On October 24th, the U.S. Department of Health and Human Services Office for Civil Rights data breach portal updated the total number of people impacted by the UnitedHealth data breach to 100 million, marking the first time the company has officially quantified the breach’s scope. This confirmation cements the breach as the largest healthcare data exposure in U.S. history, underscoring the significant risks that cybersecurity incidents pose to sensitive patient information.
What Happened in the Change Healthcare Breach?
As reported by TechCrunch, the breach began in February 2024 when the ALPHV/BlackCat ransomware group targeted UnitedHealth’s Change Healthcare platform, a widely used payment processing system within the healthcare industry. The attackers deployed ransomware to disrupt operations and exfiltrated vast amounts of sensitive data. The compromised data included patients’ personal information, financial details, and medical records.
This attack had a cascading impact across the U.S. healthcare sector, disrupting billing, payment processing, and even delaying patient care. Change Healthcare is integral to the healthcare infrastructure, processing millions of payments annually, which means the breach affected not only UnitedHealth but also countless hospitals, clinics, and medical practices reliant on this platform.
The Largest-Ever Healthcare Data Breach in the U.S.
In a May congressional testimony, UnitedHealth’s CEO Andrew Witty revealed that potentially a third of Americans’ health information was exposed. However, the company’s recent disclosure has officially quantified the damage, with approximately 100 million people impacted. This scale of exposure marks it as the largest healthcare data breach ever recorded in the United States.
For context, the exposure of 100 million records affects not only the individuals directly but may also indirectly impact those linked through family records or provider networks. This breach underscores the high stakes in healthcare data protection, as medical data holds some of the most sensitive and valuable personal information.
Ransom Payment and the BlackCat Exit Scam
After ALPHV/BlackCat compromised the Change Healthcare platform, UnitedHealth decided to pay a $22 million ransom to the ransomware group to prevent further leaks and secure the return of the stolen data. In a surprising turn, BlackCat executed what’s known as an “exit scam,” taking the ransom without honoring the agreement. The attackers vanished with the payment, leaving UnitedHealth and millions of Americans’ sensitive data still at risk.
This exit scam caused internal friction within BlackCat’s ranks, with the affiliate responsible for the breach breaking away to form its own group, which then reportedly demanded a second ransom. This development highlights the unpredictable nature of ransomware groups, whose criminal operations can lead to splintering, rebranding, and increased risks for victims.
How Stolen Healthcare Data Could Be Exploited
Imagine that a bad actor, armed with stolen healthcare data from the Change Healthcare breach, decides to target individuals affected by the attack. They have access to detailed information including names, dates of birth, medical records, addresses and even financial information linked to insurance and billing. Using this information, the attacker could carry out a multi-layered scheme:
- Medical Identity Theft: The attacker could use the stolen health data to file false insurance claims in the victim’s name. By posing as the victim, they could claim expensive medical procedures, prescriptions or equipment on the victim’s insurance, racking up fraudulent charges without the victim’s knowledge. The individual might only discover this when they’re denied coverage for legitimate medical expenses due to “previously maxed-out benefits” or when they receive unexpected bills for services they never received.
- Phishing Scams: Knowing the victim’s medical history, the attacker could send highly personalized phishing emails or calls, pretending to be a healthcare provider, insurance agent or even a pharmacy. For example, an email might state, “We noticed an issue with your recent prescription for —please click here to verify your insurance information.” Because the email mentions real details from the victim’s medical history, it appears credible, and the victim may unwittingly provide even more sensitive information such as Social Security numbers or payment details.
- Financial Fraud: With access to the victim’s financial data, including billing addresses and partial credit card or bank information, the attacker could attempt identity theft to open new lines of credit. This could damage the victim’s credit score and leave them with debts from unauthorized loans or credit card charges.
- Reputational Harm and Privacy Invasion: In some cases, medical records may contain sensitive information about diagnoses, treatments or mental health conditions. If this information is shared or sold on the dark web, it could lead to personal and reputational harm, especially if someone tries to use this information for blackmail or public disclosure.
What Patients Can Do to Protect Themselves
If you’re a patient affected by the breach, there are steps you can take to mitigate potential risks:
- Monitor Financial Accounts: Regularly check bank and credit card statements for suspicious charges. Setting up alerts for unusual activity can help quickly identify unauthorized transactions.
- Request a Credit Freeze or Fraud Alert: A credit freeze can prevent new accounts from being opened in your name. A fraud alert prompts creditors to take extra verification steps if someone tries to use your information.
- Watch for Medical Fraud: Review insurance statements and Explanation of Benefits forms for unfamiliar services. Report any unrecognized services to your insurance provider to prevent fraudulent claims or misuse of your medical benefits.
- Be Cautious with Personal Information: In the wake of a breach, be wary of unsolicited calls or emails asking for sensitive information, as scammers often target breach victims with phishing attempts.
- Consider Identity Theft Protection Services: Identity theft protection services monitor personal information and can alert you to potential misuse, helping to mitigate risks from breached data. These services often provide insurance or assistance in case identity theft does actually occur.
For victims, understanding these potential threats is key. Being alert for unusual medical charges, unexpected communications requesting additional personal information or irregularities on insurance statements or credit reports can help in spotting suspicious activity early. If something seems off, confirming directly with healthcare providers or financial institutions can prevent further harm and ensure their information remains protected.
UnitedHealth has been contacted for comment but has yet to respond.