100 Mn Americans Impacted in Change Healthcare Cyberattack, OCR Confirms

The breach, which occurred in February, is among the largest in the healthcare sector’s history, impacting around one-third of the U.S. population.

UnitedHealth Group recently confirmed that a cyberattack targeting its subsidiary, Change Healthcare, affected approximately 100 million Americans, according to an update from the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

The recent breach is among the largest in the healthcare sector’s history, impacting around one-third of the US population.

The cyberattack was orchestrated by hackers associated with the BlackCat (ALPHV) ransomware group, who exploited stolen credentials to breach a Change Healthcare server that lacked two-factor authentication. Once inside the system, the hackers extracted extensive data before deploying ransomware.

UnitedHealth disclosed the breach initially in July, but the full extent of those affected was confirmed only recently.

The company began notifying impacted individuals and organizations in June as part of its compliance with the Health Insurance Portability and Accountability Act (HIPAA).

UnitedHealth Faces $2.45 Bn in Losses

The breach has posed severe financial challenges for UnitedHealth. In a hearing before legislators in May, UnitedHealth CEO Andrew Witty noted that their data analysis indicated a third of Americans were affected by the attack.

He outlined the significant expenses tied to recovery, estimating costs related to the breach at $2.45 billion as of the third quarter of 2024.

Witty expressed concern over the data breach’s magnitude, stating, “We continue to prioritize the protection and security of healthcare data for those affected by this unfortunate incident.”

He added that UnitedHealth was focused on implementing stricter cybersecurity protocols to avoid future breaches and protect sensitive data.

The OCR emphasized that the Change Healthcare breach underscores urgent cybersecurity needs across healthcare networks, with experts advocating for robust security measures such as two-factor authentication, which was missing on the compromised server.

As the healthcare sector faces heightened risks from cyber threats, this incident serves as a critical reminder of the sector’s vulnerabilities and the need for ongoing security investment.

UnitedHealth’s financial and operational recovery from this breach remains a focal point as it moves forward in addressing security gaps and ensuring improved protection for patient information.