Change Healthcare says 100 million people impacted by February ransomware attack

Change Healthcare updated filings with the federal government to warn that about 100 million people had information accessed by hackers during a ransomware attack in February. 

The Department of Health and Human Services’s (HHS) Office for Civil Rights said Change Healthcare notified them on October 22 that “approximately 100 million individual notices have been sent regarding this breach.”

In June, the company admitted that the hackers behind the incident likely accessed health insurance information, extensive personal health information like test results and images, financial and banking information as well as personal data like Social Security numbers. 

The company also updated its filing in HHS’ breach notification portal to reflect the new 100 million figure. 

The notice this week followed a decision by HHS in May to allow Change Healthcare to file breach notifications on behalf of the thousands of organizations impacted by the ransomware attack — which crippled the U.S. healthcare system for months due to the company’s pivotal role in the processing of payments and prescriptions.

Change Healthcare’s CEO previously told Congress that about one-third of all Americans had information processed in some way by the company because it handles about one in every three medical records and processes about half of all medical claims in the U.S.

The ransomware attack, launched by a now-defunct gang taken down by law enforcement, has become one of the largest breaches in U.S. history. 

UnitedHealth, which owns Change Healthcare, said the attack caused $872 million in losses and in an April earnings call estimated the direct costs at $1 billion to $1.15 billion. 

The company paid a $22 million ransom to the hackers behind the incident. A dispute between the hackers led to the data being posted on another leak site. 

The incident has become illustrative of the national security implications of ransomware — leaking reams of sensitive healthcare information onto the dark web and causing outsized damage to hospitals, doctors and pharmacies that are still dealing with claims backlogs. 

Lawmakers have tried to use the incident as a way to push through new regulations governing cybersecurity minimum standards in the healthcare industry and some have even floated potential penalties for UnitedHealth leaders.