More than half of all Americans were impacted by the attack, UnitedHealth Group says. It’s been called the biggest health data breach in U.S. history.
The impact of the Change Healthcare cyberattack appears to be even larger than anticipated, and that’s no small statement.
UnitedHealth Group, Change Healthcare’s parent company, now says the total number of individuals affected by the attack is about 190 million. That represents more than half of the U.S. population.
UnitedHealth Group said in October that the attack affected 100 million Americans, but its latest estimate is nearly twice that initial figure.
“The vast majority of those people have already been provided individual or substitute notice,” UnitedHealth Group said in a statement sent to Chief Healthcare Executive®.
TechCrunch reported the revised figure Jan. 24.
UnitedHealth Group said it is working to confirm the final figure and will report it to the U.S. Department of Health & Human Services’ Office for Civil Rights. All health data breaches affecting more than 500 people are required to be reported to the health department.
The company said there’s no indication of theft or fraud involving the exposed data.
“Change Healthcare is not aware of any misuse of individuals’ information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis,” UnitedHealth Group said in its statement.
Healthcare leaders and cybersecurity experts say the Change Healthcare attack has been the most disruptive cyberattack ever seen in the U.S. healthcare industry.
Nearly all U.S. hospitals and medical groups experienced financial losses from the attack, because Change Healthcare provides so many services to the industry, such as billing and pharmacy services.
UnitedHealth Group has also paid billions of dollars to providers that were affected by the attack. The company said it was the victim of a ransomware attack.
Lawmakers cited the Change Healthcare attack as evidence of the need to bolster cybersecurity in the health industry, and some lawmakers have pushed for minimum standards for organizations handling health data.
Hospitals have called for more funding to support cybersecurity in the health sector, but they have also pushed back against proposals that would impose fines on organizations deemed to be lax in security. Hospitals have argued that they need more help and that adding penalties for breaches would only pose more hardships.
Some analysts have suggested that President Trump may recognize the need to offer more funding for cybersecurity for the healthcare sector and other critical industries. While Trump has pledged to cut federal spending, analysts suggest that bolstering cybersecurity would fit in with his aims of improving national security.
UnitedHealth Group has said a Russian ransomware group known as Blackcat claimed responsibility for the attack, and federal officials said the group has targeted healthcare organizations.
UnitedHealth Group CEO Andrew Witty told lawmakers in May that the company also paid $22 million to the group behind the attack.
While the Change Healthcare attack was historic, tens of millions of other Americans were affected by cyberattacks last year.
In 2024 alone, there were more than 500 breaches of health data affecting at least 500 Americans, and several of the top breaches affected millions.