UnitedHealth has confirmed that the February ransomware attack on Change Healthcare exposed the personal and healthcare data of over 100 million people, marking the largest healthcare data breach in recent years.
UnitedHealth has confirmed that over 100 million individuals had their personal and healthcare information stolen during a February ransomware attack on its subsidiary, Change Healthcare, marking the largest healthcare data breach in recent years. The figure, now reflected on the U.S. Department of Health and Human Services (HHS) data breach portal, quantifies the scale of the incident and represents a significant exposure of sensitive medical and personal data in the U.S.
See also: HIPAA Compliant Email: The Definitive Guide
On February 21, 2024, Change Healthcare fell victim to a cyberattack that disrupted essential healthcare operations. “Initially suspected to be the work of a ‘nation-state associated cyber security threat actor,’ further investigations revealed the ransomware group BlackCat as the perpetrator of the attack,” writes Paubox. This incident led to delays in claims processing and revenue management services. In response, UnitedHealth Group allocated resources to minimize the impact by prioritizing access to care and medications. Initiatives were launched to provide funding support programs to ease short-term cash flow challenges.
On June 20, Change Healthcare announced a data breach, providing details about the cyberattack and the compromised data. The company also confirmed that it had started notifying affected entities and planned to send individual breach notifications in late July.
According to Bleeping Computer, at a congressional hearing in May, UnitedHealth CEO Andrew Witty warned of the potential scale of the breach, stating that “maybe a third” of all Americans’ health data could have been compromised. Change Healthcare’s subsequent public statements confirmed that “substantial” amounts of data were compromised. On October 22, the HHS Office for Civil Rights (OCR) FAQ page confirmed that “approximately 100 million individual notices have been sent regarding this breach.” The continuing ramifications of this incident make it one of the most significant healthcare data breaches on record.
The range of data stolen in this incident is broad. It includes health insurance data such as policy numbers and Medicaid/Medicare information; health data such as diagnoses, test results, and treatment plans; and financial and payment information, including billing codes and account numbers. In some cases, sensitive personal identifiers such as Social Security numbers and driver’s license numbers were also compromised.
The magnitude of the breach underscores the consequences of insufficient security controls for protecting patient data. The attack also shows that ransomware groups may not honor agreements to delete stolen data, exposing a critical flaw in the "pay-to-delete" arrangement that many victim companies rely on. Ransomware gangs operate outside any legal or ethical framework, so victims have no guarantee that their sensitive data won’t still be leaked or sold.
Learn more: To pay or not to pay: Cyberattack ransoms in healthcare
A ransomware attack is a cyberattack in which malicious software (ransomware) encrypts the victim’s data, making it inaccessible. The attacker then demands a ransom payment in exchange for a decryption key to restore access. Many groups, including the one behind this attack, also steal copies of the data before encrypting it and threaten to publish them, which is why a promise to delete stolen data carries so much weight for victims. Ransomware attacks often target businesses, healthcare providers, and government institutions.
Law enforcement and cybersecurity experts generally advise against paying a ransom, as there is no guarantee that the attackers will provide a working decryption key or delete the stolen data. Paying a ransom can also encourage further attacks and fund criminal activity. Many organizations instead focus on restoring from backups and strengthening their security controls after an attack.
Cybercriminals typically target organizations that hold valuable data or are essential service providers, such as healthcare, finance, or government sectors. They may also choose organizations that appear to have weak cybersecurity defenses or that may be more likely to pay a ransom to restore critical services quickly.