
The February 2024 ransomware attack on Change Healthcare represents the largest healthcare data breach in United States history, ultimately affecting approximately 192.7 million individuals across the nation. This unprecedented incident revealed critical vulnerabilities across America’s healthcare infrastructure, extending its devastating impact far beyond individual patients to encompass healthcare providers, financial institutions, government agencies, and vulnerable populations including rural communities, military personnel, and government employees with security clearances. The breach’s reach touched roughly one-third of the entire population of the United States, compromising sensitive personal health information, financial records, and identity documents of millions of Americans who had direct or indirect connections to Change Healthcare’s extensive network of healthcare providers, insurers, pharmacies, and claims processors.
The Evolution of Impact Assessment and Victim Count Estimation
Initial Reporting and Evolving Estimates
The understanding of who was affected by the Change Healthcare breach evolved dramatically over the months following the February 21, 2024 incident, demonstrating the complexity of assessing the true scope of such a massive breach. When Change Healthcare initially reported the ransomware attack to the Department of Health and Human Services Office for Civil Rights on July 19, 2024, the company submitted a placeholder figure of just 500 affected individuals. This grossly inaccurate initial estimate reflected the ongoing nature of the investigation and the company’s inability to immediately determine the full extent of the data exfiltration. By October 24, 2024, nearly eight months after the attack occurred, Change Healthcare confirmed that approximately 100 million individuals had been affected by the breach, which represented almost one-third of the population of the United States.
This preliminary figure of 100 million individuals was itself revised upward in January 2025, when UnitedHealth Group acknowledged that the actual number approached 190 million individuals affected. The final determination came on July 31, 2025, when Change Healthcare notified the Office for Civil Rights that 192.7 million individuals had been impacted by the breach, with this figure representing the company’s last comprehensive count after extensive data review and analysis. The repeated revisions to the victim count illustrate the extraordinary challenge of conducting a thorough investigation of a dataset of this magnitude, particularly given that Change Healthcare processes billions of transactions annually across numerous healthcare organizations with varying levels of data integration.
Challenges in Deduplication and Final Count Accuracy
Change Healthcare noted that the final figure of 192.7 million individuals may be slightly higher than the actual number of affected individuals because the company was unable to fully deduplicate the records despite extensive efforts. Variations in name spellings, address formats, and other identifying information made it impossible to completely eliminate duplicate entries from the dataset, which meant some individuals may have been counted multiple times in the final tally. Additionally, the company identified approximately 1.3 million individuals whose notifications came solely from entities that chose to issue their own notifications rather than delegating that responsibility to Change Healthcare. Of the 192.7 million affected individuals, over 55.3 million could not be definitively linked to a specific healthcare provider and therefore received generic notification letters rather than provider-specific communications.
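The deduplication problem described above can be shown on a small scale. The following is an added example, not Change Healthcare's process or code: the sample rows are constructed, and the field choice, abbreviation table, DOB-plus-ZIP blocking key, and 0.85 similarity threshold are all assumptions. It compares exact-match, normalized, and fuzzy counts for six rows that describe three people.

```python
import re
from difflib import SequenceMatcher

# Constructed sample rows (name, date of birth, mailing address). Not real data.
# Ground truth: rows 0-2 are one person, rows 3-4 are one person, row 5 is a third.
RECORDS = [
    ("Katherine O'Neil",  "1980-03-14", "12 Main Street, Apt 4, Concord, NH 03301"),
    ("O'NEIL, KATHERINE", "1980-03-14", "12 Main St. #4, Concord NH 03301"),
    ("Kathrine ONeil",    "1980-03-14", "12 Main St Apt 4 Concord NH 03301"),
    ("Robert Alvarez",    "1975-11-02", "800 Elm Avenue, Omaha, NE 68102"),
    ("Bob Alvarez",       "1975-11-02", "PO Box 91, Omaha, NE 68101"),
    ("Maria Chen",        "1992-07-30", "5 Oak Road, Lincoln, NE 68508"),
]

# Assumed, deliberately small abbreviation table for address tokens.
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt", "unit": "apt"}


def norm_name(name):
    """Lowercase, drop punctuation, sort tokens so 'Last, First' equals 'First Last'."""
    tokens = re.sub(r"[^a-z\s]", "", name.lower()).split()
    return " ".join(sorted(tokens))


def norm_address(addr):
    """Lowercase, treat '#' as 'apt', drop punctuation, apply the abbreviation table."""
    text = addr.lower().replace("#", " apt ")
    tokens = re.sub(r"[^a-z0-9\s]", " ", text).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)


def zip_code(addr):
    """Return the last 5-digit group in the address, or '' if none is present."""
    found = re.findall(r"\b\d{5}\b", addr)
    return found[-1] if found else ""


def exact_count(records):
    """Distinct rows when every field must match byte for byte."""
    return len(set(records))


def normalized_count(records):
    """Distinct rows after name and address normalization."""
    return len({(norm_name(n), dob, norm_address(a)) for n, dob, a in records})


def fuzzy_clusters(records, threshold=0.85):
    """Merge rows that share (DOB, ZIP) and whose normalized names are similar."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path compression
            i = parent[i]
        return i

    # Blocking: only rows with the same DOB and ZIP are ever compared.
    blocks = {}
    for idx, (_name, dob, addr) in enumerate(records):
        blocks.setdefault((dob, zip_code(addr)), []).append(idx)

    for members in blocks.values():
        for pos, i in enumerate(members):
            for j in members[pos + 1:]:
                a, b = norm_name(records[i][0]), norm_name(records[j][0])
                if SequenceMatcher(None, a, b).ratio() >= threshold:
                    parent[find(j)] = find(i)

    clusters = {}
    for idx in range(len(records)):
        clusters.setdefault(find(idx), []).append(idx)
    return sorted(clusters.values())


if __name__ == "__main__":
    print("exact-match count:", exact_count(RECORDS))
    print("normalized count: ", normalized_count(RECORDS))
    print("fuzzy clusters:   ", fuzzy_clusters(RECORDS))
```

Normalization and fuzzy matching collapse the three "Katherine" rows into one, but the nickname plus a changed mailing address leaves "Robert" and "Bob" as two people, so the tally ends at four for three individuals. Loosening the threshold or the blocking key to catch that pair raises the opposite risk of merging distinct people who share a surname and birth date.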
Patient and Consumer Populations Directly Affected
The Broader Population Impact
The fundamental question of who was affected by the Change Healthcare breach extends well beyond those who had direct business relationships with the company. Because Change Healthcare functioned as the largest healthcare clearinghouse in the United States, processing approximately 15 billion medical claims annually and touching approximately one in every three patient records in the country, the breach potentially affected individuals who had never directly interacted with Change Healthcare and in many cases were unaware the company even held their information. Patients who received healthcare services from virtually any hospital, physician practice, pharmacy, or health insurance plan in the country could have had their personal health information compromised, regardless of whether their healthcare provider or insurer used Change Healthcare’s services or whether they were even aware that Change Healthcare was involved in processing their claims.
The types of data compromised included the most sensitive categories of personal information, making the affected population uniquely vulnerable to identity theft, fraud, and exploitation. The stolen data included Social Security numbers, driver’s license or state ID numbers, dates of birth, contact information, medical record numbers, diagnosis codes, treatment information, test results, and medical images. The breach also exposed billing records containing payment card information, financial and banking records, health insurance information including member identification numbers, and government payor identification numbers such as Medicare and Medicaid identifiers. This comprehensive collection of sensitive identifiers and health information represented everything needed for both identity theft and medical fraud.
Individuals Without Direct Healthcare Relationships
Compounding the scope of affected individuals was the fact that approximately 55.3 million people affected by the breach could not be definitively linked to a specific covered entity that was responsible for notifying them. These individuals received notification letters attributing their exposure to an “Unidentified Covered Entity,” meaning Change Healthcare’s records did not contain sufficient information to identify which healthcare provider, insurer, or other covered entity should bear responsibility for providing them with detailed breach notifications. In states like New Hampshire, this situation resulted in 188,183 individuals receiving generic notifications rather than provider-specific information, suggesting that nationwide, millions of Americans learned their health information had been compromised without being able to determine which specific healthcare organization had lost their data or which providers they should contact for additional information.
Patients Unable to Receive Any Notification
The notification challenges extended even further, with Change Healthcare acknowledging that it may not have held sufficient mailing addresses for all potentially impacted individuals. This meant that some affected individuals were never notified by mail that their personal health information had been compromised, leaving them completely unaware of the breach and unable to take protective measures such as placing fraud alerts on their credit files or monitoring their accounts for suspicious activity. The company stated on its updated notice that “we may not have sufficient addresses for all potentially impacted individuals,” effectively acknowledging that an unknown number of affected Americans would never learn of the breach at all. This situation created a two-tier system of protection where some affected individuals received timely notification and could take protective action, while others remained entirely unaware of the compromise.
Healthcare Provider and Health System Impacts
Hospitals and Health Systems
The Change Healthcare breach affected healthcare providers across every segment of the industry, with impacts varying based on factors such as cash reserves, vendor redundancy, and reliance on Change Healthcare’s services. A survey by the American Hospital Association revealed that the scope of provider impact was nearly universal, with 94 percent of hospitals reporting that the attack impacted them financially and 74 percent reporting direct patient care impacts. More alarmingly, 33 percent of survey respondents reported that the attack disrupted more than half of their revenue, while 60 percent reported requiring two weeks to three months to resume normal operations once Change Healthcare’s full functionality was re-established.
The attack disrupted critical operational functions that hospitals and health systems depend upon daily. Hospitals reported being unable to verify insurance coverage for incoming patients, which prevented them from understanding patients’ eligibility and ability to pay before providing care. Similarly, hospitals experienced profound difficulties in filing prior authorization requests with insurance companies, which in many cases prevented patients from receiving medically necessary care that required pre-approval. Most critically for hospital financial viability, providers reported severe disruptions in receiving payment for services already rendered, creating massive cash flow crises. During the height of the crisis, estimates suggested that the healthcare system was losing over $100 million daily due to the inability to process and submit claims, the inability to verify coverage, and the inability to receive payments for services already delivered.
Physician Practices and Smaller Providers
Smaller provider organizations bore a disproportionate burden from the Change Healthcare outage. The American Medical Association conducted surveys revealing that physician practices, particularly small practices with ten or fewer physicians, experienced devastation that threatened their viability as ongoing businesses. Among surveyed practices, 80 percent reported losing revenue from unpaid claims, 85 percent had to commit additional staff time and resources to complete revenue cycle tasks manually, and 78 percent lost revenue from claims they were unable to submit. Additionally, 36 percent of responding practices reported suspension of claim payments, 32 percent were unable to submit claims at all, and 22 percent were unable to verify patient eligibility for benefits.
The financial consequences for small practices were severe enough to threaten closure. The American Medical Association warned that “practices will close because of this incident, and patients will lose access to their physicians” and that the combination of “compounding Medicare cuts and inability to process claims as a result of this attack is devastating to physician practices that are already struggling to keep their doors open.” Notably, 55 percent of physicians nationwide used their personal funds to cover practice expenses during the outage, putting their own finances at risk to maintain operations and ensure patients could continue receiving care. Rural practices and those serving underserved communities faced particularly acute challenges, as these organizations typically operated with even tighter margins and fewer financial reserves than larger urban practices.
Pharmacies and Prescription Processing
Pharmacies and prescription processors were severely disrupted by the Change Healthcare breach. The attack prevented pharmacies from processing insurance claims for prescription medications, leaving pharmacists unable to determine whether prescriptions would be covered by patients’ insurance plans. Patients who needed medications to manage chronic conditions or acute illnesses found themselves unable to access prescriptions without paying out-of-pocket costs, sometimes for medications that their insurance would have covered under normal circumstances. The military pharmacy system initially experienced significant disruptions, though military pharmacies eventually returned to normal operations after implementing workarounds. Retail pharmacies across the country similarly struggled to maintain operations and ensure patients could access needed medications.
Laboratory and Diagnostic Service Providers
Laboratories and diagnostic service providers relying on Change Healthcare’s systems experienced significant operational and financial impacts. These facilities were unable to transmit test results electronically to referring physicians and hospitals, requiring manual processes that significantly slowed the delivery of critical diagnostic information. The outage disrupted the entire workflow of diagnostic medicine, preventing patients from obtaining necessary test results in a timely manner and delaying clinical decision-making for their healthcare providers. Like other healthcare providers, laboratories faced substantial revenue delays and administrative burden as they worked to process claims through alternative channels.
Vulnerable and Special Populations
Rural Healthcare Communities
Rural healthcare communities were among those most devastated by the Change Healthcare attack. Rural hospitals, critical access hospitals, and rural physician practices were forced to absorb significant financial pain through major cash flow crises, with some experiencing delayed services to patients. Nebraska’s Attorney General specifically noted that rural healthcare providers in the state had “unfairly been forced to absorb financial pain, forcing major cash flow issues and, in some cases, delayed services.” Rural communities already faced challenges with healthcare access due to limited provider availability and resources, and the Change Healthcare outage exacerbated these challenges by threatening the viability of rural providers already operating on thin margins. In some cases, the financial pressure from the outage contributed to rural providers ceasing operations or selling their businesses to more financially stable operators.
Underserved Populations and Community Health Centers
The American Medical Association expressed particular concern about the impact on physician practices serving underserved populations, as these organizations often operated with limited liquidity and were especially vulnerable to disruption in revenue. Community health centers serving low-income and vulnerable patient populations faced the same operational disruptions as other providers, but often with fewer resources to implement workarounds or absorb the financial losses. These centers typically serve populations with complex medical needs and limited financial resources themselves, meaning that delays in care and the need for out-of-pocket payments due to insurance verification failures created additional hardship for already vulnerable patients.

Government Employees with Security Clearances
The Change Healthcare breach raised national security concerns due to the potential compromise of information belonging to government employees with security clearances. Congressional questioning of UnitedHealth Group CEO Andrew Witty specifically probed the question of how many government employees with security clearances had their information compromised in the breach. Such compromise could potentially expose these individuals to blackmail, extortion, or exploitation by foreign governments or other malicious actors who might use access to sensitive medical and financial information as leverage against these individuals or the agencies they served. While the exact number of government employees with clearances affected remained unclear, the potential national security implications of healthcare data compromise added another critical dimension to the question of who was affected by the breach.
Military Personnel and Veterans
Military personnel and their families potentially had their information compromised in the Change Healthcare breach. The ransomware group BlackCat explicitly claimed to have stolen information on active military personnel, suggesting that the breach affected members of the armed forces and potentially their dependents. The Veterans Affairs system confirmed that it remained an open question whether veteran data was compromised, and while the VA stated it had no confirmation that veteran data was included in the breach, the possibility remained real given Change Healthcare’s role in processing healthcare claims for various government agencies.
Mental Health and Sensitive Information Exposure
Commentators and cybersecurity experts noted that the breach of protected health information posed unique risks to individuals whose medical conditions themselves could be sensitive or stigmatizing. The exposure of diagnosis codes and medical history meant that individuals receiving mental health treatment, treatment for substance use disorders, or treatment for sensitive conditions could have that information compromised. Critics noted the “chilling effect” this breach could have on people’s willingness to seek mental health counseling or therapy, fearing that the healthcare system could not adequately protect their sensitive information about mental health conditions. The potential for medical records to be used for extortion or blackmail created an additional layer of harm beyond simple identity theft.
Geographic Distribution and State-Specific Impact
New Hampshire
New Hampshire residents were identified as having particularly significant exposure to the Change Healthcare breach. The state identified 655,282 residents as impacted by the breach, though many did not receive notifications due to incomplete address information. In some cases, New Hampshire residents were among the 55.3 million nationally who received generic notification letters from an “Unidentified Covered Entity,” leaving them uncertain about which healthcare providers or insurers had lost their information.
Nebraska
Nebraska became the first state to file a lawsuit against Change Healthcare, UnitedHealth Group, and Optum over the breach and its consequences. Nebraska’s Attorney General alleged that at least 575,000 Nebraska residents had their personal and protected health information stolen from Change Healthcare, with potentially up to one million state residents affected. The lawsuit alleged that these residents had been subjected to unnecessary risk of identity theft and fraud due to the company’s cybersecurity failures and delayed notification processes.
Nationwide Distribution
The breach affected individuals across all fifty states. States including California, Massachusetts, Nebraska, and New Hampshire took independent action to notify their residents about the breach and urge them to remain alert to identity theft and fraud, reflecting the nationwide scope of the compromise. The universal nature of the breach meant that affected individuals lived in urban centers, suburban communities, rural areas, and every geographic location across the United States.
Types of Data Compromised for Affected Individuals
Health Information
The breach exposed comprehensive health information across multiple dimensions. Affected individuals had the following health data compromised: medical record numbers, names of their treating physicians and healthcare providers, diagnoses they had received, medications they were taking, test results and laboratory values, medical images such as X-rays and MRI scans, and detailed records of their medical care and treatment. This information represented the most sensitive dimensions of individuals’ personal health histories and could be used to make healthcare determinations, deny insurance coverage, or facilitate medical fraud.
Personal Identifying Information
Beyond health information, the breach exposed complete sets of personal identifying information suitable for identity theft. Compromised personal data included Social Security numbers, driver’s license or state ID numbers, dates of birth, full names, contact information including addresses and phone numbers, and email addresses. This collection of identifiers represented all the information typically needed to open fraudulent accounts, obtain credit in someone else’s name, or commit other identity theft offenses.
Insurance and Payment Information
Affected individuals also had their insurance and payment information compromised. The breach exposed health insurance information including names of health plans, types of insurance coverage, names of insurance companies, member ID numbers, group ID numbers, and government payor identification numbers for Medicare and Medicaid beneficiaries. Additionally, billing and payment records were compromised, including payment card information, financial and banking records, claim numbers, billing details, bank account information, and other banking and financial data. This combination of insurance and financial information could facilitate both healthcare fraud and financial fraud.
Government Identifiers
The breach exposed various government identifiers beyond Social Security numbers, including driver’s license or state ID numbers and potentially passport numbers. In the cases where government employees with security clearances were affected, their government identifiers and security clearance status information could have been compromised, raising national security concerns.
Impact on Patient Access to Care
Delays in Medical Authorization and Treatment Approval
Patients throughout the country experienced delays in receiving medically necessary treatment due to the Change Healthcare outage’s disruption of prior authorization systems. Healthcare providers were unable to submit prior authorization requests to insurance companies through Change Healthcare’s systems, and many payers had no backup systems to process these requests. This meant patients waiting for potentially time-sensitive medical procedures, surgeries, or treatments experienced delays in obtaining the insurance approvals needed before their providers could proceed. For patients with emerging medical conditions or those requiring urgent care, these delays translated into potential health risks.
Out-of-Pocket Medication Costs for Patients
Patients faced unexpected out-of-pocket medication costs during the crisis, as pharmacies were unable to verify insurance coverage for prescriptions. Patients who expected their medications to be covered by insurance found themselves forced to pay full prices for necessary medications, creating financial hardship during a period when they were dealing with healthcare needs. This situation was particularly acute for patients on multiple medications or those with chronic conditions requiring expensive prescriptions. Some patients delayed or skipped doses of medications due to the inability to access them at affordable prices.

Delayed Preventive and Routine Care
The broader disruption to healthcare operations due to the Change Healthcare outage resulted in delayed preventive care, routine checkups, and non-urgent medical services. Patients who sought to schedule appointments often found they could not verify insurance coverage or determine whether their insurance would cover the services they needed. Some healthcare facilities limited new patient appointments during the crisis, affecting patients’ ability to establish care with new providers or seek second opinions. The American Hospital Association survey found that 74 percent of hospitals reported direct patient care impacts, including delays in authorizations for medically necessary care.
Financial Impact on Affected Healthcare Providers
Direct Financial Losses from Unpaid Claims
The healthcare providers affected by the Change Healthcare outage experienced massive direct financial losses from the inability to process and receive payment for services. According to the American Medical Association surveys, 80 percent of physician practices lost revenue from unpaid claims during and immediately after the outage. The disruption lasted for weeks in most cases and months in some, leaving providers unable to collect payment for services rendered to patients covered by insurance that was supposed to pay for those services. Hospitals that previously received substantial portions of their revenue through Change Healthcare’s claims processing systems saw their cash flow evaporate.
Revenue from Unable-to-Submit Claims
Beyond the payment delays, many providers experienced losses from claims they simply could not submit during the outage. Seventy-eight percent of surveyed physician practices reported losing revenue from claims they were unable to submit at all during the period when Change Healthcare systems were offline. The inability to submit claims meant the revenue cycle process could not even begin for services provided during the outage period. For providers already operating on thin margins, this represented unrecoverable lost revenue that threatened their financial viability.
Administrative Costs from Manual Processes
The healthcare providers affected by the outage incurred substantial administrative costs from the need to implement manual processes to replace the disrupted electronic systems. Eighty-five percent of surveyed physician practices reported having to commit additional staff time and resources to complete revenue cycle tasks manually. This meant hiring temporary staff, paying overtime to existing employees, or reassigning employees from other duties to handle manual claims processing, eligibility verification, and payment reconciliation. These added administrative costs compounded the financial impact of lost or delayed revenue.
Impact of Advance Payment Loans and Repayment Terms
UnitedHealth Group and other payers provided advance payment programs to help providers bridge their cash flow gaps during the outage, but these programs created their own financial complications. UnitedHealth Group provided approximately $9 billion in no-interest loans and advance payments to affected healthcare providers, helping some providers continue operations. However, many providers reported that these advance payments proved insufficient to cover their actual expenses, and some providers complained about the stringent repayment terms imposed for these advance payments. More problematic for many providers was that UnitedHealth Group later took an aggressive approach to recovering outstanding balances on loans issued to healthcare providers affected by the February 2024 cyberattack, with some practices reporting that claims payments were withheld to recover loan balances, effectively creating a new financial burden just when providers were beginning to recover.
The Ransomware Situation and Secondary Extortion Attempts
Initial Ransom Payment Failure
The BlackCat ransomware group behind the attack initially demanded ransom in exchange for preventing the release of the stolen data. UnitedHealth Group CEO Andrew Witty admitted to Congress that the company paid $22 million in bitcoin to the attackers in an attempt to ensure the deletion of the stolen data and prevent its public release. However, despite making this substantial payment, the stolen data was never reliably secured. The BlackCat ransomware group later conducted an exit scam, shutting down its operation without paying its affiliate who had conducted the actual attack. The affiliated attacker retained copies of the stolen data, effectively ensuring that the $22 million ransom did not accomplish its intended goal of securing the data.
Secondary Extortion by RansomHub
Adding to the threat to affected individuals, a competing ransomware group called RansomHub subsequently acquired the stolen Change Healthcare data from a BlackCat affiliate and began attempting to extort additional ransom payments. RansomHub issued demands stating it possessed sensitive data stolen from Change Healthcare and attempted to extort payment to prevent public release of the data and potential sale to the highest bidder. RansomHub’s victim-shaming blog announced: “Affected insurance providers can contact us to prevent leaking of their own data and [remove it] from the sale,” claiming that it held patient data that could be sold. It remains unclear whether RansomHub ever actually sold the stolen healthcare data, but the threat of additional data release added to the anguish of affected individuals.
Ongoing Data Exposure Risks
Even after the RansomHub extortion attempts, the stolen healthcare data remained in the hands of cybercriminals. The Federal Bureau of Investigation reportedly identified that a third-party partner managed to recover at least four terabytes of data that was exfiltrated from Change Healthcare by the cybercriminal group. This recovered data remained accessible to potentially multiple threat actors, each of whom could threaten to release it or attempt to monetize it through sale or further extortion. The lack of any guarantee that additional data releases would not occur meant that affected individuals remained vulnerable indefinitely, unable to definitively secure or “recover” the compromised data despite the ransom payment.
Notification and Disclosure Challenges for Affected Individuals
Delayed Notification Process
The notification of affected individuals was substantially delayed compared to many data breaches. Change Healthcare did not begin notifying affected providers about the breach until June 20, 2024, four months after the ransomware attack was detected on February 21, 2024. Individual notifications to affected consumers did not begin until late July 2024, more than five months after the attack. This lengthy delay meant that affected individuals remained unaware of the compromise for extended periods, unable to take protective measures such as placing fraud alerts on their credit files, freezing their credit, or monitoring their accounts for suspicious activity.
Incomplete Notification Addresses
The notification process was hindered by incomplete address information held by Change Healthcare. The company acknowledged that it did not have sufficient mailing addresses for all potentially impacted individuals. This meant that some affected individuals were never notified by any means about the compromise of their personal health information. These individuals had no opportunity to learn about the breach through direct notification and could only potentially discover the breach through media coverage or third-party notice from state regulatory agencies.
Provider-Specific versus Generic Notifications
Adding to the confusion created by the notification process, approximately 55.3 million affected individuals received generic notification letters from Change Healthcare attributing their exposure to an “Unidentified Covered Entity” rather than a specific healthcare provider. These individuals could not determine which healthcare organization had lost their information or which providers they should contact for additional information about the breach. In contrast, other affected individuals received provider-specific notifications that at least identified which healthcare organization’s records had been compromised.
The Enduring Aftermath and Those Bearing the Brunt
The Change Healthcare data breach affected an extraordinarily broad range of individuals and organizations across the United States healthcare system. At its core, the breach compromised the personal health information and sensitive financial data of approximately 192.7 million individuals, representing roughly one-third of the United States population. This figure encompasses not just those who sought healthcare intentionally but millions who were included in healthcare claims processing through no direct action of their own, as Change Healthcare processed claims for virtually every segment of the healthcare industry regardless of whether individuals were even aware the company handled their information.
The affected population included patients who received healthcare services from any hospital, physician practice, pharmacy, or health insurance plan in the country. It included vulnerable populations in rural communities already struggling with healthcare access, individuals receiving mental health or other sensitive treatments, government employees with security clearances whose information could be weaponized against them, military personnel, Medicare and Medicaid beneficiaries, and virtually every demographic group across the nation. The breach exposed the most sensitive categories of personal information including complete sets of identifying information suitable for identity theft, comprehensive health histories that could be used for medical fraud or blackmail, financial information and payment card details, and government identifiers that could threaten national security.
Beyond the individuals whose personal data was compromised, the breach devastated the healthcare providers who delivered care to those individuals. Hospitals, physician practices, pharmacies, laboratories, and other healthcare organizations across the country experienced months of operational disruption, with 94 percent of hospitals reporting financial impact and many practices facing closure due to cash flow crises. Patients experienced delayed care, medication access challenges, and out-of-pocket expenses they had not anticipated. Rural communities and underserved populations bore disproportionate burdens. The ransomware payment failure and subsequent secondary extortion attempts ensured that the compromise of data remained an ongoing threat, with affected individuals unable to recover or definitively secure the information that had been stolen.
Understanding who was affected by the Change Healthcare breach requires recognizing both the scale of the impact—affecting roughly one-third of Americans—and the depth of harm experienced by each category of affected parties, from individual consumers to healthcare providers to the broader healthcare system infrastructure upon which the nation depends.