Getty Images
Change Healthcare data breach victim count rises to 190M
UnitedHealth Group previously said that the Change Healthcare data breach affected 100 million individuals, but new figures suggest the breach victim count has nearly doubled.
The Change Healthcare data breach victim count has risen to 190 million, UnitedHealth Group stated. The updated figure is nearly double the breach tally reported to regulators in July 2024.
"The vast majority of those people have already been provided individual or substitute notice," UnitedHealth Group stated. "The final number will be confirmed and filed with the Office for Civil Rights at a later date."
As previously reported, Change Healthcare suffered a cyberattack in February 2024 that led to widespread disruptions across the U.S. healthcare system. From independent physician practices to large hospital systems, the cyberattack against Change Healthcare affected the revenue cycle and operations significantly in the weeks and months following the incident.
BlackCat/ALPHV ransomware actors claimed responsibility for the cyberattack, in which they reportedly exfiltrated six terabytes of data. UnitedHealth Group later confirmed that it paid a $22 million ransom in an effort to recover system access.
As of Oct. 15, 2024, Change Healthcare's services were restored and the company was in the process of collecting repayments from providers who took advantage of Change Healthcare's temporary funding assistance program.
In December 2024, Nebraska Attorney General Mike Hilgers became the first state attorney general to file a lawsuit against Change Healthcare in the wake of the cyberattack.
When the breach victim count sat at 100 million, it was already the largest healthcare data breach reported to regulators in history. With the updated tally, the Change Healthcare incident has affected more than half of the U.S. population, expanding the scope of the breach significantly.
UnitedHealth Group said that it is not aware of any misuse of individuals' information as a result of the breach, and no electronic medical record databases have appeared in the affected data during its analysis of the incident.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
