Victims of Change Healthcare Ransomware Attack Increased to 192.7 Million People

Change Healthcare stated that the number of people impacted by its February 2024 ransomware attack is slightly higher than the 190 million individuals it had earlier estimated. The most recent estimate is roughly 192.7 million people. That number may be greater than the real number of impacted people: although Change Healthcare tried to deduplicate people, it could not do so completely because of differences in the spelling of names and other variables.

Change Healthcare discovered the ransomware attack on February 21, 2024, and confirmed on March 7, 2024, that information had been exfiltrated from its systems. Based on the forensic investigation, a threat actor accessed its systems between February 17, 2024, and February 20, 2024, by exploiting a vulnerable Citrix remote access service that did not use multi-factor authentication.

The ransomware group responsible for the attack was BlackCat/ALPHV. Change Healthcare, through Optum, paid a ransom totalling $22 million to have the stolen information, especially PHI, deleted. The ransomware group then scammed its affiliate by shutting down the operation without paying the affiliate. The affiliate kept a copy of the stolen information and gave it to the RansomHub ransomware group, which also attempted extortion but did not receive any payment.

Change Healthcare at first submitted the data breach report to the HHS’s Office for Civil Rights with 500 impacted people. Later, the provider changed the estimate to 100 million, then 190 million. The OCR breach portal currently lists the data breach with 190 million affected individuals. However, Change Healthcare wrote a letter to the New Hampshire Attorney General stating that as of July 31, 2025, there were 192.7 million affected individuals, including about 1.3 million people whom covered entities chose to report separately.

Change Healthcare stated that it is sending notification letters to the affected individuals on a rolling basis after conducting data analysis. The most recent notification put the number of affected New Hampshire residents at 655,282 individuals.

Although Change Healthcare started sending breach notification letters on behalf of the impacted covered entities, certain people were not notified by mail, since not all address details are available. In New Hampshire, 0.19% of the individuals affected by the breach did not get mail notifications. If the same percentage of people across the United States did not receive individual notifications, that would be 366,130 individuals.

Change Healthcare also mentioned that, as a healthcare clearinghouse, it doesn’t always get the name of the covered entity and therefore cannot always identify the data owner. To be able to notify those individuals, Change Healthcare sent notification letters from an "Unidentified Covered Entity." There were 188,183 New Hampshire residents with known addresses. Assuming the same percentage of people across the United States were not attributed to a specific covered entity, that would be roughly 55.3 million individuals.

Elizabeth Hernandez
