UnitedHealth now says 190 million impacted by 2024 data breach
UnitedHealth has revealed that 190 million Americans had their personal and healthcare data stolen in the Change Healthcare ransomware attack, nearly doubling the previously disclosed figure.
In October, UnitedHealth reported to the US Department of Health and Human Services Office for Civil Rights that the attack affected 100 million people. However, as first reported by TechCrunch, UnitedHealth confirmed on Friday that the figure has nearly doubled to 190 million.
"Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million," UnitedHealth Group told TechCrunch.
"The vast majority of those people have already been provided individual or substitute notice. The final number will be confirmed and filed with the Office for Civil Rights at a later date."
While UnitedHealth says that there are no indications that the threat actors have misused the stolen data, the sheer quantity of sensitive information stolen in the attack is massive.
This stolen data includes patients' health insurance information, medical records, billing and payment information, and sensitive personal information, such as phone numbers, addresses, and, in some cases, Social Security Numbers and government ID numbers.
The ransomware attack on UnitedHealth's subsidiary, Change Healthcare, is the largest healthcare data breach in US history.
The Change Healthcare ransomware attack
In February 2024, UnitedHealth subsidiary Change Healthcare suffered a massive ransomware attack, leading to widespread disruption to the United States healthcare system.
This disruption prevented doctors and pharmacies from filing claims and pharmacies from accepting discount prescription cards, causing patients to pay full price for medications.
It was later learned that the BlackCat ransomware gang, aka ALPHV, was behind the attack. The threat actors used stolen credentials to breach the company's Citrix remote access service, which did not have multi-factor authentication enabled.
After breaching the network, the threat actors stole 6 TB of data and encrypted computers, causing the company to shut down IT systems and its online platforms for billing, claims, and prescription fulfillment.
The UnitedHealth Group later confirmed it paid a ransom to receive a decryptor and to prevent the threat actors from publicly releasing the stolen data. This ransom payment was allegedly $22 million, according to the BlackCat ransomware affiliate who conducted the attack.
This ransom payment was supposed to be split between the affiliate and the ransomware operators, but the BlackCat suddenly shut down in an exit scam, stealing the entire payment for themselves.

This is where it got worse for UnitedHealth, as the threat actor behind the attack stated that they did not delete the stolen data as promised.
The attacker then partnered with a new ransomware operation named RansomHub and began leaking some of the stolen data, demanding an additional payment for the data not to be released.
A few days later, the Change Healthcare entry on RansomHub's data leak site mysteriously disappeared, indicating that United Health likely paid a second ransom demand.
UnitedHealth said in April that the Change Healthcare ransomware attack caused $872 million in losses, which increased as part of the Q3 2024 earnings to an expected $2.45 billion for the nine months to September 30, 2024,
Meta's Llama Framework Flaw Exposes AI Systems to Remote Code Execution Risks
Ransomware gang uses SSH tunnels for stealthy VMware ESXi access
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
Free online web security scanner