Previously, the largest health care data breach was recorded in 2015, impacting 78.8 million individuals. However, a new incident has significantly surpassed that figure.
This latest cyberattack has reached an alarming scale, affecting an unprecedented 100 million people, and it has targeted UnitedHealth Group, the world’s largest health care company by revenue.
The breach occurred in February 2024, following a ransomware attack that brought pharmacies across the nation to a standstill, according to initial reports from Reuters. The attack specifically targeted Change Healthcare, a subsidiary of UnitedHealth Group responsible for managing financial transactions for medical providers. Cybercriminals gained access to the Change Healthcare employee system due to insufficient multi-factor authentication for login credentials.
A statement from the U.S. Senate Committee on Finance described the devastating consequences of the breach, which included unfilled prescriptions, unpaid doctors and hospitals, and insurance companies unable to reimburse medical providers. Senator Ron Wyden (D-Oregon) remarked, “The Change Healthcare hack is regarded by many as the most significant cybersecurity disruption in American health care history.”
Approximately one-third of all U.S. citizens are somehow linked to Change Healthcare, which means a vast amount of personal information is at risk. The CEO of Change Healthcare noted that the compromised files included the personal health data of “a substantial proportion of people in America,” as reported by TechCrunch.
The attack has been attributed to the BlackCat ransomware hacking group, a claim confirmed by Change Healthcare. This Russian-based group later boasted on the dark web about stealing health and patient information from millions of Americans.
In a subsequent update, the U.S. Department of Health and Human Services revised the number of affected individuals in its data breach portal, revealing a staggering total of 100 million people. An industry publication even suggested that this figure might fluctuate, as covered by DailyMail. While this could indicate that the true number could be lower, it equally might rise.
The scale of this breach makes the recent incident affecting 5.3 million records in Mexican health care systems seem trivial by comparison.