All of our content is written by humans, not robots. Learn More

Change Healthcare Data Breach: What Happened, Who Did It, and What to Do

Affecting over 190 million people, the Change Healthcare data breach is the largest in the healthcare industry.

Last Updated Mar 31, 2026
By Gene Petrino Mar 31, 2026

Most Americans had never heard of Change Healthcare before February 2024. That changed quickly. The company, a subsidiary of UnitedHealth Group, processes roughly 15 billion healthcare transactions every year. Its systems touch one in every three patient records in the United States. When ransomware attackers took it down, the ripple effects spread across the entire U.S. healthcare system within hours.

The breach that followed is now the largest healthcare data breach in U.S. history, affecting an estimated 192.7 million people. Medical records, Social Security numbers, insurance details, diagnoses, and payment information for more than half the American population were exfiltrated. A $22 million ransom was paid. More extortion followed. By the time individual notification letters began arriving in mailboxes, months had already passed.

Here is a full account of what happened, and what people whose data was caught up in it can do now to protect themselves from identity theft.

What Change Healthcare Does and Why This Breach Mattered

Change Healthcare operates as a part of Optum instead of as its own standalone service

Change Healthcare is a healthcare clearinghouse that sits in the middle of the U.S. medical billing and payment system. Hospitals, physician practices, pharmacies, and insurers use it to verify insurance eligibility, process prior authorizations, submit claims, and route payments. More than 67,000 pharmacies and 129 million patients in the U.S. interact with systems that run through Change Healthcare.[1]

That centrality is precisely what made the attack so damaging. When Change Healthcare went offline, it was not just one company’s systems that were disrupted. It was the underlying plumbing of the healthcare economy. A March 2024 survey by the American Hospital Association found that 74 percent of nearly 1,000 hospitals reported direct patient care impacts, including delays in authorizations for medically necessary care. Ninety-four percent reported financial impact. One third of respondents said the attack disrupted more than half their revenue.[2]

How the Attack Unfolded

Initial Access: A Missing Password Requirement

Attackers affiliated with the ALPHV/BlackCat ransomware group first gained access to Change Healthcare’s network on February 12, 2024.[3] The entry point was a Citrix remote access portal used by employees to log into systems from outside the office. That portal was not protected by multi-factor authentication, a basic security requirement widely considered industry standard.

UnitedHealth Group CEO Andrew Witty confirmed this during congressional testimony, saying the missing MFA was the vulnerability that allowed the attack to succeed. He also acknowledged that Change Healthcare had not updated its internal security procedures following UnitedHealth Group’s acquisition of the company in October 2022, contributing to the gap.[4]

Nine Days Inside the Network

After gaining access, the attackers spent nine days moving laterally through Change Healthcare’s systems before deploying ransomware. During that window, between February 17 and February 20, 2024, they exfiltrated an estimated four to six terabytes of data. On February 21, 2024, Change Healthcare detected the ransomware deployment and immediately began shutting down systems to prevent further spread.

The nine-day delay between initial access and detection reflects what the AHA called a failure of threat detection capabilities. Once the intrusion was confirmed, Change Healthcare contacted law enforcement and brought in leading cybersecurity firms to investigate and restore systems. Core services remained offline for many months while recovery efforts continued.

FYI: Ransomware attacks don’t only target large corporations. Individuals are at risk too. Attacks aimed at individuals can steal your personal data and lock you out of your devices until you pay a ransom. That’s why we recommend using a trusted antivirus on your devices and reading our guide to internet security.

The Ransom Payment and a Second Extortion

On March 1, 2024, Change Healthcare paid a $22 million ransom to ALPHV/BlackCat through its Optum subsidiary, in exchange for a promise that the stolen data would be deleted. Witty testified before Congress that the decision to pay was one of the hardest he had ever made.

The payment did not resolve the situation. ALPHV/BlackCat’s leadership conducted what is known in ransomware circles as an exit scam.[5] They took the ransom money and shut down their operation without paying their own affiliate who had carried out the attack. That affiliate retained a copy of the stolen data and took it to a competing ransomware group, RansomHub, which launched its own extortion campaign against Change Healthcare in April 2024. Patient data began appearing on dark web leak sites despite the $22 million payment.

