UHG Confirms Final Count in Change Healthcare Breach: 192.7 Mn Affected

The final number comes as UHG closes out its investigation and response efforts following the February 2024 ransomware attack.

UnitedHealth Group (UHG) has confirmed that 192.7 million individuals were affected in the Change Healthcare data breach, nearly doubling its initial estimates from December 2024.

The final number comes as UHG closes out its investigation and response efforts following the February 2024 ransomware attack.

In a July 31 letter, UHG said it had completed its data review and mailed written notifications to affected individuals.

Notification process now complete

“Change Healthcare has been mailing written letters on a rolling basis to potentially impacted data owners for whom Change Healthcare has sufficient address information,” UHG stated. “This notification process is now complete.”

The company said it faced challenges in identifying all affected parties. “Change Healthcare and its vendors have made reasonable best efforts to deduplicate individuals included in the numbers being provided today. However, despite those efforts, complete deduplication was not feasible,” the letter said.

Approximately 1.3 million individuals were tied to healthcare organizations that chose to handle their own breach notifications. According to the letter, about 1,252 of those individuals reside in New Hampshire.

Change Healthcare updated its HIPAA notice online the same day, confirming that the incident call center—opened on June 20, 2024—will close on August 26, 2025. That marks the final date for affected individuals to enroll in complimentary credit monitoring and identity protection services offered by UHG.

Background and breach response

The breach, caused by the BlackCat ransomware group, disrupted care delivery and claim processing across the U.S. for months. Change Healthcare processes roughly 15 billion claim transactions annually, serving a wide network of providers and pharmacies.

Earlier updates from UHG to various states, including New Hampshire, tracked the progress of patient notifications, especially for clients who delegated notification responsibilities to Change.

The infiltration occurred through Change’s outdated systems, which lacked multifactor authentication, according to testimony from former UHG CEO Andrew Witty. He had also disclosed the payment of a $22 million ransom and outlined plans for cloud-based security upgrades.

Stay tuned for more such updates on Digital Health News