UnitedHealth Now Estimates 190 Million Were Impacted by Cyberattack

UnitedHealth now estimates that 190 million people were impacted as a result of the cyberattack on its Change Healthcare unit last February—almost double previous estimates.

The attack disabled the company’s IT systems and affected treatment for months. It led to personal information like names, physical addresses, birth dates, Social Security numbers, driver’s license numbers, passport numbers, as well as medical and financial data being compromised. The company began notifying impacted customers in July 2024.

“The vast majority of those people have already been provided individual or substitute notice,” said Tyler Mason, a spokesperson for UnitedHealth Group, in an email to News, which first reported the updated numbers.

“The final number will be confirmed and filed with the Office for Civil Rights at a later date,” he added. Mason said he was “not aware” of “any misuse of individuals’ information as a result of this incident” and said the company has “not seen electronic medical record databases appear in the data during the analysis.”

Personal data captured in ransomware attacks—a type of cyberattack in which criminals encrypt a company’s data and demand payment to unlock it—is often sold on online black markets and used for identity theft, scam calls, and phishing emails.

The hack is thought to have been carried out by the Russian-speaking AlphV/BlackCat ransomware group, which used a loophole in remote-access Citrix software to gain access to the company’s systems and lock up its data for ransom. The attack is expected to cost UnitedHealth from $2.3 billion to $2.5 billion, and it made two ransom payments to criminal groups, including one of roughly $22 million.

Legislators are trying to prevent disasters like this from happening again. Healthcare providers across the US may soon be forced to shore up their cybersecurity practices following new proposals from the US Department of Health and Human Services’ Office for Civil Rights.

This package of measures includes plans to force providers to use multi-factor authentication, something Change Healthcare did not have in place, according to CEO Andrew Witty’s testimony last year.

Profits at UnitedHealth fell by more than a third in 2024, dropping from roughly $22.3 billion in 2023 to about $14.4 billion.

About Will McCurdy

Contributor

I’m a reporter covering weekend news. Before joining PCMag in 2024, I picked up bylines in BBC News, The Guardian, The Times of London, The Daily Beast, Vice, Slate, Fast Company, The Evening Standard, The i, TechRadar, and Decrypt Media.

I’ve been a PC gamer since you had to install games from multiple CD-ROMs by hand. As a reporter, I’m passionate about the intersection of tech and human lives. I’ve covered everything from crypto scandals to the art world, as well as conspiracy theories, UK politics, and Russia and foreign affairs.

Read Will’s full bio

Read the latest from Will McCurdy