The Change Healthcare data breach and ransomware attack that hit the UnitedHealth Group subsidiary in February 2024 was much larger than initially estimated, the company has revealed.
In a statement to The Cyber Express, a company spokesperson said “the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million.”
Previous estimates of the size of the Change Healthcare breach were around 110 million victims.
With the company’s investigation “substantially complete,” here’s where the investigation stands, including types of data exposed, next steps, and what victims can do to protect themselves.
Change Healthcare Breach Victim Count Nearly Finalized
The Change Healthcare statement said the “vast majority” of the 190 million victims have been notified.
When the investigation is complete, the final number will be filed with the Office for Civil Rights at the U.S. Department of Health and Human Services (HHS).
One bit of hopeful news for victims: “Change Healthcare is not aware of any misuse of individuals’ information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis.”
It’s not clear if the company is engaged in dark web monitoring to look for any patient data – which may have been exposed in the cyberattack – that might appear on cybercrime forums and marketplaces, but that’s one possible avenue of investigation the company may be pursuing. The company paid a $22 million ransom to the ALPHV/BlackCat ransomware group to try to get the data back, but not all of the data was recovered and the RansomHub group also tried to subsequently extort the company.
Change Healthcare’s HIPAA substitute notice page was updated recently to say that the investigation is “substantially complete” and the company “does not anticipate that it will identify any additional customers,” meaning that the “approximately 190 million” number likely won’t change once the final tally is calculated.
Patient Data May Have Leaked
Change Healthcare said information leaked in the breach typically includes contact information, date of birth, “and one or more of the following” types of information:
- Health insurance information
- Health information such as medical record numbers, providers, diagnoses, medicines, test results, images, and treatment information
- Billing and claims information
“For the majority of potentially affected individuals, Social Security numbers were not impacted, and except in rare instances, financial and banking information, payment cards, driver’s licenses or state ID numbers, or other ID numbers were not involved in this incident,” the HIPAA substitute notice said.
Some of the leaked information may be related to guarantors, or a person who agrees to pay the bill for health care services on behalf of the patient.
Next Steps for Breach Victims
Change Healthcare recommended a number of steps for victims to take:
- Enroll in two years of complimentary credit monitoring and identity protection services.
- Individuals should regularly monitor explanation of benefits statements “as well as bank and credit card statements, credit reports, and tax returns, to check for any unfamiliar activity,” and to notify providers, insurers and financial companies of any potentially fraudulent activity.
- If an individual believes they are the victim of a crime, they can also contact local law enforcement and file a police report.
Change Healthcare is directing affected individuals to changecybersupport.com for further information and resources.
Change Healthcare was just one attack in a difficult year for healthcare data breaches – a year that ended with a proposed new HIPAA Security Rule that could help improve healthcare cybersecurity if it gets finalized under the new U.S. Administration.
