100 million affected in worst U.S. health care data breach

Until now, the worst health care data breach occurred in 2015, which compromised 78.8 million people. But the ante has been upped.

The cyberattack in question has hit a new record of 100 million people affected — and just happens to have struck the largest health care company in the world (by revenue), UnitedHealth Group.

The actual incident happened in February 2024, when a ransomware attack caused disruptions at pharmacies all across the country, originally reported by Reuters. The target was Change Healthcare, a subsidiary of UnitedHealth Group that manages finances for medical providers. Cybercriminals reportedly found their way into the Change Healthcare employee system due to a lack of multi-factor authentication on login credentials.

A statement from the U.S. Senate Committee on Finance described the nightmarish results of the hack, which involved prescriptions going unfilled, doctors and hospitals not getting paid, and insurance companies unable to reimburse medical providers. “The Change Healthcare hack is considered by many to be the biggest cybersecurity disruption to health care in American history,” Sen. Ron Wyden, D-Oregon, said in the committee statement.

Approximately a third of all U.S. citizens are somehow connected to the organization, and that includes lots and lots of personal data. We all knew it was bad at the time, as the CEO of Change Healthcare said the stolen files included the personal health data for “a substantial proportion of people in America,” as reported by TechCrunch.

The attack was claimed to have been committed by the BlackCat ransomware gang, which was confirmed by Change Healthcare. A post on the dark web by the Russia-based group later claimed to have stolen the health and patient information of millions of Americans.

But now, the U.S. Department of Health and Human Services has updated the figure of those affected in its data breach portal to reveal just how bad it really is: a terrifying 100 million people. One industry journal even suggested that the round figure of 100 million could change in the future, as reported by DailyMail. Hopefully that means the actual number could be smaller, but it could just as easily go in the opposite direction.

The sheer scale makes the 5.3 million data breach that affected Mexican health care systems reported on just yesterday look negligible by comparison.