It’s one of the largest and most disruptive healthcare data breaches in American history. The UnitedHealthcare data breach involves not just one company but a sprawling corporate family under UnitedHealth Group, the largest health insurer in the United States. Two of its subsidiaries suffered major cyberattacks within roughly a year of each other, and the combined reach of those incidents extends to nearly 200 million Americans.
Understanding which company was breached, what was taken, and what it means for you requires a brief orientation to how UnitedHealth Group is structured. This guide covers both the 2024 Change Healthcare ransomware attack and the 2025 Episource breach, explains what data was involved in each, and walks through what affected individuals should do to avoid identity theft.

Understanding UnitedHealth Group and Its Subsidiaries
UnitedHealth Group (UHG) is a publicly traded corporation that operates two major business divisions. One is UnitedHealthcare, which is the health insurance arm and one of the largest insurers in the country. The other is Optum, which delivers healthcare services ranging from pharmacy benefits and direct care to the IT infrastructure that underlies much of the U.S. healthcare system.
Both Change Healthcare and Episource are subsidiaries of Optum. That means they sit under the UnitedHealth Group corporate umbrella but operate separately from UnitedHealthcare, the insurance brand that most members interact with directly. A cyberattack on Change Healthcare or Episource is technically an attack on an Optum subsidiary, not on the insurance company itself. But because those subsidiaries handle data that flows from and to UnitedHealthcare members and their providers, the downstream impact on UnitedHealthcare members has been significant.
Breach One: Change Healthcare (February 2024)
On February 12, 2024, attackers affiliated with the ALPHV/BlackCat ransomware group gained access to Change Healthcare’s systems through a Citrix remote access portal that lacked multi-factor authentication. Change Healthcare is the largest healthcare payment clearinghouse in the United States, processing approximately 15 billion transactions per year and touching one in every three patient records.[1]
The attackers spent nine days moving through the network before deploying ransomware on February 21, 2024, the day the Change Healthcare data breach was detected. That’s also when Change Healthcare started shutting down systems. During that window – February 17 and February 20 – the attackers exfiltrated an estimated 4 to 6 terabytes of data before the encryption began.
UnitedHealth Group’s CEO confirmed that the entry point lacked multi-factor authentication and that Change Healthcare had not updated its internal security procedures following UHG’s acquisition of the company in October 2022. Senator Ron Wyden summarized the failure: “This hack could have been stopped with cybersecurity 101.”[2]
The Ransom and the Double Extortion
On March 1, 2024, UHG paid a $22 million ransom in Bitcoin through its Optum subsidiary in exchange for a promise that the stolen data would be deleted. The payment did not resolve the situation. ALPHV/BlackCat’s leadership conducted an exit scam. They took the ransom money and shut down their operation without paying the affiliate who had actually carried out the attack. That affiliate retained a copy of the stolen data and then partnered with RansomHub to launch a separate extortion campaign against Change Healthcare in April 2024. Patient data began appearing on dark web leak sites despite the $22 million payment.
Who Was Affected and What Was Stolen
Change Healthcare’s final confirmed count stands at 192.7 million people, the largest healthcare data breach ever reported to the U.S. Department of Health and Human Services. That figure represents approximately 57% of the U.S. population in 2024. Individual notifications began going out in late July 2024 and continued on a rolling basis through 2025.
The categories of data exposed varied by individual but included:
| Category | Data Involved |
|---|---|
| Health information | Medical record numbers, providers, diagnoses, medications, test results, images, care and treatment details |
| Insurance information | Health plan and policy details, insurance company names, member/group ID numbers, Medicare/Medicaid IDs |
| Billing and claims | Claim numbers, account numbers, billing codes, balance information |
| Personal identifiers | Names, addresses, dates of birth, phone numbers, email addresses; Social Security numbers and ID numbers in some cases |
| Financial information | Payment card numbers and banking information in limited cases |
Change Healthcare noted that for the majority of people affected, Social Security numbers were not part of the exposed data. However, the combination of diagnoses, treatment records, insurance details, and personal identifiers still constitutes an unusually comprehensive picture of a person’s medical life. The total financial cost to UnitedHealth Group reached approximately $3.1 billion in direct breach response costs through 2024.[3]
Breach Two: Episource (February 2025)

What Happened
Less than a year after the Change Healthcare attack, another UHG subsidiary suffered a major breach. Episource, a medical coding and risk adjustment company acquired by UHG’s Optum subsidiary in 2023, detected unusual activity on its computer network on February 6, 2025. A forensic investigation confirmed that attackers had been inside the system for approximately 10 days, between January 27 and February 6, 2025. One of Episource’s affected clients, Sharp Healthcare, confirmed the incident was caused by ransomware.
