In a stunning revelation, UnitedHealth has confirmed that a ransomware attack on its Change Healthcare unit last February affected a staggering 190 million people in the United States, nearly doubling previous estimates. The U.S. health insurance giant confirmed the latest number to TechCrunch on Friday after the markets closed.

The attack, which occurred in February 2024, is now considered the largest breach of medical data in U.S. history, causing months of outages across the U.S. healthcare system. Change Healthcare, a healthtech giant and UnitedHealth subsidiary, is one of the largest handlers of health, medical data, and patient records, as well as one of the biggest processors of healthcare claims in the United States.

The data breach resulted in the theft of massive quantities of health and insurance-related information, some of which was published online by the hackers who claimed responsibility for the breach. Change Healthcare subsequently paid at least two ransoms to prevent further publication of the stolen files. The stolen data includes sensitive information such as names and addresses, dates of birth, phone numbers and email addresses, and government identity documents, including Social Security numbers, driver's license numbers, and passport numbers.

The breach also compromised health data, including diagnoses, medications, test results, imaging and care and treatment plans, and health insurance information. Furthermore, financial and banking information found in patient claims were also stolen. UnitedHealth previously put the number of affected individuals at around 100 million people when the company filed its preliminary analysis with the Office for Civil Rights, the unit under the U.S. Department of Health and Human Services that investigates data breaches.

According to Tyler Mason, a spokesperson for UnitedHealth Group, "Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million. The vast majority of those people have already been provided individual or substitute notice. The final number will be confirmed and filed with the Office for Civil Rights at a later date."

Notably, UnitedHealth's spokesperson said the company was "not aware of any misuse of individuals' information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis." However, the sheer scale of the breach raises significant concerns about the security of sensitive medical data and the potential consequences for those affected.

The incident highlights the vulnerability of healthcare systems to cyberattacks and the need for robust security measures to protect sensitive patient data. As the healthcare industry continues to grapple with the fallout of this massive breach, it remains to be seen what measures will be taken to prevent such incidents in the future.

In the meantime, the 190 million individuals affected by the breach will be left wondering about the security of their personal information and the potential consequences of this massive data breach. As the investigation continues, one thing is clear: the healthcare industry must take immediate action to address the glaring security gaps that allowed this breach to occur.