The U.S. Department of Health and Human Services has confirmed that a data breach involving UnitedHealth has impacted 100 million individuals, marking it as the largest healthcare data exposure in U.S. history. The breach, attributed to the ALPHV/BlackCat ransomware group, began in February 2024 when the group targeted UnitedHealth's Change Healthcare platform, a critical payment processing system in the healthcare sector.
UnitedHealth's CEO, Andrew Witty, previously indicated that potentially a third of Americans' health information was compromised, but this recent update officially quantifies the breach's scale. The exposed data includes sensitive personal information, financial details, and medical records of millions of Americans.
The ramifications of this attack have been severe, disrupting billing and payment processing across the U.S. healthcare system, affecting hospitals, clinics, and medical practices that rely on Change Healthcare. Following the breach, UnitedHealth reportedly paid a ransom of $22 million to the attackers, but the group executed an 'exit scam,' taking the payment without returning the stolen data.
This incident not only raises concerns about the integrity of healthcare data but also highlights the risks posed by ransomware groups, which can splinter and escalate their demands. Victims are urged to remain vigilant against potential identity theft and fraud, particularly given the detailed information that may now be in the hands of malicious actors.
UnitedHealth has been contacted for comment but has not yet responded.