top of page


  • Marijan Hassan - Tech Journalist

Change Healthcare reveals the medical data stolen in ransomware attack

Change Healthcare, a subsidiary of UnitedHealth Group has finally revealed the extent of the medical data stolen during the February ransomware attack that crippled the nation's healthcare payment system. The attack, attributed to the cybercrime group ALPHV/BlackCat, sent shockwaves through the industry, raising concerns about patient privacy and disrupting healthcare operations nationwide.

Worth noting is that UnitedHealth admitted to paying a ransom demand, allegedly $22 million to the BlackCat group. However, the group refused to split the payment with the actual group (affiliate) that conducted the attack.

As a result the affiliate never deleted the stolen data as promised, and instead began leaking some of it on the RansomHub data leak site. The affiliate is demanding an additional payment for the data not to be released.

Change Healthcare did not specify the exact number of individuals affected but wrote that a "substantial quantity of data" for a "substantial proportion of people in America" had been exposed in the attack. During a congressional hearing, UnitedHealth CEO Andrew Witty also stated that "maybe a third '' of all America's health data was exposed in the attack.

According to the company’s data breach notification, stolen data includes:

  • Patient demographics: Names, addresses, dates of birth

  • Medical history: Diagnoses, medications, procedures, test results, images

  • Insurance information: Policy numbers, provider details, plan, member/group ID numbers, Medicaid-Medicare-government payor ID number

  • Billing, claims, and payment information

  • Other personal information including Social Security numbers, driver’s licenses, state ID numbers, passport numbers

Change Healthcare emphasizes that they are still investigating the scope of the breach and are working to notify affected individuals. The company has also assured patients that they are taking steps to improve their cybersecurity measures to prevent similar attacks in the future.

"The review of personal information potentially involved in this incident is in its late stages. CHC is providing this notice now to help individuals understand what happened, let them know that their information may have been impacted, and give them information on steps they can take to protect their privacy, including enrolling in two years of complimentary credit monitoring and identity theft protection services if they believe that their information may have been impacted," the breach notification read.


bottom of page