UnitedHealth now says 190 million impacted by 2024 data breach

UnitedHealth has revealed that 190 million Americans had their personal and healthcare data stolen in the Change Healthcare ransomware attack, nearly doubling the previously disclosed figure.

In October, UnitedHealth reported to the US Department of Health and Human Services Office for Civil Rights that the attack affected 100 million people. However, as first reported by TechCrunch, UnitedHealth confirmed on Friday that the figure has nearly doubled to 190 million.

“Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million,” UnitedHealth Group told TechCrunch.

“The vast majority of those people have already been provided individual or substitute notice. The final number will be confirmed and filed with the Office for Civil Rights at a later date.”

While UnitedHealth says that there are no indications that the threat actors have misused the stolen data, the sheer quantity of sensitive information stolen in the attack is massive.

This stolen data includes patients’ health insurance information, medical records, billing and payment information, and sensitive personal information, such as phone numbers, addresses, and, in some cases, Social Security Numbers and government ID numbers.

The ransomware attack on UnitedHealth’s subsidiary, Change Healthcare, is the largest healthcare data breach in US history.

The Change Healthcare ransomware attack

In February 2024, UnitedHealth subsidiary Change Healthcare suffered a massive ransomware attack, leading to widespread disruption to the United States healthcare system.

This disruption prevented doctors and pharmacies from filing claims and pharmacies from accepting discount prescription cards, causing patients to pay full price for medications.

It was later learned that the BlackCat ransomware gang, aka ALPHV, was behind the attack. The threat actors used stolen credentials to breach the company’s Citrix remote access service, which did not have multi-factor authentication enabled.

After breaching the network, the threat actors stole 6 TB of data and encrypted computers, causing the company to shut down IT systems and its online platforms for billing, claims, and prescription fulfillment.

The UnitedHealth Group later confirmed it paid a ransom to receive a decryptor and to prevent the threat actors from publicly releasing the stolen data. This ransom payment was allegedly $22 million, according to the BlackCat ransomware affiliate who conducted the attack.

This ransom payment was supposed to be split between the affiliate and the ransomware operators, but the BlackCat suddenly shut down in an exit scam, stealing the entire payment for themselves.

This is where it got worse for UnitedHealth, as the threat actor behind the attack stated that they did not delete the stolen data as promised.

The attacker then partnered with a new ransomware operation named RansomHub and began leaking some of the stolen data, demanding an additional payment for the data not to be released.

A few days later, the Change Healthcare entry on RansomHub’s data leak site mysteriously disappeared, indicating that United Health likely paid a second ransom demand.

UnitedHealth said in April that the Change Healthcare ransomware attack caused $872 million in losses, which increased as part of the Q3 2024 earnings to an expected $2.45 billion for the nine months to September 30, 2024,