The cyberattack on Change Healthcare, first detected in February 2024, has grown into what appears to be the single largest exposure of personal health data in American history. UnitedHealth Group, the parent company of Change Healthcare, has estimated that approximately 190 million people were affected by the breach, a figure that dwarfs every prior federal data incident on record. The scale of the compromise, the simplicity of the initial intrusion, and the cascading disruption to medical billing and pharmacy systems across the country have forced a reckoning over how the nation’s largest health conglomerate secures the data of more than half the U.S. population.
How a Single Missing Safeguard Opened the Door
The breach began with a failure so basic it stunned congressional investigators. UnitedHealth Group CEO Andrew Witty told the Senate Finance Committee that attackers gained remote access to Change Healthcare systems through a Citrix portal that lacked multifactor authentication. That single missing layer of security allowed intruders to move laterally through internal networks, exfiltrate sensitive data, and ultimately deploy ransomware nine days after the initial compromise. The timeline between entry and encryption was remarkably short, suggesting the attackers already knew what they were looking for and had a clear plan for monetizing the intrusion.
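The control that was missing in the account above is the kind of thing a defender can audit for rather than discover after the fact. The following Python script is an added example, not code from the article, UnitedHealth Group or Change Healthcare: it parses a constructed authentication-log format from a remote-access gateway, flags every successful login that presented only a password, and summarizes how much of the successful traffic actually used a second factor. The log layout, the `factors=` field, the usernames and the IP addresses are all constructed for the example.

```python
"""
Added example: audit remote-access gateway logins for missing MFA.
Log format, field names and all sample values are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed format: "<ts> user=<name> src=<ip> result=<ok|fail> factors=<f1[,f2]>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>ok|fail) factors=(?P<factors>\S+)$"
)

# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-02-12T03:14:07Z user=svc_billing src=203.0.113.45 result=ok factors=pwd
2024-02-12T03:14:09Z user=jdoe src=198.51.100.7 result=ok factors=pwd,otp
2024-02-12T03:20:41Z user=svc_billing src=203.0.113.45 result=ok factors=pwd
2024-02-12T04:01:00Z user=asmith src=192.0.2.9 result=fail factors=pwd
2024-02-12T04:01:30Z user=asmith src=192.0.2.9 result=ok factors=pwd,otp
2024-02-12T05:15:12Z user=rlee src=203.0.113.45 result=ok factors=pwd
this line is deliberately malformed and must be skipped
"""

# Factors that count as a second factor in this constructed scheme.
SECOND_FACTORS = frozenset({"otp", "push", "fido2"})


@dataclass(frozen=True)
class Login:
    ts: str
    user: str
    src: str
    result: str
    factors: tuple


def parse_log(text: str) -> list:
    """Parse log text into Login records, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the audit
        events.append(
            Login(m["ts"], m["user"], m["src"], m["result"],
                  tuple(m["factors"].split(",")))
        )
    return events


def single_factor_logins(events: list, second_factors=SECOND_FACTORS) -> list:
    """Successful logins that presented none of the accepted second factors."""
    return [
        e for e in events
        if e.result == "ok" and not second_factors.intersection(e.factors)
    ]


def users_without_mfa(events: list) -> set:
    """Accounts with at least one successful password-only login."""
    return {e.user for e in single_factor_logins(events)}


def sources_of_single_factor_logins(events: list) -> Counter:
    """Count password-only successes per source address (useful for triage)."""
    return Counter(e.src for e in single_factor_logins(events))


def mfa_coverage(events: list) -> float:
    """Fraction of successful logins that used a second factor (0.0 if none)."""
    ok = [e for e in events if e.result == "ok"]
    if not ok:
        return 0.0
    with_mfa = len(ok) - len(single_factor_logins(ok))
    return with_mfa / len(ok)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(f"parsed {len(evts)} events")
    print(f"MFA coverage of successful logins: {mfa_coverage(evts):.0%}")
    for e in single_factor_logins(evts):
        print(f"PASSWORD-ONLY LOGIN {e.ts} user={e.user} src={e.src}")
    print("accounts needing MFA enforcement:", sorted(users_without_mfa(evts)))
```

Run as a script, the audit reports the accounts that still log in with a password alone and the share of sessions protected by a second factor; the same parse-and-flag logic can be pointed at a real gateway's export once the regular expression is adapted to that product's log format, which is the one part of this example that is entirely made up.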
UnitedHealth contacted the FBI after discovering the intrusion and, according to reporting from the Associated Press, paid a $22 million ransom to regain control of its systems. Witty framed the payment as a protective measure during his testimony, arguing that the company faced an urgent need to restore critical health infrastructure. The decision to pay nevertheless drew sharp criticism from lawmakers who warned it would incentivize future attacks and underscored how a company processing roughly a third of all U.S. health claims could leave a critical access point unprotected. For many senators, the absence of multifactor authentication on such a sensitive portal was less a technical oversight than a governance failure.
190 Million People and a Rising Count
The true scope of the breach emerged in stages, each update more alarming than the last. Change Healthcare initially reported sending approximately 100 million breach notification letters as of October 22, 2024, according to guidance from the HHS Office for Civil Rights. By January 24, 2025, the company revised its estimate to approximately 190 million impacted individuals. That figure represents more than half the U.S. population, making the incident, by number of affected individuals, far larger than any previously recorded American data breach and raising questions about how many people even realize their information may now be in criminal hands.
To put that number in perspective, the 2015 breach of the Office of Personnel Management, long considered the benchmark for catastrophic federal data loss, affected approximately 21 million people, as documented in a House Oversight report. The OPM hack exposed background investigation files, fingerprints, and Social Security numbers of federal employees and contractors. The Change Healthcare breach involves a different but equally sensitive category of information: health records, insurance details, and payment data tied to everyday doctor visits, prescriptions, and procedures. For the individuals caught up in it, the exposure creates a dual risk of financial fraud and medical identity theft, a combination that can take years to detect and untangle, especially when fraudulent medical histories are mixed into legitimate records.
Why This Breach Differs from SolarWinds and OPM
Previous large-scale cyber incidents targeted government infrastructure or software supply chains rather than a single commercial hub that sits in the middle of routine care. The SolarWinds campaign, described by the Government Accountability Office as one of the most widespread and sophisticated hacking operations ever conducted against federal networks, was primarily an espionage effort. Its damage was measured in compromised agencies and sensitive government communications rather than in the number of ordinary Americans whose personal data was exposed. The OPM breach, while devastating for the people it touched, was also contained to a defined population of government workers and their contacts.
The Change Healthcare hack is different because it struck a commercial chokepoint that underpins much of the private health system. Change Healthcare processes claims, prescriptions, and payment transactions for a vast network of hospitals, pharmacies, and insurers. When the ransomware locked those systems, the disruption was immediate and nationwide, delaying prescription fills and stalling provider payments for weeks. UnitedHealth Group provided financial assistance to affected providers during the outage, according to Witty’s testimony, but smaller practices and rural pharmacies reported severe cash flow problems as reimbursements slowed or stopped. The breach exposed a structural vulnerability: concentrating so much of the health system’s transaction processing in a single company means a single point of failure can ripple across the entire sector, interrupting care even for patients whose data may never have been directly touched by the attackers.
Regulatory and Legal Fallout Is Still Building
UnitedHealth Group filed a detailed Form 8-K with the Securities and Exchange Commission disclosing the incident, with the earliest event reported as February 21, 2024. Witty also submitted written responses to follow-up questions from the Senate Finance Committee, attempting to explain the company’s security posture before the attack, its incident response decisions, and its evolving breach notification process. Reporting from the Wall Street Journal indicates that the stolen data includes sensitive health and payment information, reinforcing concerns that the exposed records could fuel coordinated fraud schemes and targeted scams for years to come.
Regulators and lawmakers are signaling that the Change Healthcare incident will not be treated as an isolated event but as a test case for how aggressively the government will police cyber risk in critical health infrastructure. The Department of Health and Human Services’ civil rights office has emphasized that covered entities and their business associates remain responsible for safeguarding protected health information even when it flows through complex vendor networks. On Capitol Hill, members of both parties are pressing for clearer requirements around multifactor authentication, network segmentation, and rapid breach notification. The incident is also likely to feature prominently in future oversight work by committees such as the House Oversight panel, which has previously examined large federal data breaches and may look to extend similar scrutiny to dominant private-sector intermediaries that handle federal health program data.
What the Breach Means for Patients and the Health System
For patients, the Change Healthcare hack is not just a story about corporate cybersecurity; it is an ongoing risk that may surface years after the initial headlines fade. Stolen health and insurance information can be used to open fraudulent accounts, submit false claims, or obtain prescription drugs under someone else’s name. Because medical billing data is deeply intertwined with diagnoses and treatment histories, victims may also find inaccurate information inserted into their records, complicating future care. Unlike a compromised credit card number, which can be canceled and reissued, intimate details about a person’s health cannot be changed, making this category of data particularly attractive to criminals and especially difficult to remediate once exposed.
The health system as a whole now faces a difficult balancing act between efficiency and resilience. Consolidating claims processing and pharmacy transactions in a few large intermediaries has delivered cost savings and streamlined workflows, but the Change Healthcare incident shows how that efficiency can come at the price of systemic fragility. Hospitals, insurers, and regulators are beginning to reassess their dependence on single vendors for mission-critical functions and to explore backup arrangements that could keep claims and prescriptions flowing during a future outage. Whether those efforts result in new regulations, voluntary industry standards, or a mix of both, the breach has already reset expectations: cybersecurity for core health infrastructure is no longer a back-office IT concern but a central element of patient safety and national resilience.
*This article was researched with the help of AI, with human editors creating the final content.