UnitedHealth Still Notifying Patients of Data Breach a Year After Massive Hack
A year after a significant cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group, patients are still receiving notices about potential data breaches. The breach, which affected approximately one in two Americans, has prompted lawsuits and continues to cause concern.
By Christopher Snowbeck The Minnesota Star Tribune February 25, 2025
UnitedHealth Group has its headquarters at the Optum corporate campus in Eden Prairie. (Carlos Gonzalez/The Minnesota Star Tribune)
According to a recent review by the Minnesota Star Tribune, a patient in the Twin Cities received a notice this week indicating that their data “may have involved” in the breach. The notifications are largely consistent with those sent to patients since last summer.
It’s unclear precisely how many Minnesotans were affected by the breach, but data from Google Analytics show an uptick in website searches related to Change Healthcare across the state. A company spokesman did not indicate how many notices are being distributed this month.
The cyberattack was first disclosed by Eden Prairie-based UnitedHealth Group on February 22, 2024. The company revealed in January that the scope of the hack was more extensive than originally thought, affecting roughly 190 million patients – a substantial increase from the earlier estimate of 100 million.
“Mailings have been ongoing and will continue to go out to help ensure notification,” UnitedHealth Group stated in a Monday announcement.
The breach notification indicates that the potentially compromised data includes patient contact information, along with health plan ID numbers, patient diagnoses, and Social Security numbers.
UnitedHealth Group has offered free credit monitoring and identity protection services. The notice states: “On February 21, 2024, [Change Healthcare] found activity in our computer system that happened without our permission. We quickly took steps to stop that activity… On March 7, 2024, we learned a cybercriminal was able to see and take copies of some data in our computer system.”
In 2022, the Optum division of UnitedHealth Group acquired Change Healthcare for about $13 billion. This occurred despite antitrust concerns at the time.
Due to the cyberattack, which required the shutdown of a widely used data clearinghouse for processing claims, pharmacies and much of the national healthcare system were disrupted. The system processes medical claims for numerous health insurers, not just UnitedHealth’s UnitedHealthcare unit.
UnitedHealth Group reports it has since repaired the affected systems at Change Healthcare.
In December, the attorney general of Nebraska filed a lawsuit against the company, asserting that the cyberattack could have been prevented. Meanwhile, lawsuits filed by numerous patients and healthcare providers alleging negligence, unjust enrichment, and consumer protection violations have been combined in a multidistrict litigation proceeding in the U.S. District Court of Minnesota.
Defendants named in the lawsuits include UnitedHealth Group, Change Healthcare, and Optum.
In a February 19 notice to attorneys, U.S. District Judge Donovan Frank wrote, “In light of defendants’ anticipated motion to dismiss, the court finds there is good cause to delay the entry of a pretrial scheduling order.”
People who have been affected by the data breach can find advice from the Federal Trade Commission at IdentityTheft.gov/databreach. Information on how to respond is also available from credit bureaus such as Experian.
To enroll, people can use the link at changecybersupport.com or call toll-free 888-846-4705. For additional support from Change Healthcare, consumers can call toll-free 866-262-5342.
