It’s official: Breach of Change Healthcare impacted 193M people

The final count is in for the number of people impacted by the February 2024 breach at Change Healthcare—and it exceeds all original estimates.

According to parent company UnitedHealthcare, 192.7 million individuals were exposed to imminent risk of data theft, sale or other mischief by the hackers. That figure represents more than half the U.S. population and nearly double the 100 million the company initially estimated.

The July 31 announcement comes as UnitedHealthcare confirmed the 18-month investigation into the data breach and subsequent ransomware attack is coming to a close. The insurance giant added that all breach notification letters have now been sent out, as the review of all data to determine the scope of the cyberattack is now complete.

One of the challenges was deduplicating records to get an accurate head count of the number of victims—something UnitedHealthcare said it wasn’t able to fully accomplish, meaning the 192.7 million figure is likely inflated.

"Change Healthcare and its vendors have made reasonable best efforts to deduplicate individuals included in the numbers being provided today," the company said. "However, despite those efforts, complete deduplication was not feasible."

The company said it faced challenges in notifying all individuals in some states, mainly New Hampshire. This was due to a lack of full addresses, likely caused by regional variations in how claims are filed through Change Healthcare.

"Change Healthcare has been mailing written letters on a rolling basis to potentially impacted data owners for whom Change Healthcare has sufficient address information," UnitedHealthcare wrote. "This notification process is now complete."

For about 1.3 million impacted people, UnitedHealthcare said it was not obligated to send breach notifications, as the associated healthcare entities opted to send them directly.


Lawsuits pending 

Change Healthcare still faces multiple federal lawsuits from firms representing providers who suffered financial hardship due to the shutdown of claims processing stemming from the data breach. When hackers gained access and deployed ransomware on the Change Healthcare network, the company effectively shut down for months, leaving many doctors and healthcare organizations in limbo, unable to process medical claims for reimbursement.

Change Healthcare processes the vast majority of commercial medical claims in the U.S., including those for public officials and military personnel. After the cybercrime cell took control of the network, the company attempted to appease the criminals by paying the ransom.

However, a trove of data from the breach ultimately ended up for sale on the dark web, with RansomHub claiming credit for the attack. At the time, the group said it had data from “tens of insurance companies” and warned all Americans that it was likely in possession of their personal information.

The breach was blamed on a single legacy server at Change Healthcare that lacked multifactor authentication.

UnitedHealth's attempt to dismiss the lawsuits has failed, and it remains unclear what the outcomes will be.

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.
