New information shows that the UnitedHealth data breach impacted nearly twice as many victims as previously reported.
In February 2024, Change Healthcare, a Nashville, Tennessee-based UnitedHealth subsidiary, suffered a ransomware attack, forcing the insurance giant to shut down some IT systems.
The shutdown disrupted healthcare operations across the country, preventing many providers from processing claims and payments or accessing data. Thousands of Change Healthcare clients, including pharmacies, dentists, hospitals, and “nearly all government and commercial payers,” were impacted.
UnitedHealth notified certain government agencies and launched an investigation involving law enforcement and third-party cyber forensics to determine the scope and impacts of the incident.
That probe determined that roughly 190 million customers were impacted, making it the worst healthcare breach in recent history; previously, just over half that number were believed to have been affected.
UnitedHealth data breach leaked extensive PII for an additional 90 million Americans
In June 2024, Change Healthcare notified 100 million UnitedHealth data breach victims that their personal information had been compromised. On January 24, 2025, Change Healthcare confirmed that the UnitedHealth data breach impacted an additional 90 million people, bringing the total to 190 million.
“This breach on Change Healthcare was already the biggest-known ransomware breach to date even before the figure increased from 100 million to 190 million, according to our data,” said Rebecca Moody, Head of Data Research at Comparitech. “But this latest figure puts it way ahead of second-place MOVEit, which saw nearly 96M records breached (at least) in its exploit in 2023.”
Extensive personal and health data leaked
According to a cybersecurity incident notice published on the company’s website, the UnitedHealth data breach leaked extensive personal information, including the victims’ first and last names, dates of birth, phone numbers, email addresses, and home addresses.
In some cases, the UnitedHealth data breach also leaked Social Security Numbers, financial and banking information, payment card information, driver’s licenses, and state ID numbers.
Similarly, health insurance information such as health plans, policies, insurance companies, member or group ID numbers, and Medicare and Medicaid payer ID numbers were also leaked in some cases.
The UnitedHealth data breach also leaked some patients’ health information, such as medical record numbers, healthcare providers, medical diagnoses, medications, test results, images, and care and treatment information.
Other details leaked for some patients included billing and claims information such as claim numbers, account numbers, billing codes, payments, and balance due.
Some information leaked in the UnitedHealth data breach related to the victims’ guarantors, extending the incident’s reach well beyond the company’s own customers.
UnitedHealth initially suggested that the cyber incident stemmed from a nation-state actor, but it was later determined to be a ransomware attack by the Russian cybercrime gang ALPHV/BlackCat.
The company paid $22 million to prevent the threat actor from leaking the stolen information online. So far, Change Healthcare has no evidence that the stolen patient information has been misused. Even if it had been, it could be difficult to attribute the misuse of personal information to the UnitedHealth data breach.
Consequently, victims should remain vigilant for any misuse of personal information tied to the UnitedHealth data breach, which could otherwise go unnoticed. They should also watch for phishing attacks that exploit the leaked personal information. The exposure of medical information further puts victims at risk of extortion by cybercriminals and exploitation by insurance companies.
“As this incident demonstrates, data breaches involving sensitive data, such as patients’ health insurance information, medical records, billing and payment information, as well as sensitive personal information, can have far-reaching implications,” said Piyush Pandey, CEO at Pathlock. “Currently, HIPAA does not strictly require healthcare organizations to enforce multi-factor authentication (MFA), however, the Change Healthcare ransomware attack clearly demonstrates how not having MFA greatly increases risk and can lead to disastrous consequences.”
Meanwhile, UnitedHealth has not explained why it initially undercounted the number of victims by a whopping 90 million. However, the full impact of a data breach becomes clearer with time, and UnitedHealth could yet uncover further impacts.
“Determining the true impact of an attack of this scale often takes months or even years as organizations must uncover the full extent of data exposure, verify the accuracy of the breach reports and navigate evolving regulatory requirements. Threat actors complicate this, using sophisticated tactics to prolong detection and response times,” noted Darren Guccione, CEO and Co-Founder at Keeper Security. “This incident reinforces the importance of adopting proactive cybersecurity measures. Prioritizing robust encryption, a zero-trust architecture and employee training can minimize exposure to risks. A privileged access management solution is critical to protect access to an organization’s most sensitive assets.”