UnitedHealth Group revealed on Friday that a cyberattack targeting its technology subsidiary, Change Healthcare, exposed the personal information of approximately 190 million individuals. This incident ranks as the largest healthcare data breach in U.S. history.
Ransomware Attack Disrupts Claims Processing
Hackers from the “Blackcat” ransomware group carried out the attack, which UnitedHealth disclosed in February. The breach disrupted claims processing on a large scale, directly affecting patients and healthcare providers across the country.
UnitedHealth Revises Data Breach Impact
Initially, the U.S. Department of Health and Human Services (HHS) reported in October that the attack compromised the data of 100 million individuals. UnitedHealth later revised the figure to nearly 190 million, indicating the breach’s larger scope. The company plans to file the final numbers with the HHS Office for Civil Rights soon.
Change Healthcare Rules Out Data Misuse
Change Healthcare stated that it found no evidence of the stolen data being misused. “We have not identified any cases of misuse or the inclusion of electronic medical record databases in the analyzed data,” the company said. It also confirmed that it had notified most affected individuals through direct communication or substitute methods.
Breach Details and Compliance with HIPAA
The company publicly announced the breach in June 2023 to comply with the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, organizations must inform affected individuals about breaches involving personal data. Information compromised in the attack included health insurance member IDs, patient diagnoses, treatment details, Social Security numbers, and billing codes.
Response and Future Plans from UnitedHealth
UnitedHealth pledged to strengthen its cybersecurity measures to prevent similar incidents. The company assured customers and stakeholders that it is taking all necessary steps to safeguard their personal and medical information moving forward.
