Cyberattack at UnitedHealth subsidiary Change Healthcare affected 100M Americans

Data recently posted on a federal website shows the cyberattack earlier this year at a UnitedHealth Group subsidiary affected 100 million patients — apparently a record in the U.S.

The tally roughly matches the scope previously described by company Chief Executive Andrew Witty, who suggested during congressional testimony in May that data for 1 in 3 Americans could be affected by the hack.

The data breach at United’s subsidiary, called Change Healthcare, is by far the largest breach currently showing on the federal website. This list, however, doesn’t include incidents from more than two years ago, a 2015 breach at health insurer Anthem Inc. that affected data for about 79 million patients.

“We continue to notify potentially impacted individuals as quickly as possible, on a rolling basis, given the volume and complexity of the data involved and the review is in its final stages,” UnitedHealth Group said in a statement.

Minnetonka-based UnitedHealth Group owns UnitedHealthcare, the nation’s largest health insurer, and a fast-growing health services division called Optum, which acquired Change Healthcare for $13 billion in 2022.

Change Healthcare is involved in processing a large share of all health care claims and payments in the U.S. -- roughly 15 billion health care transactions annually, affecting one in three patient records, according to federal officials.

The cyberattack forced UnitedHealth Group to shut down Change Healthcare’s system for processing medical claims, which created financial problems for hospitals and clinics across the country. For a time, the outage also snarled pharmacy counters, with some patients saying they struggled to fill prescriptions.

Earlier this year, the federal government opened an investigation to determine if a breach of protected health information occurred and whether UnitedHealth Group and Change Healthcare were in compliance with federal privacy, security, and breach notification rules.

The U.S. Department of Health and Human Services, which maintains the data breach listing, did not immediately respond to questions about the post, which was reported Thursday by trade publication Modern Healthcare.

UnitedHealth Group first disclosed the cyberattack in February.

In May, when Witty told lawmakers the breach might have affected data for about one-third of all U.S. residents, the U.S. population stood at about 336 million, according to the U.S. Census Bureau.

The company started sending letters to patients about the hack in July and August, saying information ranging from health conditions to Social Security numbers may have been accessed.

UnitedHealth Group says it has repaired the impacted systems at Change Healthcare.

“We continue to work with customers to bring transaction volumes back to pre-event levels and to win new business with our now more modern, secure and capable offerings,” Chief Financial Officer John Rex said during a call with investors earlier this month. “We expect to continue to build back the business to pre-attack levels over the course of ‘25.”

The company estimated total financial impact for the company from the cyberattack, before adjusting for tax benefits, would be about $2.77 billion — up from a July estimate of up to $2.45 billion. After adjusting for tax benefits, the total financial hit could be about $2.24 billion, the company says.

The Federal Trade Commission offers a range of advice for people who have been affected by a data breach based on what type of personal information was exposed, at IdentityTheft.gov/databreach. Credit bureaus such as Experian also offer detailed advice on how to respond.

UnitedHealth Group is making available complimentary credit monitoring and identity protection services through IDX. To enroll, people can use the link at changecybersupport.com or call toll-free 888-846-4705. For additional support from Change Healthcare, consumers can call toll-free 866-262-5342.