Wasteland.
Ransomware | CHANGE-HEALTHCARE | 2026-06-08

Change Healthcare: 190M Record Ransomware Breach

Change Healthcare, a UnitedHealth Group subsidiary, has confirmed that approximately 190 million individuals had their personal information compromised in a ransomware attack that began in February 2024. The disclosure makes this the largest healthcare data breach ever recorded, affecting more than half of the U.S. population and surpassing the previous record set by the 2015 Anthem breach (78.8 million).

What Happened

In February 2024, ransomware operators infiltrated Change Healthcare, a critical hub in the U.S. healthcare payment ecosystem that processes billions of transactions annually. The intrusion forced the company to take down systems handling prescription processing, insurance claims, and payment operations, triggering cascading disruptions across thousands of hospitals, pharmacies, and physician practices nationwide. After more than a year of forensic analysis and victim notifications, Change Healthcare has now confirmed the final impact figure at approximately 190 million individuals, a number that more than doubles the previous all-time healthcare breach record.

What Was Taken

The exposed data set is exceptionally sensitive and broad in scope, creating long-term identity theft and fraud risks for victims. Compromised information includes:

The combination of medical, financial, and identity data in a single breach gives threat actors a uniquely complete profile of affected individuals, dramatically increasing the downstream value of the stolen records on criminal markets.

Why It Matters

This incident is a defining moment for critical infrastructure cybersecurity. Change Healthcare is not a peripheral target: it is a chokepoint for U.S. healthcare commerce, and its compromise demonstrates how a single ransomware event can ripple across an entire sector. Industry data shows ransomware attacks against healthcare have climbed 95% over the past two years, with ransom demands routinely reaching seven and eight figures. For defenders, the message is clear: ransomware is no longer one risk among many. It is the dominant enterprise threat, and organizations operating within concentrated service ecosystems face systemic, not just organizational, exposure.

The Attack Technique

While Change Healthcare has not publicly detailed every aspect of the initial intrusion, the operation aligns with the modern dual-extortion ransomware playbook used by top-tier criminal affiliates: gain initial access, escalate privileges, move laterally to identify high-value data stores, exfiltrate sensitive records, and then deploy ransomware to encrypt production systems. This dual-pressure model, encryption plus the threat of data leak, has become the default operating procedure for sophisticated ransomware crews, particularly against targets where operational downtime carries immediate public-safety consequences.

What Organizations Should Do

  1. Map third-party and supply-chain concentration risk. Identify any single vendor whose outage would halt core operations and develop contingency plans before, not during, an incident.
  2. Enforce phishing-resistant MFA across all remote access, VPN, VDI, and administrative consoles, eliminating SMS and push-only authentication for privileged users.
  3. Segment networks aggressively to constrain lateral movement, isolating clinical, billing, and identity infrastructure from one another.
  4. Deploy and monitor EDR with 24/7 response coverage, treating alert triage as a real-time function rather than a next-business-day workflow.
  5. Maintain immutable, offline backups of critical systems and regularly rehearse full restoration under realistic failure conditions.
  6. Build and test a ransomware playbook that includes legal, regulatory notification, communications, and operational continuity tracks, with clear decision authority for shutdown and recovery actions.
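As an added example (not from the brief, and not Change Healthcare's or any vendor's own tooling), the following Python script performs the concentration mapping in item 1 on a constructed, hypothetical dependency map: for each vendor it lists the core functions that would halt outright if that vendor went down, flags functions that have no alternative provider today, and shows how adding a contingency provider changes the picture. All function and vendor names are placeholders.

```python
"""Third-party concentration mapping: which single vendor outage halts core operations?

Constructed example data only; function and vendor names are hypothetical placeholders.
Each core business function lists every provider able to deliver it. A vendor is a
chokepoint when its outage leaves at least one function with no remaining provider.
"""

# Constructed sample dependency map: core function -> providers that can deliver it.
DEPENDENCIES = {
    "claims_clearing":    ["clearinghouse_a"],
    "eprescribing":       ["clearinghouse_a", "rx_network_b"],
    "eligibility_checks": ["clearinghouse_a"],
    "payment_remittance": ["clearinghouse_a", "bank_gateway_c"],
    "identity_provider":  ["idp_d"],
    "clinical_ehr":       ["ehr_e"],
}


def halted_functions(deps, down_vendor):
    """Functions that stop entirely if `down_vendor` is unavailable (sorted by name)."""
    return sorted(
        func for func, providers in deps.items()
        if down_vendor in providers
        and not [p for p in providers if p != down_vendor]  # no surviving provider
    )


def concentration_report(deps):
    """Every vendor paired with the functions its outage halts, worst offender first."""
    vendors = {p for providers in deps.values() for p in providers}
    report = {v: halted_functions(deps, v) for v in vendors}
    # Sort by number of halted functions (descending), then by vendor name for stability.
    return sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def single_provider_functions(deps):
    """Functions with exactly one provider: no contingency exists today."""
    return sorted(func for func, providers in deps.items() if len(set(providers)) == 1)


def add_contingency(deps, func, backup_vendor):
    """Return a new map with `backup_vendor` added as an alternative for `func` (non-mutating)."""
    updated = {f: list(p) for f, p in deps.items()}
    if backup_vendor not in updated[func]:
        updated[func].append(backup_vendor)
    return updated


if __name__ == "__main__":
    for vendor, halted in concentration_report(DEPENDENCIES):
        if halted:
            print(f"{vendor}: outage halts {', '.join(halted)}")
    print("functions with a single provider:", single_provider_functions(DEPENDENCIES))
```

Run against a real inventory, the vendor at the top of the report is the one whose contingency plan item 1 asks you to write first.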

Sources: Ransomware hits 190M in record healthcare breach | TMC Insight