It remains unclear whether RansomHub ultimately sold or published the full dataset. The FBI and a third-party partner reportedly managed to recover at least four terabytes of the exfiltrated data, though no definitive confirmation of full recovery has been made.

What Was Stolen

Change Healthcare’s final confirmed count of affected individuals stands at 192.7 million. That makes it the largest healthcare data breach ever reported to the U.S. Department of Health and Human Services’ Office for Civil Rights. It is nearly double the previous record, set by the 2015 Anthem breach involving 78.8 million people.

The types of data exposed varied by individual. Change Healthcare confirmed that the following categories of information were part of the stolen dataset:

| Category | Data Types Involved |
| --- | --- |
| Health information | Medical record numbers, provider names, diagnoses, medicines, test results, images, care and treatment records |
| Insurance information | Health plan and policy details, insurance company names, member and group ID numbers, Medicaid/Medicare/government payor IDs |
| Billing and claims information | Claim numbers, account numbers, billing codes, payment balance information |
| Personal identifiers | Names, contact information, dates of birth, Social Security numbers (in some cases), driver’s license and passport numbers (in some cases) |
| Financial information | Payment card numbers, banking information (in some cases) |

Change Healthcare stated that for the majority of affected individuals, Social Security numbers were not impacted, and financial or banking information was not involved except in limited cases. The company also said it had not identified full medical histories or doctors’ chart notes appearing in the reviewed dataset. However, the combination of diagnoses, treatment records, insurance data, and personal identifiers still amounts to a detailed picture of a person’s health and financial life.

The Broader Damage: A Healthcare System in Crisis

The operational disruption caused by the attack extended far beyond data theft. Because Change Healthcare routes eligibility verification, prior authorizations, claims, and payments across the U.S. healthcare system, its outage directly affected the ability of hospitals, clinics, and pharmacies to function. An American Medical Association survey conducted in April 2024 found that 80 percent of physician practices lost revenue from unpaid claims.[6]

Smaller practices and rural hospitals were hit hardest. Some faced the prospect of closure due to the sustained disruption to billing and reimbursement. UnitedHealth Group established emergency funding programs for affected providers, though some later faced aggressive collection action on those bridge loans.

The total financial impact on UnitedHealth Group reached approximately $2.457 billion through the third quarter of 2024. That includes the $22 million ransom payment and hundreds of millions in breach response, restoration, and legal costs.

Lawsuits and Legal Consequences

Change Healthcare powers Optum Rx, a pharmacy benefit in our digital security expert’s health insurance plan

The breach prompted waves of litigation from both patients and healthcare providers. Dozens of putative class actions were filed in multiple jurisdictions, all alleging inadequate security controls, delays in breach notification, and resulting harm to individuals whose sensitive health and personal information was exposed. Those cases have been consolidated into a multidistrict litigation proceeding in the District of Minnesota.[7]

State-level litigation has also proceeded in parallel. Nebraska’s Attorney General filed a lawsuit in December 2024 naming Change Healthcare, UnitedHealth Group, and Optum as defendants, alleging violations of Nebraska’s consumer protection, data privacy, and security laws. That lawsuit survived a motion to dismiss, allowing it to proceed.

In May 2025, the presiding federal judge urged coordination between federal and state courts to streamline the proceedings and support early settlement discussions. As of this writing, no global settlement has been reached, and litigation is ongoing. Given that the Anthem breach in 2015, which affected 78.8 million people, settled for $115 million in 2017, legal experts expect the Change Healthcare settlement, if reached, to be considerably larger.

The Office for Civil Rights at HHS also opened a HIPAA compliance investigation into Change Healthcare and UnitedHealth Group. This focused on whether a reportable breach of protected health information occurred and whether the company complied with HIPAA’s notification requirements.

Did You Know: Most states lack consumer data privacy laws. That means companies can collect and use your data without much concern over breaking the law. However, they still need to protect your data from malicious actors, particularly when operating in regulated industries like healthcare or finance.

