UnitedHealth has confirmed the ransomware attack on its Change Healthcare unit last February affected around 190 million people in America — nearly double previous estimates.
The U.S. health insurance giant confirmed the latest number to TechCrunch on Friday after the markets closed.
“Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million,” said Tyler Mason, a spokesperson for UnitedHealth Group in an email to TechCrunch. “The vast majority of those people have already been provided individual or substitute notice. The final number will be confirmed and filed with the Office for Civil Rights at a later date.”
UnitedHealth’s spokesperson said the company was “not aware of any misuse of individuals’ information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis.”
The February 2024 cyberattack is the largest breach of medical data in U.S. history and caused months of outages across the U.S. healthcare system. Change Healthcare, a health tech giant and UnitedHealth subsidiary, is one of the largest handlers of health, medical data, and patient records; it’s also one of the biggest processors of healthcare claims in the United States.
The data breach resulted in the theft of massive quantities of health and insurance-related information, some of which was published online by the hackers who claimed responsibility for the breach. Change Healthcare subsequently paid at least two ransoms to prevent further publication of the stolen files.
UnitedHealth previously put the number of affected individuals at around 100 million people when the company filed its preliminary analysis with the Office for Civil Rights, the unit under the U.S. Department of Health and Human Services that investigates data breaches.
In its data breach notice, Change Healthcare said that the cybercriminals stole names and addresses, dates of birth, phone numbers, email addresses, and government identity documents, which included Social Security numbers, driver’s license numbers, and passport numbers. The stolen health data also includes diagnoses, medications, test results, imaging, and care and treatment plans, as well as health insurance information. Change said the data also includes financial and banking information found in patient claims.
The breach was attributed to the ALPHV ransomware gang, a prolific Russian language cybercrime group. According to testimony by UnitedHealth Group’s CEO Andrew Witty to lawmakers last year, the hackers broke into Change’s systems using a stolen account credential, which was not protected with multi-factor authentication.
