The number of people impacted by last year’s ransomware attack on Change Healthcare has increased to nearly 200 million.
UnitedHealth, the company that owns Change Healthcare, provided an updated figure on Friday evening that was first reported by the Wall Street Journal.
In a statement, a UnitedHealth spokesperson told Recorded Future News that the estimated total number of individuals impacted by the cyberattack is now “approximately 190 million.”
“The vast majority of those people have already been provided individual or substitute notice,” the company said, noting that the final number of those impacted will be confirmed and sent to the Department of Health and Human Services’ Office for Civil Rights “at a later date.”
In October, Change Healthcare, a healthcare technology company, updated filings with the federal government to warn that about 100 million people had information accessed.
UnitedHealth did not respond to multiple questions about when the company first learned of the additional 90 million victims, how it determined the new number and what changed since the last update. HHS did not respond to requests for comment.
UnitedHealth’s CEO previously told Congress that about one-third of all Americans had information processed in some way by the company because it handles about 1 in 3 medical records and processes about half of all medical claims in the U.S.
The company admitted in June that the hackers behind the incident likely accessed health insurance information, extensive personal health information like test results and images, financial and banking information as well as personal data like Social Security numbers.
But after completing more than 90% of its review of the data accessed and stolen, UnitedHealth claimed it found “no evidence” that materials such as doctors’ charts or full medical histories were exfiltrated.
In its statement on Friday, a UnitedHealth spokesperson said the company has “not seen electronic medical record databases appear in the data during the analysis.”
The company paid a $22 million ransom to the cybercrime gang behind the incident, but a dispute among them led to the data being posted on another group’s leak site. Since the attack occurred, Change Healthcare and UnitedHealth have spent months going through the stolen documents to see who needed to be notified.
HHS told Change Healthcare in May that it would have to file breach notification letters to all victims on behalf of the thousands of affected hospitals, doctor’s offices, pharmacies and other facilities.
“This ensures that the potentially millions of Americans, including the elderly, the disabled, those with limited English proficiency, those with limited access to technology, and more, will understand the impact of this breach on their private medical records and their health care,” Melanie Fontes Rainer, director of HHS’s Office for Civil Rights (OCR), said last year.
While the company is still determining the full extent of the breach, so far it has confirmed that names, addresses, dates of birth, phone numbers, and email addresses were leaked to the hackers.
UnitedHealth said the attackers also likely accessed some combination of:
Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers).
Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment).
Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due).
Other personal information such as Social Security numbers; driver’s licenses or state ID numbers; or passport numbers.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.