UnitedHealth Concealed Major Data Breach Impacting Millions
Minneapolis, Wednesday, 15 January 2025.
UnitedHealth reportedly hid a data breach affecting over 100 million Americans, raising serious concerns about healthcare data security and transparency with regulators and patients.
Scale and Timeline of the Breach
UnitedHealth Group’s subsidiary, Change Healthcare, experienced what is being classified as the largest known theft of medical data in U.S. history [1]. The ransomware attack, which occurred in February 2024, impacted over 100 million Americans, with the company only revealing the full scope of the breach to the U.S. government’s health department in October 2024 [1]. The company’s delayed response has drawn significant criticism, as Change Healthcare waited four months after receiving the stolen files before beginning to notify affected individuals [1].
Response and Regulatory Concerns
The healthcare giant has faced mounting pressure from state regulators, with several states including California, Massachusetts, Nebraska, and New Hampshire stepping in to alert their residents about potential identity theft and fraud risks [1]. Notably, Nebraska took legal action against Change Healthcare in December 2024 over security failings related to the breach [1]. Change Healthcare has reportedly ‘substantially’ completed notifying affected individuals as of January 14, 2025 [1], though questions remain about the company’s ability to reach all impacted parties due to insufficient contact information [1].
Transparency Issues
Adding to the controversy, UnitedHealth’s handling of the breach notification has raised serious transparency concerns. When questioned about the specific number of individuals notified, UnitedHealth spokesperson Tyler Mason was unable to provide details beyond the estimated 100 million figure previously shared with government authorities [1]. The company has also faced scrutiny over its use of hidden ‘noindex’ code in the breach notice, a directive that asks search engines not to list the page in their results and so could limit public access to this critical information [1].
Remediation Efforts
In response to the breach, Change Healthcare has been providing resources for protecting affected individuals’ privacy [7]. The company has implemented a notification process that began in July 2024 and has continued with multiple rounds of notices sent to affected customers throughout the latter half of 2024 [7]. The company has confirmed it does not expect to identify additional affected customers beyond those already identified [7].