Episource shut down its systems upon detection, notified law enforcement, and engaged third-party cybersecurity experts. Individual notification letters began going out on a rolling basis from April 23, 2025. The breach was reported to the California Attorney General in June 2025.
Who Was Affected and What Was Stolen
The HHS Office for Civil Rights breach portal lists 5,418,866 individuals as affected by the Episource breach, making it one of the largest healthcare data breaches of 2025. The stolen data varied by individual but could include names, postal and email addresses, phone numbers, dates of birth, Social Security numbers in some cases, health insurance policy details, Medicare and Medicaid identification numbers, and protected health information, including diagnoses, medications, test results, imaging, and medical record numbers.
Episource had not publicly identified the specific threat actor responsible, and at the time of reporting, had found no evidence of the stolen data being misused. The company offered two years of free credit monitoring and identity theft protection services to affected individuals.
Congressional and Regulatory Response
The Episource breach drew immediate congressional attention given its proximity to the Change Healthcare incident. In August 2025, two U.S. senators wrote to UHG CEO Stephen Hemsley demanding answers about the company’s cybersecurity practices and what remediation steps had been taken following the Change Healthcare attack. They asked whether UHG had implemented stronger due diligence for cybersecurity assessments of companies it acquires.
The HHS Office for Civil Rights, which had already opened an investigation into Change Healthcare, continued to scrutinize UHG’s security practices. Legal and regulatory experts noted that if findings of inadequate risk analysis emerge, UHG could face significant HIPAA enforcement actions on top of the ongoing civil litigation.
Both Incidents at a Glance
| | Change Healthcare (2024) | Episource (2025) |
|---|---|---|
| Subsidiary | Optum / Change Healthcare | Optum / Episource |
| Breach dates | Feb. 12 to Feb. 21, 2024 | Jan. 27 to Feb. 6, 2025 |
| People affected | 192.7 million | 5.4 million |
| Attack type | Ransomware (ALPHV/BlackCat) | Ransomware |
| Entry point | Citrix portal without MFA | Not publicly disclosed |
| Ransom paid | $22 million (Bitcoin) | Not publicly confirmed |
| Litigation | MDL proceeding in D. Minnesota; state AG lawsuits | Congressional inquiry; ongoing |
What Affected Members Should Do
Check Whether You Received a Notification
Change Healthcare began mailing individual notification letters in late July 2024, continuing on a rolling basis. Episource began issuing notifications from April 23, 2025. If you received a letter from either company, your data was confirmed as involved. If you have UnitedHealthcare insurance, or if you have ever received care billed through a healthcare provider, there is a meaningful probability your personally identifiable information passed through Change Healthcare at some point.
Note Key Deadlines for Change Healthcare Services
Change Healthcare offered two years of free credit monitoring and identity theft protection through IDX. The deadline to enroll was August 26, 2025, and the dedicated helpline (1-888-846-4705) also closed on that date. If you enrolled before the deadline, your coverage remains active.
Pro Tip: If you missed the deadline, you should access the UnitedHealth Group breach support page and enroll in independent credit monitoring services.
Activate Episource’s Free Credit Monitoring
If you received a notification from Episource, the company is offering two years of free credit monitoring and identity theft protection services. Contact information for enrolling will be included in your notification letter. Given that Social Security numbers were among the data types exposed in the Episource breach, activating this coverage promptly is worthwhile.
Place Credit Freezes at All Three Bureaus
For anyone whose Social Security number may have been included in either breach, a credit freeze at Equifax, Experian, and TransUnion is the most effective step you can take to prevent new fraudulent accounts from being opened in your name.
FYI: Credit freezes are free and reversible. They do not affect your existing accounts and can be lifted when you need to apply for new credit. We recommend using an identity theft protection service with three-bureau credit monitoring. It can unfreeze your credit from all bureaus in a few clicks.
Watch Your Explanation of Benefits Statements
Health information, including diagnoses, treatments, medications, and provider names, was part of the data exposed in both breaches. Medical identity theft can result in fraudulent claims being filed on your behalf, incorrect entries in your medical record, or benefit limits being exhausted by care you never received. Review your explanation of benefits statements from UnitedHealthcare or any other insurer for any services you do not recognize.
