In a devastating cyberattack, UnitedHealth-owned health tech company Change Healthcare has suffered the largest health data breach in U.S. history, with approximately 190 million people affected. The February 2024 ransomware attack has resulted in the theft of sensitive medical records and personal information, sparking widespread concern and outrage.

Change Healthcare, which processes billing and insurance for hundreds of thousands of hospitals, pharmacies, and medical practices across the U.S. healthcare sector, confirmed in January 2025 that the data breach affects nearly 60% of the U.S. population. The company has begun notifying millions of individuals by mail that their personal and health information was stolen by cybercriminals, with a separate public notice published for those whose contact information could not be found.

The ransomware attack, attributed to the Russian-speaking ALPHV/BlackCat gang, was first reported on February 21, 2024, when Change Healthcare's billing systems and insurance claims processing were suddenly disrupted. The company invoked its security protocols, shutting down its entire network to isolate the intruders, causing widespread outages across the healthcare sector.

UnitedHealth later confirmed that the cyberattack was the work of a ransomware gang, with the ALPHV/BlackCat gang claiming responsibility and demanding a ransom. In a shocking turn of events, UnitedHealth paid a ransom of $22 million to the hackers, who then disappeared, leaving behind the stolen data. The U.S. government subsequently upped its bounty to $10 million for information leading to the capture of the ALPHV/BlackCat gang's leaders.

The data breach has sparked widespread disruption across the U.S. healthcare sector, with many unable to access their medical records or pay for healthcare services. The American Medical Association has expressed concern over the lack of information from UnitedHealth and Change Healthcare regarding the ongoing outages, causing massive disruption that continues to ripple across the healthcare sector.

UnitedHealth Group chief executive Andrew Witty testified before lawmakers, admitting that the hackers broke into Change Healthcare's systems using a single set password on a user account not protected with multi-factor authentication, a basic security feature that can prevent password reuse attacks. Witty said that the data breach was likely to affect about one-third of people living in America, a number that has since been revised to approximately 190 million.

The incident has raised serious concerns over the security of healthcare data and the potential consequences of paying ransoms to cybercriminals. Law enforcement agencies have long advocated against paying ransoms, as it allows criminals to profit from cyberattacks and can lead to further extortion.

In the aftermath of the breach, Change Healthcare has begun notifying affected individuals, with the U.S. Department of Health and Human Services reporting the updated number of affected individuals on its data breach portal. The incident serves as a stark reminder of the importance of robust cybersecurity measures and the need for vigilance in protecting sensitive healthcare data.

New details about the hack have emerged in a Nebraska lawsuit, including that the ALPHV hackers initially broke in using the stolen username and password of a "low-level customer support employee," which wasn't protected with multi-factor authentication. The lawsuit accuses Change Healthcare of having poorly segmented IT systems, which allowed the hackers to travel freely between servers once inside the company's firewall.

The full extent of the damage is still unclear, but one thing is certain – the largest health data breach in U.S. history has sent shockwaves across the healthcare sector, highlighting the need for urgent action to protect sensitive medical records and personal information.