to federal regulators in October. It also amounts to 55% of the U.S. population. A cyberattack against Anthem (now Elevance Health) in 2015, which affected nearly 80 million people, was the previous record holder in the healthcare sector.
Related: Finding some good news after a bad year for cyberattacks
Most people have already been notified, a UnitedHealth Group spokesperson said Friday. The exposed data include names, contact information, Social Security numbers, claims, diagnoses, test results, health insurance member numbers and financial information, the company previously said.
“Change Healthcare is not aware of any misuse of individuals’ information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis," the spokesperson said Friday.
Last February, a hacker collective known as BlackCat, ALPHV or Noberus allegedly accessed Change Healthcare systems and demanded a ransom from UnitedHealth Group, which the company eventually paid. In April, UnitedHealth Group CEO Andrew Witty acknowledged to Congress that the company failed to secure a Change Healthcare server with multifactor authentication, leaving it vulnerable.
The incident created chaos across the U.S. healthcare industry, underscoring Change Healthcare's central but mostly unseen role in billing, claims, prescriptions and other processes throughout the system.
UnitedHealth Group was forced to take Change Healthcare's systems offline following the breach, and spent months restoring them.
In the meantime, pharmacy transactions, claims processing, provider reimbursements, prior authorizations and other functions grounded to a halt. Some providers sought alternate vendors while others dealt with various workarounds UnitedHealth Group and the federal government facilitated. Change Healthcare’s main clearinghouse platform wasn't back up until November, and three products remain only partially available, according to the company.
The cyberattack cost UnitedHealth Group more than $2.4 billion last year.
