Incident Analysis

UnitedHealth Change Healthcare: 190 Million Update and the Long Tail

In January 2025 UnitedHealth revised the Change Healthcare breach count to 190 million people, the largest HIPAA breach in US history. We unpack what changed and the supply-chain lessons that still apply.

Michael
Security Engineer

On January 24, 2025, UnitedHealth Group filed an updated notification with the US Department of Health and Human Services Office for Civil Rights, raising the count of people affected by the February 2024 ransomware attack on its Change Healthcare subsidiary from an October 2024 estimate of 100 million to approximately 190 million. By July 31, 2025, Change Healthcare further updated the notification to 192.7 million individuals, making the incident the largest HIPAA-regulated data breach in United States history. The original intrusion is well documented — ALPHV/BlackCat affiliates entered through a Citrix portal lacking MFA on February 12, 2024, deployed encryption on February 21, and forced UnitedHealth to pay 22 million dollars before a successor extortion attempt from RansomHub followed in April. The 2025 update is less about new attacker tradecraft and more about what happens when a single clearinghouse holds claims data for the majority of US insured lives. The 90-million-person upward revision over a three-month window is itself a structural finding: the supplier-concentration problem in US healthcare is so severe that determining which patients were affected required almost a year of forensic data classification.

Why did the count jump from 100 million to 190 million?

UnitedHealth's October 2024 estimate was a working figure based on the volume of data identifiable as personal information at that point in the forensic review. The January 2025 revision reflected completion of the document review across approximately 4 terabytes of stolen content. Change Healthcare's role as a clearinghouse means it processed claims, eligibility checks, electronic remittances, and provider statements on behalf of hospitals, payers, pharmacies, and ambulance services across the entire US healthcare ecosystem. As the data classification pipeline ran, more individuals appeared in more historical claim records than the early sampling implied. The 192.7 million figure filed in July 2025 captured residual de-duplication after notifications were issued.

What did the attackers actually access?

Per UnitedHealth's regulatory filings and the HHS OCR notice, the exposed data spans health-insurance identifiers, claim and remittance content, billing and payment information, Social Security numbers and Tax IDs, driver's licence numbers, and detailed health information including diagnoses, services, treatment, prescriptions, and provider notes. For a non-trivial subset of affected individuals, the exfiltrated data also includes financial-account numbers and limited test-result content. Two ransom payments by Optum did not prevent some downstream re-extortion: in April 2024, RansomHub claimed to still hold a copy of the stolen data, a claim that aligns with affiliate behaviour following the FBI takedown of ALPHV's leak infrastructure in late 2023.

How long were they inside?

ALPHV/BlackCat affiliates accessed Change Healthcare's Citrix environment on February 12, 2024 using stolen credentials. The actor moved laterally, harvested additional credentials, and exfiltrated data through February 20. Encryption fired on February 21, 2024. Total dwell time before destructive action was nine days, consistent with the published ALPHV affiliate playbook and short relative to typical healthcare-sector dwell times that often exceed two weeks. The brevity of the dwell period reflects both the affiliate's efficiency and the absence of telemetry that would have surfaced the lateral movement and exfiltration phases. The recovery tail, however, has been much longer. Change Healthcare's electronic claims and payment platform remained partially degraded into late spring 2024, with cash-flow loans extended to providers reaching billions of dollars. The notification tail — the period between encryption and individual breach letters — ran nearly 16 months end-to-end.

What did existing controls miss?

Three control gaps are now part of public record from Andrew Witty's testimony to the US Senate Finance Committee and the House Energy and Commerce Committee. First, the Citrix Gateway used for initial access did not enforce MFA. UnitedHealth committed to remediation immediately, but the gap at time of breach was the single most consequential control failure. Second, segmentation between the Change Healthcare environment and other UnitedHealth subsidiaries was insufficient to prevent the breach blast radius from threatening Optum and the rest of UnitedHealth Group. Third, supplier-side visibility for the thousands of provider organisations that fed claims into Change Healthcare was effectively zero. Hospitals could not enumerate what claims data Change held about their patients, which made the notification timeline brutal.

# Compensating-control baseline for healthcare clearinghouse integrations
clearinghouse_minimum_controls:
  authentication:
    phishing_resistant_mfa: required
    legacy_basic_auth: blocked
    saml_certificate_lifetime_days: 90
  network:
    inbound_ip_allowlist: required
    site_to_site_vpn_only: preferred
    citrix_gateway_external_exposure: blocked
  data_handling:
    encryption_at_rest: required
    encryption_in_transit_tls_1_3: required
    data_minimisation_phi_attributes: enforced
  observability:
    failed_auth_alerting: required
    impossible_travel_detection: required
    siem_log_retention_days_minimum: 365
  contractual:
    breach_notification_hours: 72
    forensic_report_sharing: required
    sub_processor_disclosure: required

What should healthcare defenders do now?

Six steps. First, map every clearinghouse, payer, and revenue-cycle-management provider that holds PHI on your patients, and require each to attest to phishing-resistant MFA on every privileged access path. Second, demand a current SOC 2 Type II and a HITRUST CSF report from every clearinghouse, and read the bridge letters during procurement. Third, build a data-minimisation review for the claims attributes you send to each clearinghouse: the breach exposed lab and diagnosis data because clearinghouses receive far more than billing requires. Fourth, exercise a clearinghouse-down scenario quarterly with cash-flow modelling and manual claims fallback procedures. Fifth, push your state attorney general and Congress on the HIPAA Security Rule NPRM published in late 2024 — the proposed rule formalises MFA and encryption requirements for all PHI access. Sixth, integrate CISA KEV with your medical-device and clinical-software inventory so that another ALPHV-class disclosure surfaces every Citrix, Fortinet, or VPN appliance across the supply chain inside one console.
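The policy-gate half of these steps (the supplier baseline, the data-minimisation review and the KEV cross-reference) as an added Python example. It is not code from the original post or from any product named on this page; the supplier attestations, the billing-required attribute set and the KEV product list are constructed placeholders, and the baseline dictionary is a transcription of the compensating-control YAML above with a direction attached to each numeric threshold.

```python
"""Policy-gate checks for clearinghouse integrations (added example, constructed data)."""
from dataclasses import dataclass

# Baseline transcribed from the compensating-control YAML above. Numeric
# controls carry a direction so the gate knows whether the supplier's
# attested value must be at most ("max") or at least ("min") the figure.
BASELINE = {
    "phishing_resistant_mfa": "required",
    "legacy_basic_auth": "blocked",
    "saml_certificate_lifetime_days": ("max", 90),
    "inbound_ip_allowlist": "required",
    "site_to_site_vpn_only": "preferred",
    "citrix_gateway_external_exposure": "blocked",
    "encryption_at_rest": "required",
    "encryption_in_transit_tls_1_3": "required",
    "data_minimisation_phi_attributes": "enforced",
    "failed_auth_alerting": "required",
    "impossible_travel_detection": "required",
    "siem_log_retention_days_minimum": ("min", 365),
    "breach_notification_hours": ("max", 72),
    "forensic_report_sharing": "required",
    "sub_processor_disclosure": "required",
}

# Claim attributes that billing actually needs (constructed illustrative set).
BILLING_REQUIRED = {"member_id", "payer_id", "provider_npi",
                    "date_of_service", "cpt_codes", "charge_amount"}


@dataclass
class Supplier:
    name: str
    attested: dict         # control -> bool (present/enabled) or int, as attested by the supplier
    edge_products: set     # internet-facing appliance products at the integration edge
    claim_attributes: set  # claim/PHI fields we transmit to this supplier


def control_gaps(supplier):
    """Baseline controls the supplier fails; 'preferred' controls are advisory and never gaps."""
    gaps = []
    for control, rule in BASELINE.items():
        value = supplier.attested.get(control)
        if isinstance(rule, tuple):
            direction, limit = rule
            if value is None or (direction == "max" and value > limit) \
                    or (direction == "min" and value < limit):
                gaps.append(control)
        elif rule in ("required", "enforced") and value is not True:
            gaps.append(control)
        elif rule == "blocked" and value is not False:  # blocked means it must be absent
            gaps.append(control)
    return gaps


def gate_decision(supplier):
    """Block a new integration on any hard gap against the baseline."""
    return "block" if control_gaps(supplier) else "allow"


def phi_overshare(supplier):
    """Data-minimisation review (step three): attributes sent that billing does not need."""
    return sorted(supplier.claim_attributes - BILLING_REQUIRED)


def kev_exposure(suppliers, kev_products):
    """Step six: suppliers whose edge appliances match a product named in a KEV-style feed."""
    return {s.name: sorted(s.edge_products & kev_products)
            for s in suppliers if s.edge_products & kev_products}


# Constructed attestations for two hypothetical clearinghouses.
CLEARINGHOUSE_A = Supplier(
    name="clearinghouse-a (constructed)",
    attested={"phishing_resistant_mfa": True, "legacy_basic_auth": False,
              "saml_certificate_lifetime_days": 60, "inbound_ip_allowlist": True,
              "site_to_site_vpn_only": True, "citrix_gateway_external_exposure": False,
              "encryption_at_rest": True, "encryption_in_transit_tls_1_3": True,
              "data_minimisation_phi_attributes": True, "failed_auth_alerting": True,
              "impossible_travel_detection": True, "siem_log_retention_days_minimum": 400,
              "breach_notification_hours": 24, "forensic_report_sharing": True,
              "sub_processor_disclosure": True},
    edge_products={"sftp-gateway"},
    claim_attributes=set(BILLING_REQUIRED),
)
CLEARINGHOUSE_B = Supplier(
    name="clearinghouse-b (constructed)",
    attested={"phishing_resistant_mfa": False, "legacy_basic_auth": False,
              "saml_certificate_lifetime_days": 365, "inbound_ip_allowlist": True,
              "citrix_gateway_external_exposure": True, "encryption_at_rest": True,
              "encryption_in_transit_tls_1_3": True, "data_minimisation_phi_attributes": False,
              "failed_auth_alerting": True, "impossible_travel_detection": False,
              "siem_log_retention_days_minimum": 90, "breach_notification_hours": 72,
              "forensic_report_sharing": True, "sub_processor_disclosure": False},
    edge_products={"citrix-gateway", "fortinet-fortigate"},
    claim_attributes=BILLING_REQUIRED | {"icd10_diagnoses", "lab_results", "ssn"},
)
# Constructed stand-in for a product filter derived from the CISA KEV catalog.
KEV_PRODUCTS = {"citrix-gateway", "fortinet-fortigate"}

if __name__ == "__main__":
    for s in (CLEARINGHOUSE_A, CLEARINGHOUSE_B):
        print(s.name, gate_decision(s), control_gaps(s), phi_overshare(s))
    print(kev_exposure([CLEARINGHOUSE_A, CLEARINGHOUSE_B], KEV_PRODUCTS))
```

The gate treats a missing attestation for a numeric control as a failure, since an unanswered retention or notification question is the most common way a supplier questionnaire hides a gap; the `preferred` VPN control is deliberately advisory so the gate does not block on it.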

What regulatory follow-on has the breach triggered in 2025?

Three major regulatory threads are active. First, the HHS Office for Civil Rights opened a formal investigation under the HIPAA Breach Notification Rule and the HIPAA Security Rule, with potential civil monetary penalties scaling against the 192.7 million-person count. Second, the US Department of Health and Human Services published a Notice of Proposed Rulemaking in December 2024 to update the HIPAA Security Rule for the first time since 2013, with provisions explicitly addressing MFA, encryption at rest, and supplier-management controls — provisions that draw heavily on Change Healthcare lessons. Third, state attorneys general including Nebraska filed civil suits against Change Healthcare with the Nebraska case surviving a motion to dismiss in late 2025; the lawsuits seek treble damages and injunctive relief covering data-handling controls. Congressional oversight has continued: the Senate Finance Committee held repeated hearings in 2024 and 2025, the Energy and Commerce Committee published staff reports on supplier concentration risk, and individual senators introduced legislation that would require HHS to designate clearinghouses as systemically important and subject them to OCC-style stress testing. Healthcare defenders should expect continuing regulatory pressure throughout 2026.

How Safeguard Helps

Safeguard maps every healthcare clearinghouse, payer, and revenue-cycle vendor against the SBOM and CVE footprint of their integration touch-points with your environment, so a Citrix or VPN-appliance disclosure surfaces every Change Healthcare-class supplier exposed in minutes. Griffin AI reachability analysis flags where MFA is enforced versus inherited from a permissive policy, and where PHI data flows from your environment exceed what billing actually requires. TPRM workflows score clearinghouses against HITRUST, SOC 2, and the proposed 2025 HIPAA Security Rule, and require contractual 72-hour notification SLAs with sub-processor disclosure. Policy gates block new clearinghouse integrations that do not meet a minimum maturity baseline, and ingest ALPHV, RansomHub, and BlackCat-successor IOCs continuously so that responders working on a downstream impact see one prioritised view — not the 16-month notification slog that hospitals lived through after February 2024.
