UnitedHealth confirmed that the ransomware attack on its Change Healthcare unit last February affected about 190 million people in America, nearly double previous estimates.
The US health insurance giant confirmed the latest data to TechCrunch after the markets closed on Friday.
“Change Healthcare has determined that the estimated total number of individuals affected by the Change Healthcare cyberattack is approximately 190 million,” said Tyler Mason, spokesperson for UnitedHealth Group in an email to TechCrunch. “The vast majority of these people have already been provided with an individual or replacement notice. The final number will be confirmed and filed with the Office for Civil Rights at a later date.”
The UnitedHealth spokesperson said the company was “not aware of any misuse of individuals’ information following this incident and did not see electronic health record databases appear in the data during the analysis.”
The February 2024 cyberattack represents the largest medical data breach in U.S. history and caused months of disruption to the U.S. healthcare system. Change Healthcare, a healthcare technology giant and subsidiary of UnitedHealth, is one of the largest managers of health, medical and medical data; it is also one of the largest healthcare claims processors in the United States.
The data breach resulted in the theft of massive amounts of health and insurance information, some of which was posted online by hackers who claimed responsibility for the breach. Change Healthcare subsequently paid at least two ransoms to prevent further publication of the stolen files.
UnitedHealth had previously estimated the number of people affected at about 100 million people when the company submitted its preliminary analysis to the Office for Civil Rights, the unit of the U.S. Department of Health and Human Services that investigates violations of the data.
In its data breach notification, Change Healthcare said cybercriminals stole names and addresses, dates of birth, phone numbers, email addresses and government identification documents, including Social Security numbers, driver’s license numbers driving license and passport numbers. Stolen health data also includes diagnoses, medications, test results, imaging, care and treatment plans, as well as health insurance information. Change said the data also includes financial and banking information found in patient claims.
The breach was attributed to the ALPHV ransomware group, a prolific Russian-speaking cybercrime group. According to testimony UnitedHealth Group CEO Andrew Witty gave to lawmakers last year, hackers broke into Change’s systems using stolen account credentials, which were not protected with multi-factor authentication.
