100 million people hit in largest healthcare data breach in history — medical info, SSNs and more

More than 100 million people had their personal information and healthcare data stolen in the massive UnitedHealth ransomware attack earlier this year, making it the largest healthcare data breach in the country.

After completing its investigation into February’s data breach, the US Department of Health and Human Services said this week that roughly a third of all Americans’ health data was exposed in the attack. The findings confirm UnitedHealth’s statement back in April that the attack exposed sensitive data for a “substantial proportion of people in America.”

In February, the ransomware hacking group ALPHV, also known as “BlackCat,” launched a cyberattack on UnitedHealth subsidiary Change Healthcare, causing months of unprecedented outages and disruptions in claims processing across the U.S. healthcare sector. Change Healthcare is one of the largest health payment processing companies in the world and works with leading insurance companies like Aetna, Anthem, Blue Cross Blue Shield, and Cigna.

“On October 22, 2024, Change Healthcare notified [the HHS’s Office for Civil Rights] that approximately 100 million individual notices have been sent regarding this breach,” reads an FAQ on the HHS website.

According to public notices the company pushed out in June, the stolen data includes: billing, claims, and payment information; medical information such as diagnoses, test results, and medical record numbers; health insurance information such as member/group ID numbers; and personal information such as Social Security numbers and driver’s licenses or state ID numbers.

UnitedHealth first reported the breach on February 21. Change Healthcare pushed out a data breach notification warning to users the next month. In June, the company issued a public notice as part of its requirement to notify the estimated one-third of the country impacted by the ransomware attack. The federal investigation is still in its final stages, UnitedHealth said in a statement, and the company will continue notifying potentially impacted individuals as quickly as possible.

In a May congressional hearing, UnitedHealth CEO Andrew Witty testified that the hacker group used stolen employee login credentials to breach the company’s Citrix remote access service. Crucially, the Citrix profile did not have multi-factor authentication (MFA) turned on, which opened the gates for hackers to remotely access the company’s network. Witty told lawmakers that the company has since updated its internal policies to mandate MFA following the cyberattack. UnitedHealth confirmed to Congress it paid the $22 million ransom demand to receive a decryptor under the agreement that the hackers delete the stolen data, but the data deletion never occurred. After receiving the payment, BlackCat pulled an exit scam and shut down its servers.

More from Tom’s Guide