What Affected Individuals Should Do

Check Whether You Received a Notification Letter

Change Healthcare began mailing written notification letters to affected individuals in late July 2024, and continued to do so on a rolling basis given the sheer volume of records involved. If you received a letter, your data was confirmed as part of the breach. That said, you may still have been affected even if you didn’t receive a letter. Because Change Healthcare processes data on behalf of many healthcare entities, some notifications were sent without a specific provider name attached. Millions of people also did not receive individualized letters.

Note the Credit Monitoring Enrollment Deadline

Change Healthcare offered two years of free credit monitoring and identity theft protection through IDX to anyone affected by the breach. The deadline to enroll was August 26, 2025. If you enrolled before that deadline, your monitoring services should still be active. You can also still access self-service tools through the UnitedHealth Group breach support page.

Place Credit Freezes at All Three Bureaus

For individuals whose Social Security numbers were included in the breach, a credit freeze at Equifax, Experian, and TransUnion is the most effective protection against new fraudulent accounts being opened in your name. Freezes are free and can be placed online at each bureau’s website. Security researcher Brian Krebs, who has covered the breach extensively, specifically recommended credit freezes for affected individuals given the combination of financial and health data exposed. Just note that credit freezes won’t prevent account takeover fraud using your leaked information.

Monitor for Medical Identity Theft

Request a copy of your medical records from your primary care provider and any specialists you see regularly, and review them for entries you do not recognize. You can also request your insurance claims history from your health plan to look for claims for services you did not receive. Report any discrepancies to your insurer and to your provider immediately. We go into more detail in our guide to preventing medical identity theft.

Consider a Settlement Claim When Proceedings Conclude

The federal MDL proceeding in Minnesota is still working through pretrial proceedings. If a settlement is eventually reached, affected individuals will likely need to file claims to participate. Documenting any concrete harm you have experienced as a result of the breach, including medical identity theft, financial fraud, or time spent dealing with the consequences, will be relevant to any claims process.

Expert Insight: When you accept a settlement, you typically sign a release agreeing not to pursue further claims related to the incident. That usually means you can’t file another lawsuit if you later discover your identity was stolen because of the breach. Even so, accepting the settlement is in most people’s best interest.

Health Data Is Different From Other Kinds of Personal Information

Most data breaches expose information that can be used for financial fraud. The Change Healthcare breach goes further: the stolen dataset includes diagnoses, treatment records, medications, and test results. That kind of information carries risks that have nothing to do with credit cards. It can be used to extort people, manipulate insurance claims, or expose medical histories that individuals have shared only with their doctors.

There is no credit freeze for your medical records. But reducing the amount of personally identifiable information that is freely available online is a practical step that limits how easily criminals can build complete profiles on breach victims. During our tests of Incogni, we found it effectively delivered these results. It automates removal requests to data broker sites that aggregate personal information, shrinking the footprint that criminals can work from when cross-referencing stolen health records with publicly available data.

The Bottom Line

The Change Healthcare breach is a landmark event in the history of data security. It is the largest healthcare data breach ever recorded in the United States, affecting an estimated 192.7 million people. It caused cascading disruption across the U.S. healthcare system for months. It revealed that one of the most critical pieces of healthcare infrastructure in the country was protected by nothing more than a username and password on a remote access portal. The breach also demonstrated, again, that paying a ransomware group does not guarantee the problem goes away.

If you have received any medical care in the United States in the last several years, there is a meaningful probability that your health information passed through Change Healthcare at some point. Reviewing your explanation of benefits statements, monitoring your credit, and staying alert to signs of medical identity theft are the most important steps to minimize your risks due to this breach.

Frequently Asked Questions

  • What is Change Healthcare and why did the breach affect so many people?

