Network Security, Breach, Privacy

Change Healthcare breach affected 100 million Americans


UnitedHealth on Oct. 22 confirmed to the Department of Health and Human Services (HHS) that 100 million Americans were affected by the Change Healthcare breach in February, making it the largest healthcare breach on record.

In terms of actual records lost, the Change Healthcare breach is smaller when compared with the 2013 Yahoo breach, in which more than 3 billion accounts were hacked into, or the National Public Data hack in April 2024 where 2.9 billion records were affected.

HHS’s Office for Civil Rights (OCR) officially posted the news Oct. 24 on its data breach portal, the first time UnitedHealth formally confirmed the 100 million number. An updated FAQ on the OCR website said that UnitedHealth told OCR that 100 million individuals were sent letters about the breach.

Prior to this recent notification, when UnitedHealth CEO Andrew Witty testified before the Senate Finance Committee in May, he told lawmakers that "maybe a third" of Americans' protected health information and personally identifiable information (PII) was stolen.

This past summer, data breach notifications issued by UnitedHealth detailed the broad scope of the attack. Here are the highlights of the information that was stolen:

  • Health insurance information, such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
  • Health information such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment.
  • Billing, claims and payment information, such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due.
  • Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.

Did UnitedHealth really need all that time to confirm?

This late confirmation by UnitedHealth that more than 100 million individuals were affected in the February breach highlights the difference between business continuity and disaster recovery, said Toby Gouker, chief security officer at First Health Advisory. Gouker, an SC Media columnist, said it’s common for an organization to focus on “keeping the lights on” by running its business continuity playbooks.

“Once stability of operations has been secured in the first few weeks/months, they can then begin the arduous task of assessing/correcting the extent of the disastrous effects of the breach,” said Gouker. “With a sophisticated attack like this, where malicious actors often practice the art of obfuscation, it can take months/years to fully correct all the damage caused by an attack.”

Dan Ortega, security strategist at Anomali, added that the confirmation cycle for UnitedHealth is within the standard range for a regulated organization. UnitedHealth operates as a very large, very complex entity from a systems point of view, said Ortega, and the regulatory framework is equally large and complex.

“Considering all the variables and processes involved, the timeframe for confirmation seems within reason,” said Ortega. “However, this doesn’t mean that it’s acceptable from an operational efficiency or public safety standpoint. In an environment where threat actors move at machine speed, it’s going to be important to balance regulatory compliance with operational agility.”

Darren Guccione, co-founder and CEO of Keeper Security, said in large-scale breaches like the Change Healthcare incident, organizations need significant time to assess the scope and impact, especially when they’re handling the potential compromise of millions of records with sensitive data. Guccione said these investigations are often complex and require exhaustive data validation and coordination to confirm the exact number of people affected.

“Breaches of this nature highlight the importance of staying vigilant,” said Guccione. “By the time an organization confirms the breach – sometimes months after it occurred – and has notified all of the parties affected, attackers may have already acted on the exposed information. That’s why proactive measures like following cybersecurity best practices and regularly checking for exposed credentials on the dark web can be essential.”
