UnitedHealth Group reported Jan. 24 that it determined the estimated total number of people impacted by last year’s Change Healthcare attack was nearly 190 million.
The news was considered significant because it was estimated by UnitedHealth in October that 100 million Americans were affected. With the most recent figures indicating that nearly twice as many people were affected further solidifies the UnitedHealth Group breach as being the largest healthcare breach in history.
UnitedHealth spokesperson Tyler Mason said the vast majority of the 190 million have already been provided “individual or substitute notice” in a statement emailed to SC Media.
“The final number will be confirmed and filed with the Office for Civil Rights [at HHS] at a later date,” said Mason. “Change Healthcare is not aware of any misuse of individuals’ information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis.”
Despite the soft-pedal by UnitedHealthcare, the Jan. 24 update comes on the heels of its CEO, Brian Thompson, being shot and killed in December in New York City in broad daylight.
The media was filled with reports that pharmacies could not fill prescriptions, especially for Medicaid patients, after news of the Change Healthcare breach first broke in February 2024.
UnitedHealth CEO Andrew Witty testified in May at a Senate hearing on the breach, telling senators the company was providing credit monitoring for the affected patients. Sen. Ron Wyden, D-Ore., shot back: “Credit monitoring is the ‘thoughts and prayers’ of data breaches, this is absolutely inefficient.”
Piyush Pandey, chief executive officer at Pathlock, said the incident demonstrates that data breaches involving sensitive data — such as patients’ health insurance information, medical records, billing and payment information, as well as sensitive personal information — can have far-reaching implications.
HIPAA does not strictly require healthcare organizations to enforce multi-factor authentication (MFA), however Pandy said the Change Healthcare ransomware attack clearly demonstrates how not having MFA greatly increases risk and can lead to disastrous consequences.
“Lawmakers should introduce more stringent compliance requirements in this area, and not only require MFA, but also mandate that organizations invest in processes for proactive visibility into who has access to what, and implement continuous access controls monitoring so they can prevent such attacks from spreading across their entire organization,” said Pandey.
Darren Guccione, co-founder and CEO of Keeper Security, said the revelation that 190 million Americans were affected by the Change Healthcare ransomware attack is a stark reminder of the magnitude of modern cyber threats. Guccione said this update also underscores the complex and prolonged nature of investigating incidents like these.
“The sheer volume of sensitive personal and healthcare data stolen highlights the critical need for more robust cybersecurity measures across the healthcare sector,” said Guccione. “Determining the true impact of an attack of this scale often takes months, or even years as organizations must uncover the full extent of data exposure, verify the accuracy of the breach reports and navigate evolving regulatory requirements.”
Rebecca Moody, head of data research at Comparitech, added that the Change Healthcare breach was already the biggest-known ransomware breach to date even before the figure increased, according to our data. However, Moody said the latest figure puts it way ahead of the second-place MOVEit case, which saw nearly 96 million records breached (at least) in its exploit in 2023.
“In 2024, we tracked 236 confirmed ransomware attacks on companies operating within the healthcare sector across the globe,” said Moody. “These attacks breached 231,664,818 individual records, making it a record-breaking year for the number of records breached within any industry. We also noted an average ransom demand of $7.4 million across these attacks.”
