UnitedHealth Group has confirmed that a ransomware attack on its subsidiary, Change Healthcare, in February 2024 has impacted approximately 190 million Americans, nearly doubling the initial estimate of 100 million. This makes it the largest healthcare data breach in US history, far surpassing the 2015 Anthem Inc. breach, which exposed 78.8 million records. The incident underscores the severe cybersecurity vulnerabilities within the healthcare sector and highlights the immense risks associated with large healthcare organizations. Change Healthcare, a major player in healthcare technology, processes around 40% of all medical claims annually and handles a vast amount of sensitive patient and medical information.
The breach, attributed to the ALPHV ransomware group, also known as Black Cat, stemmed from compromised credentials on Citrix remote-access software that lacked multi-factor authentication. Sensitive data was stolen, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and medical records such as health insurance details, patient diagnoses, test results, and treatment information. The company reportedly paid $22 million in ransom to prevent further data leaks. While UnitedHealth states that it has not found evidence of misuse, the scale of the breach and the sensitive nature of the compromised data remain concerning, especially given that the attack resulted in 6 TB of exfiltrated data.