Feds make it official: Change data breach was the largest in healthcare history, impacting 100M

The February ransomware attack on Change Healthcare compromised the personal information of an estimated 100 million Americans, according to official numbers from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.

That figure aligns with claims from the alleged hackers and statements from parent company UnitedHealth Group, whose CEO Andrew Witty told Congress in May that roughly one-third of individuals in the U.S. would be impacted. Change Healthcare is the largest medical claims processor in the country; most Americans have a record somewhere on its network, making it difficult to calculate a precise number of victims. 

Fallout from the February cyberattack has been extensive, with CMS responding by issuing emergency reimbursement for providers delivering care to Medicare beneficiaries. That program ended in July, days before Change Healthcare and UnitedHealth began notifying patients whose data was accessed by cybercriminals.

UnitedHealth estimated the breach cost it around $2.5 billion—and litigation is still pending. Groups representing providers and pharmacists have filed a lawsuit against the company, seeking damages for lost revenue as a result of a pause in reimbursement while the Change Healthcare network was down. 

The company's systems were breached as a result of a server that lacked multifactor authentication, Witty confirmed during the Congressional hearing. 

Black Cat, an infamous hacker group responsible for multiple healthcare data breaches, initially claimed credit for the incident. UnitedHealth confirmed it paid them a ransom to delete stolen data, reported by Reuters to cost roughly $22 million. 

However, after the alleged criminals were paid, Change Healthcare faced a second ransom from another cybercrime syndicate. The 100 million patient records, source codes from Change Healthcare systems, and more data from the breach were ultimately put up for sale on the dark web anyway.

The incident is officially the largest healthcare data breach in history, surpassing the 2015 attack on insurer Anthem. That event exposed 78.8 million records to hackers, according to data from HHS. 

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.

Around the web

Compensation for heart specialists continues to climb. What does this say about cardiology as a whole? Could private equity's rising influence bring about change? We spoke to MedAxiom CEO Jerry Blackwell, MD, MBA, a veteran cardiologist himself, to learn more.

The American College of Cardiology has shared its perspective on new CMS payment policies, highlighting revenue concerns while providing key details for cardiologists and other cardiology professionals. 

As debate simmers over how best to regulate AI, experts continue to offer guidance on where to start, how to proceed and what to emphasize. A new resource models its recommendations on what its authors call the “SETO Loop.”