UnitedHealth tech hack impacted 190M people, 2x more than first reported


UnitedHealth Group (UHG) reveals the number of people impacted by last year’s breach of its tech subsidiary Change Healthcare was 190 million – nearly double the numbers initially reported.

UHG, one of the largest health insurance providers in the US, initially reported in 2024 that 100 million Americans were breached in the February 21st cyberattack.

However, late Friday, the health giant disclosed new figures showing that the number of people affected by the massive ransomware attack was much higher than initially reported.

“Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million,” UnitedHealth spokesperson Tyler Mason said in a statement emailed to Cybernews on Monday.

Even with the revised amount, Mason noted that “the final number will be confirmed and filed with the Office for Civil Rights at a later date,” meaning the final number could actually be even higher.

Change revised numbers to 190M

Change Healthcare is responsible for servicing healthcare transactions (including insurance billing) for more than 85 million patients, or roughly 25% of the total US population.

The attack triggered a system-wide shutdown and left the industry reeling with pharmacy delays and healthcare providers unable to process insurance claims for weeks on end.

Sensitive health and personal data compromised in the breach included insurance information, social security numbers, driver's licenses and passports, billing, claims, and payment information, as well as medical record numbers, providers, diagnoses, medicines, test results, images, care, and treatment.

The UHG spokesperson told Cybernews on Monday the vast majority of the 190 million impacted “have already been provided individual or substitute notice.”

Mason further said in the statement that Change Healthcare was “not aware of any misuse of individuals’ information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis.”

Largest and costliest attack ever

“Previous estimates suggested this attack impacted one in three Americans, but clearly these figures were a drop in the ocean in comparison with the reality,” said Simon Phillips, CTO of SecureAck.

“It now looks like one in two citizens were impacted, which undoubtedly turns the attack into the largest the world has ever experienced,” Phillips said.

Besides being the largest cyberattack in history by number of people impacted, the estimated $2 billion in losses suffered by UHG also appears to make it one of the costliest.

“This is even despite the company apparently paying the ransom demand, twice,” Phillips noted.

The CTO is referring to a decision made by UnitedHealth Group’s CEO Andrew Witty, a few weeks into the devastating hack, to pay its attackers $22 million in hopes of lessening the damage.

At the time, UHG estimated that more than 90% of the nation’s 70,000+ pharmacies were forced to either ‘modify or find offline workarounds for electronic claim processing’ to help alleviate hundreds of thousands of prescription backlogs, causing panic among patients who couldn't fill them.

The shutdown was also so severe that the conglomerate and the US Department of Health and Human Services (HHS) had to create a temporary assistance program to help cash-strapped hospitals and small practitioners stay afloat while cyber experts tried to get Change networks up and running.

Warning for other organizations

The ransomware attack was said to be carried out by the Russian-linked ALPHV/BlackCat gang, who allegedly received the total $22 million payment from UHG.

Still, Phillips says there are “no guarantees criminals will stick to their word” when it comes to paying a ransom demand in exchange for your company’s data.

Phillips is right; a 2024 Hiscox ransomware report published this month reveals only 18% of companies that paid a ransom were able to recover all their data.

“Paying means an organization’s future lies in the hands of threat actors, which is a very dangerous position to be in,” Phillips explained.

Days after receiving the funds, ALPHV/BlackCat dropped off the dark web, ghosting its many affiliates in what security experts believe was a pre-planned exit strategy.

And, although it was never revealed how much data was stolen in the breach, one of those affiliates, RansomHub, claimed to have retained at least 4TB of sensitive data, further attempting to extort UHG for a second ransom demand.

United’s Change Healthcare attack “should act as a warning to other organizations,” he said.

In the end, “paying a ransom demand doesn’t equal exemption from the other costs and reputational damage associated with attacks,” said Phillips.

Instead, Phillips said companies “must adopt basic cyber hygiene practices, which includes applying MFA across all accounts.”

They should also adopt a comprehensive backup process with automated recovery to ensure systems can be restored quickly. “This makes a ransomware attack more of a nuisance rather than a cause of destruction,” he added.