    Change Healthcare is a healthcare clearinghouse owned by UnitedHealth Group. It processes approximately 15 billion healthcare transactions per year, handling insurance eligibility checks, prior authorizations, claims submission, and payments on behalf of hospitals, physician practices, pharmacies, and insurers across the country. Because so many healthcare entities route data through Change Healthcare, a breach of its systems exposed records from a vast cross-section of the population. The company’s CEO testified before Congress that its systems touch one in every three patient records in the United States.

  • Who was behind the Change Healthcare ransomware attack?

    The attack was carried out by an affiliate of the ALPHV/BlackCat ransomware group. ALPHV/BlackCat operates as a ransomware-as-a-service, meaning the core group develops the tools and takes a cut of ransoms while independent affiliates conduct individual attacks. After Change Healthcare paid $22 million in ransom, ALPHV/BlackCat’s leadership ran an exit scam, keeping all the money and shutting down their operation without paying the affiliate. That affiliate then partnered with another ransomware group, RansomHub, which attempted a second extortion against Change Healthcare in April 2024.

  • Was my data exposed if I have health insurance or have ever filled a prescription?

    Quite possibly. Because Change Healthcare processes transactions for thousands of providers, pharmacies, and insurers, your health data may have flowed through its systems even if you have never heard of the company. The final count of 192.7 million affected individuals represents more than half the U.S. population. Change Healthcare has said that the information involved varied by individual, and not everyone’s records contained every category of data.

  • Did Change Healthcare pay the ransom?

    Yes. Through its Optum subsidiary, Change Healthcare paid $22 million in Bitcoin to ALPHV/BlackCat on March 1, 2024. The payment did not prevent the data from surfacing. After the ransomware group conducted an internal exit scam, the affiliate who carried out the attack retained a copy of the stolen data and used it to launch a second extortion attempt through RansomHub. Patient data appeared on dark web leak sites despite the ransom payment.

  • What makes medical data more sensitive than financial data in a breach?

    Financial data like credit card numbers can be cancelled and replaced. Medical records cannot. Diagnoses, treatment histories, medications, and test results are permanent parts of a person’s history, and exposure carries risks that extend beyond fraud.

    Stolen health information can be used to file fraudulent insurance claims, obtain prescription medications, or create leverage for extortion by threatening to expose sensitive medical conditions. It can also lead to discrimination in insurance or employment if it reaches the wrong hands. The Change Healthcare breach is particularly serious because it exposed both financial and health data together, giving criminals a more complete profile of affected individuals than most breaches provide.

Citations
  1. The HIPAA Journal. (2025). Nebraska AG’s Lawsuit Against Change Healthcare Survives Motion to Dismiss. https://www.hipaajournal.com/change-healthcare-responding-to-cyberattack/

  2. American Hospital Association. (2024). AHA Survey: Change Healthcare Cyberattack Significantly Disrupts Patient Care, Hospitals’ Finances. https://www.aha.org/2024-03-15-aha-survey-change-healthcare-cyberattack-significantly-disrupts-patient-care-hospitals-finances

  3. Reuters. (2025). Hack at UnitedHealth's tech unit impacted 192.7 million people, US health dept website shows. https://www.reuters.com/business/hack-unitedhealths-tech-unit-impacted-1927-million-people-us-health-dept-website-2025-08-14/

  4. United States Senate Committee on Finance. (2024). Hacking America’s Health Care: Assessing the Change Healthcare Cyber Attack and What’s Next. https://www.finance.senate.gov/hearings/hacking-americas-health-care-assessing-the-change-healthcare-cyber-attack-and-whats-next

  5. Reuters. (2024). ‘Exit scam’ – hackers that hit UnitedHealth pull disappearing act. https://www.reuters.com/technology/cybersecurity/blackcat-ransomware-site-claims-it-was-seized-uk-law-enforcement-denies-being-2024-03-05/

  6. American Medical Association. (2024). Change Healthcare cyberattack impact. https://www.ama-assn.org/system/files/change-healthcare-survey-results.pdf

  7. Reuters. (2024). Lawsuits over Change Healthcare data breach centralized in Minnesota. https://www.reuters.com/legal/litigation/lawsuits-over-change-healthcare-data-breach-centralized-minnesota-2024-06-07/