
190 million people affected by Change Healthcare cyberattack

The figure of 190 million people has been amended from past estimates, which put the total at about 100 million.

Jeff Lagasse, Editor


Change Healthcare has confirmed that about 190 million people were affected by the 2024 cyberattack that caused upheaval in the healthcare industry, with the majority of those having already been notified.

UnitedHealth Group, Change's parent company, said in a statement that the final number will be filed with the Office for Civil Rights at a later date, after final confirmation.

"Change Healthcare is not aware of any misuse of individuals' information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis," a Change spokesperson said by email.

The February 21, 2024 cyberattack disconnected Change from claims payments for hospitals and physician practices, disrupting provider revenue and financial stability to the point of potential bankruptcy for some practices, the American Medical Association said last year.

WHAT'S THE IMPACT?

The figure of 190 million people has been amended from past estimates, which put the total number of impacted people at about 100 million. Either way, the data breach, which was confirmed to be the result of a ransomware attack, is the largest known breach at a HIPAA-regulated entity.

The previous record was set by Anthem in 2015 and affected 78.8 million individuals, according to the HIPAA Journal.

The breach had widespread effects. An April 2024 survey from the American Medical Association found more than three-quarters of physician practices experienced severe disruptions due to the cyberattack: 36% experienced suspension in claim payments, 32% were unable to submit claims, and 39% were unable to obtain electronic remittance advice.

Because of the claims issues, 80% of practices lost revenue from unpaid claims and 85% committed additional staff and time to complete revenue cycle tasks.

In May, UnitedHealth Group CEO Andrew Witty confirmed to Congress that he made the decision to pay $22 million in bitcoin ransom to protect the health information of patients.

UHG CFO John Rex said last April that the cyberattack was projected to cost between $1 billion and $1.5 billion in 2024.

THE LARGER TREND

UnitedHealth Group's Optum bought Change for $13 billion two years ago.

In December the Nebraska Attorney General filed a lawsuit against UnitedHealth Group and its Change and Optum subsidiaries, claiming the companies violated state laws on consumer protection following the cyberattack.

In the complaint, Nebraska AG Mike Hilgers said the data breach and subsequent operational shutdown exposed the PHI of what his office believes to be "at least hundreds of thousands of Nebraskans, if not over a million."

The lawsuit alleges a number of systemic failures, including outdated and poorly segmented IT systems that failed to meet enterprise security standards; an inadequate response to the breach, including the failure to detect unauthorized access for over a week, allowing hackers to establish themselves unnoticed inside Change's systems and access PHI; and delays in notifying consumers of the breach, with affected Nebraskans only beginning to receive notifications nearly five months after the breach was discovered.

Jeff Lagasse is editor of Healthcare Finance News.
Email: jlagasse@himss.org
Healthcare Finance News is a HIMSS Media publication.