In a staggering revelation, federal legislators have confirmed that the massive data breach involving UnitedHealth, which occurred in February, compromised the medical and personal information of an estimated 100 million individuals, approximately one-third of the entire American population. The breach left sensitive data such as medical records, Social Security numbers, and other personal details vulnerable and raised significant concerns about privacy and security in the healthcare sector, marking it as the largest healthcare data breach in history.
In what has become the largest healthcare data breach in U.S. history, more than 100 million individuals had their personal information and healthcare data stolen in a massive ransomware attack on UnitedHealth earlier this year. The U.S. Department of Health and Human Services confirmed this week that approximately one-third of all Americans' health data was exposed during the attack, validating UnitedHealth's earlier statement about the significant impact of the breach.
The cyberattack was executed in February by the ransomware group ALPHV, also known as "BlackCat," targeting Change Healthcare, a subsidiary of UnitedHealth. This incident resulted in extensive outages and disruptions in claims processing throughout the U.S. healthcare system, affecting numerous insurance providers including Aetna, Anthem, Blue Cross Blue Shield, and Cigna. Change Healthcare is recognized as one of the largest health payment processing companies globally.
On October 22, 2024, Change Healthcare notified the Office for Civil Rights at HHS that it had sent approximately 100 million individual notices regarding the breach. According to public notifications released by the company in June, the compromised data included billing, claims, and payment information; medical details such as diagnoses, test results, and medical record numbers; health insurance information including member and group ID numbers; as well as personal identifiers like Social Security numbers and driver's licenses or state ID numbers.
UnitedHealth initially reported the breach on February 21, and Change Healthcare subsequently issued a data breach notification to affected users the following month. By June, the company was required to issue a public notice alerting the estimated one-third of the country impacted by the ransomware attack. Although the federal investigation into the breach is ongoing, UnitedHealth has stated that it is committed to notifying potentially affected individuals as swiftly as possible.
During a congressional hearing in May, UnitedHealth CEO Andrew Witty revealed that the hackers gained access to the company's Citrix remote access service by using stolen employee login credentials. Notably, the Citrix profile lacked multi-factor authentication (MFA), which allowed the hackers to exploit the system. In response to the attack, UnitedHealth updated its internal policies to require MFA.
The company also confirmed to Congress that it paid a $22 million ransom demand to obtain a decryptor, under the agreement that the hackers would delete the stolen data; however, the promised deletion did not occur. Following the payment, BlackCat executed an exit scam and shut down its servers, compounding the breach's severity and impact.