In February 2024, Change Healthcare, a leading health tech company and UnitedHealth subsidiary, experienced the largest breach of medical data in U.S. history. The breach, attributed to the notorious ALPHV ransomware gang, compromised the personal information of approximately 190 million Americans. Hackers penetrated Change's systems using stolen account credentials that lacked multi-factor authentication, leading to months of disruptions across the U.S. healthcare system.
The cyberattack exposed sensitive data, including names, addresses, dates of birth, phone numbers, email addresses, and government identity documents such as Social Security numbers, driver's license numbers, and passport numbers. Change Healthcare, a major handler of health and medical data, as well as a key processor of healthcare claims in the United States, faced significant challenges in addressing the breach.
UnitedHealth Group's CEO, Andrew Witty, testified to lawmakers about the breach, highlighting that hackers used a stolen account credential to access Change's systems. The attack led Change Healthcare to pay at least two ransoms in an effort to prevent further publication of the stolen files.
“Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million,”
Tyler Mason, a spokesperson for UnitedHealth Group
Initial estimates suggested that around 100 million people were affected by the breach. However, the final number confirmed nearly doubles this figure. Tyler Mason further elaborated on the company's response efforts.
“The vast majority of those people have already been provided individual or substitute notice. The final number will be confirmed and filed with the Office for Civil Rights at a later date.”
Tyler Mason, a spokesperson for UnitedHealth Group
The ramifications of this cyberattack extend beyond individual privacy concerns, as the breach caused significant outages within the healthcare system. These outages disrupted medical services and patient care nationwide for several months.
Change Healthcare's status as one of the largest handlers of health data and patient records in the United States underscores the severity of this breach. The incident highlights the critical need for robust cybersecurity measures in safeguarding sensitive healthcare information.
Leave a Reply