UnitedHealth confirms ransomware attack exposed health data of 4.2 million patients, prompting federal cybersecurity probe
UnitedHealth confirmed that its Change Healthcare unit was hit by a ransomware attack in February 2024, exposing health data of about 4.2 million patients across its U.S. network. According to company officials, the attack, attributed to the ALPHV/BlackCat group, involved theft of protected health information and personally identifiable information, and UnitedHealth paid a $22 million ransom without recovering the stolen data.
The ransomware attack on UnitedHealth’s Change Healthcare unit, which occurred on Feb. 21, 2024, disrupted critical claims, billing, and prescription-processing systems nationwide, according to company officials and multiple reports. The incident, attributed to the ALPHV/BlackCat ransomware group, involved the theft of approximately six terabytes of data containing protected health information (PHI) and personally identifiable information (PII), sources confirmed. UnitedHealth disclosed that about 4.2 million patients had their health data exposed in the breach, though other estimates tied to the broader incident have ranged as high as 190 million people, or roughly one-third of the U.S. population, according to congressional testimony and external reporting.
UnitedHealth CEO Andrew Witty testified before lawmakers in May 2024 that the company paid a $22 million ransom in Bitcoin to the attackers but did not recover the stolen data, a fact confirmed in public disclosures and congressional hearings.
The ransom payment and lack of data recovery have fueled ongoing scrutiny from federal agencies, including the U.S. Department of Health and Human Services (HHS), which is investigating the breach, according to sources familiar with the probe. The House Energy and Commerce Committee has also conducted hearings to examine the circumstances of the attack, the adequacy of cybersecurity protections at Change Healthcare, and the scope of the data exposed.
The cyberattack caused widespread operational disruptions across the U.S. healthcare network, delaying prescriptions, claims processing, and provider payments, officials said. The attack’s impact extended beyond UnitedHealth, affecting hospitals, pharmacies, and other healthcare providers that rely on Change Healthcare’s systems for critical payment and eligibility functions. The American Hospital Association described the event as the most significant cyberattack on the U.S. healthcare system to date, underscoring the systemic risks posed by breaches of centralized service providers.
Financially, UnitedHealth has faced substantial costs related to the incident. Reports indicate that the company incurred approximately $870 million in response and recovery expenses during the first quarter of 2024, with projected annual costs ranging between $1.4 billion and $1.6 billion. These figures include remediation efforts, legal fees, and operational disruptions. Multiple class-action lawsuits have been filed against UnitedHealth and Change Healthcare, alleging violations of the Health Insurance Portability and Accountability Act (HIPAA) due to the exposure of sensitive patient data, legal experts said.
Congressional criticism has focused on whether Change Healthcare employed adequate cybersecurity measures, including multifactor authentication (MFA), which is considered an industry best practice. Lawmakers and industry analysts have emphasized that the breach highlights vulnerabilities in third-party vendors that handle vast amounts of healthcare data, raising concerns about the security of the broader healthcare ecosystem. Testimony revealed that some of the stolen information may have been posted, or threatened with release, on dark web platforms, increasing the risk of further exploitation.
The data stolen in the attack included health records used for claims processing, billing, and patient eligibility verification, according to UnitedHealth disclosures and investigative reports. The breach not only compromised personal and medical information but also disrupted the flow of healthcare payments and services nationwide. UnitedHealth’s public statements and congressional testimony made clear that the incident was not limited to operational disruption but involved significant data exfiltration, marking it as one of the largest healthcare data breaches on record.
The federal cybersecurity investigation and ongoing legislative oversight aim to assess the causes and consequences of the attack, as well as to develop strategies to prevent similar incidents. Industry groups have called for enhanced security standards and greater accountability for third-party healthcare service providers. Meanwhile, UnitedHealth continues to manage the fallout from the breach, including notification efforts to affected patients and coordination with federal regulators. The incident has intensified national discussions about ransomware response strategies, including the implications of paying ransoms and the challenges of data recovery following cyberattacks.