Change Healthcare Data Breach Exposed Personal Information of Over 192 Million People

Healthcare technology provider Change Healthcare said the data security incident it suffered last year compromised the sensitive personal data of more than 192 million individuals.

 

In February last year, Change Healthcare said it experienced enterprise-wide connectivity issues due to which certain applications were not functioning. The company later said the outage occurred due to a “cyber security issue” that affected virtually the entire healthcare system in the US.

 

The BlackCat ransomware group claimed responsibility for the attack and reportedly extracted £18.3 million from Change. The group said it took 6TB of data from the company’s systems, including the data of all the company’s clients.

 

While Change Healthcare did not comment on the reports of paying the ransom, another group of threat actors using the pseudonym "RansomHub" announced that it also stole 4 terabytes of data from the company. It said the stolen data included personally identifiable information of active US military personnel and other patients, medical records, payment information, and more.

 

In a filing with the U.S. Department of Health and Human Services Office for Civil Rights, on July 19, 2024, Change Healthcare said it had identified 190 million individuals impacted by the incident.

 

However, in a recent notice filed with the Office of New Hampshire Attorney General, Change said that the company has completed its investigation and has been notifying affected individuals About the incident.

 

“As of July 31, 2025, Change Healthcare estimates that approximately 192.7 million individuals have been potentially impacted by this security incident. Of this total, approximately 1.3 million individuals were attributed solely to entities that did not delegate regulator notification to Change Healthcare,” reads the filing with the Attorney General’s office.

 

“As of July 31, 2025, Change Healthcare estimates there are approximately 655,282 unique individuals who were potentially impacted with mailing addresses in New Hampshire. Of this total, approximately 1,252 individuals were attributed solely to entities that did not delegate regulator notification to Change Healthcare,” the company added.