The largest healthcare data breach in US history
A missing multi-factor authentication on a single server led to the largest healthcare data breach in US history.
There have been 747 HIPAA breach incidents spanning January 3, 2024 through December 31, 2025. That's 286.4 million individual breach notifications in total. If you've used the US healthcare system in recent years, your data has likely been compromised. The Change Healthcare breach alone (a claims clearinghouse handling transactions for thousands of providers) affected the majority of Americans who have health insurance or have visited a doctor.
As required by section 13402(e)(4) of the HITECH Act, HHS must post a list of breaches of unsecured protected health information affecting 500 or more individuals. HHS publishes these breaches on a website known as "The Wall of Shame." The data here comes from this website.
It's likely that some individuals were counted more than once, so from this data it's not possible to know the exact number of distinct people affected. Even if we count only the single largest breach, we still get 192.7 million individuals, or 57.5% of the US population.
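The arithmetic behind the two figures above, as an added worked example that is not part of the original article: summing the "Individuals Affected" column of a breach list in the style of the HHS report gives total notifications (which can count one person several times), while the largest single incident gives a floor on distinct individuals. The CSV rows, the column names and the population figure are constructed assumptions for this example, not the real HHS data.

```python
"""Added example: deriving breach-notification totals and a lower bound on
distinct individuals from an HHS-style breach list. Sample rows are constructed."""
import csv
import io
from datetime import date

# Constructed sample rows in the style of the HHS breach report (not real data).
SAMPLE_CSV = """Name of Covered Entity,State,Individuals Affected,Breach Submission Date,Type of Breach
Example Clearinghouse Inc.,TN,192700000,07/01/2024,Hacking/IT Incident
Example Health Plan,CA,3200000,03/15/2025,Hacking/IT Incident
Example Hospital System,NY,850000,11/02/2023,Hacking/IT Incident
Example Clinic Group,TX,120000,12/31/2025,Unauthorized Access/Disclosure
"""

US_POPULATION = 335_000_000  # assumed value used only for the percentage


def load_breaches(text, start=date(2024, 1, 3), end=date(2025, 12, 31)):
    """Parse CSV text and keep incidents submitted within [start, end]."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        month, day, year = (int(x) for x in row["Breach Submission Date"].split("/"))
        submitted = date(year, month, day)
        if start <= submitted <= end:
            rows.append({
                "entity": row["Name of Covered Entity"],
                "individuals": int(row["Individuals Affected"]),
                "date": submitted,
            })
    return rows


def summarize(rows, population=US_POPULATION):
    """Return incident count, total notifications, and bounds on people affected."""
    total = sum(r["individuals"] for r in rows)
    largest = max(rows, key=lambda r: r["individuals"])
    return {
        "incidents": len(rows),
        "total_notifications": total,
        "largest_entity": largest["entity"],
        "largest_individuals": largest["individuals"],
        # One person can appear in several incidents, but not twice in one
        # incident, so the largest breach alone is a floor on distinct people.
        "lower_bound_pct": round(100 * largest["individuals"] / population, 1),
        # Total notifications cannot exceed the population as a share of people.
        "upper_bound_pct": round(100 * min(total, population) / population, 1),
    }


if __name__ == "__main__":
    print(summarize(load_breaches(SAMPLE_CSV)))
```

The date filter drops the 2023 row, so the summary covers three incidents; the lower bound of 57.5% comes from the largest row alone, matching the reasoning in the text.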
The Change Healthcare Breach Story
On February 12, 2024, attackers associated with the ALPHV/BlackCat ransomware group gained initial access to Change Healthcare's systems (BlackFog). Access was gained through a vulnerable Citrix remote access service, which lacked multi-factor authentication. (HIPAA Journal)
Once inside, they spent nine days moving laterally through the network, exfiltrating data, and preparing for the ransomware deployment (BlackFog). The group managed to exfiltrate up to 6TB of sensitive patient data and deployed ransomware that disrupted healthcare billing and payment operations (I.S. Partners).
Why It Mattered
Change Healthcare isn't a hospital or insurer – it's the plumbing of US healthcare. It annually processes 15 billion health care transactions — touching 1 in every 3 patient records — including insurance eligibility verification and authorization, drug prescriptions, claims transmittals and payment (American Hospital Association).
On Feb. 21, 2024, an attack by the Russian ransomware group ALPHV BlackCat encrypted and incapacitated significant portions of Change Healthcare's functionality (American Hospital Association).
The Fallout
- For healthcare providers - A March 2024 AHA survey of nearly 1,000 hospitals found that 74% reported a direct impact on patient care, including delays in authorizations for medically necessary care; 94% reported that the attack affected them financially; and 33% reported that it disrupted more than half of their revenue (American Hospital Association).
- For patients - The latest estimate now stands at 192.7 million individuals affected – approximately 58% of the US population (HIPAA Journal).
The Root Cause
During a congressional hearing, UnitedHealth Group CEO Andrew Witty admitted that the compromised system lacked multi-factor authentication (MFA), a basic security measure widely considered an industry standard (BlackFog). When asked why, Witty said: "Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition. But for some reason, which we continue to investigate, this particular server did not have MFA on it" (House Committee on Energy and Commerce).
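The control gap described in the testimony is a single remote-access server without MFA. Below is an added example, not code from the article or from UnitedHealth Group, of the two checks a defender would run to catch that: an inventory audit that lists every internet-facing remote-access service without MFA enforced, and a log check that verifies the inventory's claims by flagging successful logins that used only a password. The inventory rows, hostnames and log line format are all constructed for this example.

```python
"""Added example: find internet-facing remote-access services without MFA,
then verify the inventory against gateway authentication logs.
All hosts, users and log lines are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RemoteService:
    hostname: str
    kind: str             # e.g. "citrix-gateway", "vpn", "rdp" (constructed labels)
    internet_facing: bool
    mfa_enforced: bool    # what the inventory claims
    owner: str


# Constructed inventory (hypothetical hosts, not real systems).
INVENTORY = [
    RemoteService("gw-01.example.internal", "citrix-gateway", True, True, "infra"),
    RemoteService("gw-legacy.example.internal", "citrix-gateway", True, False, "unknown"),
    RemoteService("vpn-02.example.internal", "vpn", True, True, "infra"),
    RemoteService("jump-03.example.internal", "rdp", False, False, "ops"),
]

# Constructed gateway auth log lines in a key=value format assumed for this example.
LOG_LINES = """\
2024-02-10T08:01:12Z host=gw-01.example.internal user=alice result=success factors=password,totp
2024-02-10T08:03:45Z host=gw-legacy.example.internal user=bob result=success factors=password
2024-02-10T08:05:02Z host=gw-legacy.example.internal user=carol result=failure factors=password
2024-02-10T08:09:30Z host=vpn-02.example.internal user=dave result=success factors=password,push
2024-02-10T08:11:00Z host=gw-01.example.internal user=erin result=success factors=password
""".splitlines()


def find_mfa_gaps(inventory):
    """Internet-facing services the inventory says have no MFA, worst first.

    Services with no known owner sort first: nobody is on the hook to fix them."""
    gaps = [s for s in inventory if s.internet_facing and not s.mfa_enforced]
    return sorted(gaps, key=lambda s: (s.owner != "unknown", s.hostname))


def parse_auth_line(line):
    """Turn one 'ts key=value ...' log line into a dict (timestamp under 'ts')."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    event["factors"] = event.get("factors", "").split(",")
    return event


def single_factor_logins(lines):
    """(host, user) for every successful login that used only a password."""
    hits = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev["result"] == "success" and ev["factors"] == ["password"]:
            hits.append((ev["host"], ev["user"]))
    return hits


def inventory_mismatches(inventory, lines):
    """Hosts the inventory marks mfa_enforced=True but whose logs show single-factor logins."""
    claimed = {s.hostname for s in inventory if s.mfa_enforced}
    observed = {host for host, _ in single_factor_logins(lines)}
    return sorted(claimed & observed)


def mfa_coverage(inventory):
    """Fraction of internet-facing services with MFA enforced per the inventory."""
    exposed = [s for s in inventory if s.internet_facing]
    if not exposed:
        return 1.0
    return sum(s.mfa_enforced for s in exposed) / len(exposed)


if __name__ == "__main__":
    for s in find_mfa_gaps(INVENTORY):
        print(f"NO MFA (inventory): {s.hostname} {s.kind} owner={s.owner}")
    for host, user in single_factor_logins(LOG_LINES):
        print(f"single-factor success: host={host} user={user}")
    for host in inventory_mismatches(INVENTORY, LOG_LINES):
        print(f"inventory says MFA but logs disagree: {host}")
    print(f"MFA coverage on internet-facing services: {mfa_coverage(INVENTORY):.0%}")
```

The log check matters because an inventory is only a claim: in the constructed data gw-01 is recorded as MFA-enforced, yet a password-only login succeeded on it, which is exactly the kind of discrepancy that an inventory audit alone would never surface.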
- The Ransom - CEO Andrew Witty confirmed that the company had paid a ransom of approximately $22 million in an attempt to protect patient data from disclosure.
- ALPHV/BlackCat - The ransomware group pulled an exit scam and shut down its operation without paying its affiliate. The affiliate had retained a copy of the stolen data and took it to the RansomHub ransomware group, which sought an additional ransom payment (HIPAA Journal). So UnitedHealth paid $22 million and the data was still exposed.
- Total Cost - The cost of the Change Healthcare ransomware attack has risen to $2.457 billion, according to UnitedHealth Group's Q3 2024 earnings report (Hyperproof).
The bottom line: A missing multi-factor authentication on a single server led to the largest healthcare data breach in US history.
