UnitedHealth Now Estimates 190 Million Were Impacted by Cyberattack

UnitedHealth now estimates that 190 million people were impacted as a result of the cyberattack on its Change Healthcare unit last February—almost double previous estimates.

The attack disabled the company’s IT systems and affected treatment for months. It led to personal information like names, physical addresses, birth dates, Social Security numbers, driver’s license numbers, passport numbers, as well as medical and financial data being compromised. The company began notifying impacted customers in July 2024.

“The vast majority of those people have already been provided individual or substitute notice,” said Tyler Mason, a spokesperson for UnitedHealth Group, in an email to TechCrunch, which first reported the updated numbers.

“The final number will be confirmed and filed with the Office for Civil Rights at a later date,” he added. Mason said he was “not aware” of “any misuse of individuals’ information as a result of this incident” and said the company has “not seen electronic medical record databases appear in the data during the analysis.”

Personal data captured in ransomware attacks—a type of cyberattack in which criminals encrypt a company’s data and demand payment to unlock it—is often sold on online black markets and used for identity theft, scam calls, and phishing emails.

The hack is thought to have been carried out by the Russian-speaking AlphV/BlackCat ransomware group, which used a loophole in remote-access Citrix software to gain access to the company’s systems and lock up its data for ransom. The attack is expected to cost UnitedHealth from $2.3 billion to $2.5 billion. It made at least one ransomware payment of roughly $22 million.

In December, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) recommended that healthcare providers implement multi-factor authentication, encrypt patient data to safeguard it in case of a data breach, and undergo compliance checks to ensure their networks meet cybersecurity rules. It’s unclear if the Trump administration will pursue this.

Profits at UnitedHealth fell by more than a third in 2024, dropping from roughly $22.3 billion in 2023 to about $14.4 billion.

Like What You’re Reading?

Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.

This newsletter may contain advertising, deals, or affiliate links.
By clicking the button, you confirm you are 16+ and agree to our
Terms of Use and
Privacy Policy.
You may unsubscribe from the newsletters at any time.

About Will McCurdy

Contributor

I’m a reporter covering weekend news. Before joining PCMag in 2024, I picked up bylines in BBC News, The Guardian, The Times of London, The Daily Beast, Vice, Slate, Fast Company, The Evening Standard, The i, TechRadar, and Decrypt Media.

I’ve been a PC gamer since you had to install games from multiple CD-ROMs by hand. As a reporter, I’m passionate about the intersection of tech and human lives. I’ve covered everything from crypto scandals to the art world, as well as conspiracy theories, UK politics, and Russia and foreign affairs.

Read Will’s full bio

Read the latest from Will McCurdy