PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

PCMag UK

UnitedHealth Now Estimates 190 Million Were Impacted by Cyberattack

The attack was originally thought to have impacted about 100 million Americans.

Will McCurdy
 & Will McCurdy Contributor

Our team tests, rates, and reviews more than 1,500 products each year to help you make better buying decisions and get more from technology.

Our Expert
LOOK INSIDE PC LABS HOW WE TEST
65 EXPERTS
43 YEARS
41,500+ REVIEWS
(Credit: Tiffany Hagler-Geard/Bloomberg via Getty Images)

UnitedHealth now estimates that 190 million people were impacted as a result of the cyberattack on its Change Healthcare unit last February—almost double previous estimates.

The attack disabled the company’s IT systems and affected treatment for months. It led to personal information like names, physical addresses, birth dates, Social Security numbers, driver's license numbers, passport numbers, as well as medical and financial data being compromised. The company began notifying impacted customers in July 2024.

“The vast majority of those people have already been provided individual or substitute notice,” said Tyler Mason, a spokesperson for UnitedHealth Group, in an email to TechCrunch, which first reported the updated numbers.

“The final number will be confirmed and filed with the Office for Civil Rights at a later date,” he added. Mason said he was “not aware” of “any misuse of individuals’ information as a result of this incident” and said the company has “not seen electronic medical record databases appear in the data during the analysis.”

Recommended by Our Editors

Thousands of Scam FIFA Sites Emerge To Target World Cup Fans
Thousands of Scam FIFA Sites Emerge To Target World Cup Fans
From Pentagon Concerns to Street-Level Phone Theft: Digital Tracking Is Everyone's Problem Now
From Pentagon Concerns to Street-Level Phone Theft: Digital Tracking Is Everyone's Problem Now
Microsoft Threatens Researcher Over Bug Reports, Triggers Cybersecurity Uproar
Microsoft Threatens Researcher Over Bug Reports, Triggers Cybersecurity Uproar

Personal data captured in ransomware attacks—a type of cyberattack in which criminals encrypt a company's data and demand payment to unlock it—is often sold on online black markets and used for identity theft, scam calls, and phishing emails.

The hack is thought to have been carried out by the Russian-speaking AlphV/BlackCat ransomware group, which used a loophole in remote-access Citrix software to gain access to the company's systems and lock up its data for ransom. The attack is expected to cost UnitedHealth from $2.3 billion to $2.5 billion. It made at least one ransomware payment of roughly $22 million.

In December, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) recommended that healthcare providers implement multi-factor authentication, encrypt patient data to safeguard it in case of a data breach, and undergo compliance checks to ensure their networks meet cybersecurity rules. It's unclear if the Trump administration will pursue this.

Profits at UnitedHealth fell by more than a third in 2024, dropping from roughly $22.3 billion in 2023 to about $14.4 billion.

About Our Expert

Will McCurdy

Will McCurdy

Contributor

I’m a reporter covering weekend news. Before joining PCMag in 2024, I picked up bylines in BBC News, The Guardian, The Times of London, The Daily Beast, Vice, Slate, Fast Company, The Evening Standard, The i, TechRadar, and Decrypt Media.

I’ve been a PC gamer since you had to install games from multiple CD-ROMs by hand. As a reporter, I’m passionate about the intersection of tech and human lives. I’ve covered everything from crypto scandals to the art world, as well as conspiracy theories, UK politics, and Russia and foreign affairs.

Read the latest from Will McCurdy

Read full bio