Introduction

UnitedHealth Group (UHG) has confirmed a significant ransomware attack on its subsidiary, Change Healthcare [1] [2] [3] [4] [5] [6] [7], marking the largest healthcare data breach in US history [1] [5] [6] [7]. This incident has exposed sensitive information of approximately 190 million individuals, raising serious privacy concerns and highlighting the vulnerabilities within the healthcare sector.

Description

UnitedHealth Group (UHG) confirmed that a significant ransomware attack on Change Healthcare [1] [6], a subsidiary of UHG, occurred on February 21, 2024 [3] [7], impacting the data of approximately 190 million individuals, nearly double earlier estimates of around 100 million. This breach is now recognized as the largest healthcare data breach in US history [7], affecting nearly a third of the US population. The exposed information spans personal, health and insurance-related details: names, addresses [5] [6], dates of birth [5] [6], phone numbers [5] [6], email addresses [5] [6], Social Security Numbers [2] [5] [6], driver’s license numbers [5] [6], passport numbers [5] [6], medical record numbers [5], diagnoses [5] [6], medications [2] [6], test results [5] [6], treatment details [5], and billing and payment data [2] [5], including claim numbers and financial information. UHG stated that it is not aware of any misuse of individuals’ information resulting from this incident [1], although the potential risks include identity theft and medical fraud, where cybercriminals could file fake insurance claims or access unauthorized medical services [2].

The attack, attributed to the BlackCat ransomware gang (ALPHV) [2], severely disrupted healthcare services [2], leading to significant outages across the healthcare system and challenges for patients in processing claims and paying for medications. UHG reportedly paid an initial ransom of $22 million to obtain a decryptor and prevent the public release of stolen data, but the attackers executed an exit scam [5], leaving their affiliates unpaid [5]. Subsequently [5], another ransomware group [4] [5], RansomHub [2] [5], claimed to have the stolen data and listed Change Healthcare as a victim [5]. This situation underscores the risks associated with paying ransoms [2], as it does not guarantee resolution and may lead to further exploitation [2]. The total costs associated with the breach have reached approximately $3.1 billion.

The majority of those affected have been notified [7], with notifications beginning in June following the incident. A final figure regarding the total number of impacted individuals will be reported to the US Department of Health and Human Services Office for Civil Rights (HHS OCR) at a later date. The exposure of sensitive medical information raises significant privacy concerns [2], potentially resulting in profound personal and professional repercussions [2]. In light of the breach, the American Hospital Association has urged UHG to formalize breach notifications for providers and customers to enhance transparency and response efforts. Additionally, several health organizations have initiated lawsuits against UnitedHealth Group in response to the incident [4].

Conclusion

The ransomware attack on Change Healthcare has had far-reaching impacts, disrupting healthcare services and exposing sensitive data of millions. The incident underscores the critical need for robust cybersecurity measures in the healthcare sector. The breach notifications and the legal actions that followed highlight the importance of transparency and accountability. Moving forward, healthcare organizations must prioritize data protection to mitigate risks and safeguard patient information against future cyber threats.

References

[1] https://www.infosecurity-magazine.com/news/change-healthcare-breach-doubles/
[2] https://www.forbes.com/sites/alexvakulov/2025/01/27/unitedhealth-data-breach-escalates-190-million-americans-impacted/
[3] https://www.aha.org/news/headline/2025-01-27-reports-change-healthcare-cyberattack-exposed-data-190-million-people
[4] https://www.hcinnovationgroup.com/cybersecurity/data-breaches/news/55263828/change-healthcare-tallies-190-million-data-breach-victims
[5] https://www.malwarebytes.com/blog/news/2025/01/unitedhealth-almost-doubles-victim-numbers-from-massive-change-healthcare-data-breach
[6] https://finance.yahoo.com/news/unitedhealth-confirms-190-million-americans-231613767.html
[7] https://www.crn.com/news/security/2025/change-healthcare-breach-impacted-data-of-190-million-people-unitedhealth