UnitedHealth: 100 Million Impacted By Change Ransomware Attack
This week, UnitedHealth confirmed that 100 million people had their personal and healthcare data compromised in the February Change Healthcare ransomware attack.
More than 100 million people were impacted by the Change Healthcare ransomware attack in February, making the incident the largest U.S. healthcare breach to date.
The Big Picture: On Oct. 22, Change Healthcare notified the U.S. Department of Health and Human Services Office for Civil Rights (HHS) that it had sent 100 million individual data breach notices, informing people that their personal and healthcare data had been compromised as part of the attack.
Previous statements haven’t pointed to an exact number of Americans impacted by the breach. In April, Change Healthcare officials said that attackers gained access to healthcare and personal information “which could cover a substantial proportion of people in America.” In May, Andrew Witty, CEO of UnitedHealth (Change’s parent company), said in government testimony that the breach potentially impacted one-third of the U.S. population.
The number of individuals impacted in the Change Healthcare attack is far higher than those impacted by breaches at other healthcare organizations in the HHS breach notification portal, which lists all incidents within the past 24 months that are currently under investigation. The organization with the second-highest number of impacted individuals is Welltok, Inc., which was hit by a 2023 MOVEit Transfer data breach that affected 14.76 million.
The Background: Change Healthcare first detected the breach on Feb. 21 and later paid a $22 million ransom. In the wake of the attack, the organization struggled to bring its systems back online. The attack led to widespread issues at hospitals, pharmacies and healthcare providers, which rely on the company’s services for filling prescriptions, submitting insurance claims and receiving payments.
Further Details: More details about the ransomware attack have slowly trickled out over the past few months. Threat actors behind the attack gained initial access by using compromised credentials for a Citrix remote access portal that didn’t have MFA enabled.
After determining that attackers stole personally identifiable information and healthcare data as part of the incident earlier this year, Change Healthcare started sending out data breach notification letters to impacted people in July.
The Upshot: The number of people impacted confirms just how incredibly widespread this attack has been. The sheer number of victims here highlights a big issue that U.S. government officials have been concerned about: just how interconnected our public health and critical infrastructure systems are, and what that could mean should a security incident occur.