
Change Healthcare has revised the estimated number of individuals affected by its February 2024 ransomware breach to 192.7 million, nearly doubling its initial disclosure of 100 million victims.
The updated figure makes this incident the largest healthcare-related data breach in U.S. history.
The new number was submitted to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on July 31, 2025, as confirmed in an update to the agency’s FAQ page.
The breach, which stemmed from a ransomware attack orchestrated by the ALPHV/BlackCat group, exploited a Citrix portal lacking multi-factor authentication. Once inside, the attackers moved laterally across the network for nine days, exfiltrating sensitive data and ultimately deploying ransomware. The attack severely disrupted critical systems that underpin large segments of the U.S. healthcare infrastructure, including pharmacy claims processing, medical billing, and payment systems.
Change Healthcare, a core subsidiary of UnitedHealth Group (UHG), plays a pivotal role in the national healthcare system. The company handles billions of transactions annually and supports key clients such as Medicare, Tricare, and CVS-Caremark, making it a critical link in the administrative machinery of hospitals, pharmacies, and insurers. Any cybersecurity event affecting its systems can have cascading consequences across the entire healthcare ecosystem.
The latest figures indicate that nearly 57% of the U.S. population may have been impacted, with stolen data likely including personally identifiable information (PII) and protected health information (PHI) such as names, Social Security numbers, medical histories, insurance claims, and payment details. OCR continues to investigate whether a breach of unsecured PHI occurred and is assessing Change Healthcare’s and UHG’s compliance with HIPAA requirements.
As of October 2024, Change Healthcare reported having sent notifications to 100 million individuals. By January 2025, that number had risen to 130 million, with the company estimating at the time that approximately 190 million people were affected. The latest update brings the official estimate to 192.7 million, reflecting the results of continued internal investigations.
For affected individuals and organizations, the implications are substantial. Although UnitedHealth Group has offered to assume breach notification responsibilities on behalf of partners, the onus remains on covered entities to ensure HIPAA compliance. OCR has reiterated that the 60-day deadline to notify affected individuals does not begin until Change Healthcare or UHG provides sufficient breach details to its partners.