UnitedHealth Group announced that the February 2024 cyberattack on its Change Healthcare division impacted approximately 190 million Americans, making it the largest medical data breach in U.S. history. This new figure nearly doubles the company's initial estimate of 100 million affected individuals.
The massive data breach occurred when the ALPHV ransomware group, a Russian language cybercrime organization, infiltrated Change Healthcare's systems using stolen login credentials that lacked multi-factor authentication protection.
The compromised information includes:
- Personal identification details (names, addresses, dates of birth)
- Contact information (phone numbers, email addresses)
- Government-issued documents (Social Security numbers, driver's licenses, passports)
- Medical records (diagnoses, medications, test results, imaging)
- Treatment information and care plans
- Health insurance details
- Financial and banking data from patient claims
Tyler Mason, UnitedHealth Group spokesperson, stated that most affected individuals have already received notification of the breach. The company reports no evidence of misuse of the stolen information or appearance of electronic medical record databases in their ongoing analysis.
The attack severely disrupted the U.S. healthcare system, causing months of outages across medical facilities nationwide. Change Healthcare, which processes a substantial portion of healthcare claims in the United States, reportedly paid multiple ransoms to prevent further publication of the stolen data.
The final tally of affected individuals will be submitted to the Office for Civil Rights at the U.S. Department of Health and Human Services at a later date.