Document Any Harm for Potential Litigation
The Change Healthcare breach litigation is consolidated as a multidistrict proceeding in the District of Minnesota. Settlement discussions have been underway, though no global resolution has been reached. If an eventual settlement is reached, affected individuals will likely need to file claims. Keeping records of any concrete harm, including medical identity theft, credit fraud, time spent on remediation, or professional fees paid to address the breach, will be relevant to any future claims process.

When Your Healthcare Provider Becomes a Data Liability
Most people expect their bank or their email provider to be a target for hackers. Fewer think about the dozens of companies that process their healthcare claims, code their diagnoses, and verify their insurance behind the scenes. UnitedHealth Group’s experience over 2024 and 2025 illustrates how an enormous volume of sensitive health data flows through entities that patients never directly interact with or choose.
The practical implication is that your data may be held by more companies than you realize, and reducing your overall digital footprint is one way to limit downstream exposure when those companies get breached. A service like Incogni targets the data brokers that aggregate personal information from breaches, public records, and commercial sources, submitting removal requests automatically on your behalf. It operates on a different layer from a credit freeze but works alongside one: freezing credit blocks new fraudulent accounts, while removing data from broker databases limits how easily criminals can build profiles using the information that’s already out there.
The Bottom Line
UnitedHealth Group has been at the center of two of the most significant healthcare data breaches in recent American history. The 2024 Change Healthcare ransomware attack, affecting an estimated 192.7 million people, remains the largest healthcare data breach ever recorded. The 2025 Episource breach, affecting 5.4 million more, added to a pattern that has drawn sustained congressional scrutiny and regulatory investigation. Both incidents trace back to fundamental security gaps in companies that UHG acquired but apparently did not fully audit for cybersecurity posture.
If you have UnitedHealthcare insurance, or if you have received medical care at any point in recent years, your information almost certainly passed through one or both of the affected systems. Freezing your credit, reviewing your explanation of benefits statements, and monitoring for any signs of medical or financial identity theft are the most important immediate steps. The Change Healthcare litigation in Minnesota is ongoing, and any settlement outcome will matter for the millions of people whose data was caught up in the breach.
Frequently Asked Questions
Is UnitedHealthcare the same as UnitedHealth Group?
No, though the names are related. UnitedHealth Group (UHG) is the parent corporation. It operates two major divisions: UnitedHealthcare, the health insurance arm that provides coverage to millions of Americans, and Optum, which delivers healthcare services and technology. Change Healthcare and Episource are subsidiaries of Optum, meaning they are several layers removed from UnitedHealthcare itself. However, because those subsidiaries process data that flows to and from UnitedHealthcare members and their providers, the breaches have had direct implications for UnitedHealthcare members.
Did UnitedHealthcare itself get hacked?
UnitedHealthcare, the insurance division, was not directly breached in either the 2024 or 2025 incidents. UHG’s CEO testified before Congress that when the Change Healthcare ransomware was detected, the company moved quickly to isolate the infected systems, which prevented the attack from spreading to Optum, UnitedHealthcare, or UnitedHealth Group corporate systems. However, UnitedHealthcare members’ data, including medical records and insurance information, passed through Change Healthcare as part of normal claim processing, meaning their information was caught up in the breach even though the insurance company itself was not compromised.
How do I know if my data was part of the UnitedHealth Group breaches?
Change Healthcare mailed notification letters to affected individuals beginning in late July 2024. Episource began sending letters from April 23, 2025. If you received a letter from either company or from a healthcare provider that processes through either system, your data was involved. UnitedHealthcare members who have not received a letter can contact UnitedHealthcare member services or visit the UnitedHealth Group breach support page for guidance.
How many people were affected by UnitedHealth Group data breaches?
The Change Healthcare breach affected an estimated 192.7 million people, approximately 57% of the U.S. population in 2024, making it the largest healthcare data breach in U.S. history. The Episource breach in 2025 affected an additional 5,418,866 people. Between the two incidents, the total number of individuals affected under the UnitedHealth Group corporate umbrella exceeds 198 million.
Is there a lawsuit I can join related to the UnitedHealth data breaches?
Yes. Class action lawsuits arising from the Change Healthcare breach have been consolidated into a multidistrict litigation proceeding in the District of Minnesota (In re Change Healthcare, Inc., Customer Data Security Breach Litigation). Settlement discussions are underway, though no resolution has been announced. State attorney general lawsuits, including one from Nebraska that survived a motion to dismiss, are proceeding separately. If a settlement is eventually reached, affected individuals will likely need to file claims to participate, making it important to document any harm you have experienced.
