UnitedHealth Group has revealed that the number of individuals impacted by the Change Healthcare data breach resulting from a February 2024 ransomware attack is approximately 190 million. 

The healthcare technology giant previously reported that the incident impacted roughly 100 million people, making it the biggest healthcare data breach of 2024 by far. Now, the company estimates that 190 million individuals have actually been impacted by the cyberattack.

“The vast majority of those people have already been provided individual or substitute notice,” UnitedHealth told SecurityWeek in an emailed statement. 

“Change Healthcare is not aware of any misuse of individuals’ information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis. Support resources and information are available at changecybersupport.com,” the company added.

The security breach occurred in February, when, according to UnitedHealth, cybercriminals used compromised credentials to enter a remote access portal that was not protected by multi-factor authentication.

The attackers, affiliates of the Alphv/BlackCat ransomware group, had access to the healthcare organization’s systems for nine days — in this time frame they moved laterally and exfiltrated sensitive patient data — before deploying file-encrypting malware.

UnitedHealth paid a $22 million ransom to prevent a data leak, but the BlackCat group pulled an exit scam to avoid sharing the ransom with the affiliate that conducted the attack.  

This led to another major ransomware group, RansomHub, attempting to extort the healthcare giant in April and publishing some of the stolen files. 

According to the most recent estimates made by Change Healthcare, the cyberattack had been expected to cause losses totaling nearly $2.9 billion. That amount may increase in light of the new revelations. 

Prior to Change Healthcare’s new impact estimation, the US Department of Health and Human Services’ Office for Civil Rights received information about more than 700 healthcare data breaches impacting roughly 186 million user records. However, with this new estimate, the total number of impacted records exceeds 275 million. 

Change Healthcare told SecurityWeek that “the final number will be confirmed and filed with the Office for Civil Rights at a later date”.

Related: US Offering $10 Million Reward for Information on Change Healthcare Hackers

Related: Major Addiction Treatment Firm BayMark Confirms Ransomware Attack Caused Data Breach

Related: Medical Billing Firm Medusind Says Data Breach Impacts 360,000 People