UnitedHealthcare Data Breach: 6 Things Victims Must Do
In February 2024, hackers broke into Change Healthcare — a payment processing subsidiary of UnitedHealth Group — and walked out with the personal and medical records of an estimated 190 million Americans. That number, confirmed by UnitedHealth Group in early 2025, makes this the largest healthcare data breach in U.S. history. If you have ever filed a health insurance claim, filled a prescription, or visited a doctor who used Change Healthcare’s systems, your data may be exposed.
The unitedhealthcare data breach did not just expose names and email addresses. Attackers accessed Social Security numbers, diagnosis codes, treatment histories, prescription records, and payment information — the kind of data that enables identity theft for years, not weeks.
Here is exactly what happened, who is at risk, and the six specific steps you need to take right now.
Table of Contents
Key Takeaways
- The UnitedHealthcare data breach exposed up to 190 million Americans’ medical and financial records — the largest healthcare breach on record.
- Stolen data includes Social Security numbers, diagnoses, prescriptions, and payment details — high-value material for identity thieves.
- Six concrete actions — from credit freezes to medical record audits — can significantly reduce your risk right now.
- Federal investigations are ongoing, and victims may have legal remedies available, including potential settlements.
What Actually Happened: The Change Healthcare Attack Explained
On February 21, 2024, a ransomware group called ALPHV/BlackCat gained access to Change Healthcare’s systems using stolen credentials. There was no multi-factor authentication protecting the entry point — a basic security gap that allowed attackers to move freely through the network for days.
Change Healthcare processes roughly 15 billion healthcare transactions annually, touching one in three patient records in the United States. When the attack hit, pharmacies could not process prescriptions, hospitals could not verify insurance, and providers went weeks without payment. The change healthcare cyber attack impact was not just a data problem — it was a full operational crisis for the American healthcare system.
UnitedHealth Group reportedly paid a $22 million ransom to ALPHV/BlackCat. A second affiliate group then threatened to release the data anyway, demanding additional payment. The company has since spent over $3 billion addressing the fallout, according to its 2024 financial disclosures.
Who Is at Risk From the UnitedHealthcare Data Breach?
The scope here is genuinely staggering. You do not need to be a UnitedHealthcare insurance member to be affected. If your doctor, pharmacy, hospital, or specialist used Change Healthcare’s billing and payment systems at any point — and most did — your records were likely in those systems.
According to the U.S. Department of Health and Human Services, Change Healthcare processes claims for nearly half of all Americans each year. That means people covered by employer plans, Medicaid, Medicare Advantage, and private insurance policies from dozens of different carriers are all potentially in the exposed dataset.
The data stolen includes a particularly dangerous combination: Social Security numbers paired with detailed medical histories. That pairing enables medical identity theft — where criminals use your identity to obtain prescriptions, file false insurance claims, or receive medical services billed to your insurance. This type of fraud is significantly harder to detect than financial identity theft.
The 6 Things Victims of the UnitedHealthcare Data Breach Must Do
1. Freeze Your Credit at All Three Bureaus
A credit freeze is the single most effective tool available to breach victims. It prevents anyone — including identity thieves with your Social Security number — from opening new credit accounts in your name. It is free, and it does not affect your credit score.
You need to freeze with all three major bureaus separately: Equifax, Experian, and TransUnion. Do not stop at one. In our experience reviewing breach response cases, victims who froze only one or two bureaus still had fraudulent accounts opened through the unfrozen bureau.
Also freeze with lesser-known data brokers like ChexSystems (used by banks) and NCTUE (used by utility companies). Attackers with healthcare data often target utility and telecom accounts first because victims rarely monitor them.
2. Request Your Medical Records and Check for Errors
Medical identity theft is the underreported cousin of financial identity theft. Under HIPAA, you have the right to request a complete copy of your medical records from every provider you have visited. Request them, then read them carefully.
Look for procedures you did not have, prescriptions you did not receive, or diagnoses that do not match your actual history. One real-world pattern we have tracked: fraudulent prescriptions for controlled substances filed under victims’ identities, which can corrupt their medical records and affect future treatment decisions.
Also request your insurance Explanation of Benefits (EOB) statements going back 12 to 24 months. Any claim you do not recognize is a red flag worth investigating immediately.
3. Enroll in the Free Credit Monitoring UnitedHealth Is Offering
UnitedHealth Group is providing two years of free credit monitoring and identity protection services to affected individuals through Experian IdentityWorks. Enrollment is available at the dedicated breach response site the company set up. Do not ignore this — the service includes dark web monitoring, which can alert you if your data surfaces on criminal forums.
That said, credit monitoring is reactive, not preventive. It tells you after something has happened. Treat it as an early warning system, not a complete solution. Pair it with the credit freeze mentioned above.
If you are unsure whether you qualify, call UnitedHealth’s dedicated breach support line at 1-800-424-9069. As of 2026, the enrollment window remains open, though deadlines have shifted — check the current status directly.
4. File an Identity Theft Report If You Spot Fraud
If you discover any fraudulent activity — new accounts, false medical claims, unauthorized prescriptions — file an identity theft report at IdentityTheft.gov immediately. The FTC’s platform walks you through a personalized recovery plan and generates official documentation you will need when disputing fraudulent accounts.
For medical identity theft specifically, also file a complaint with your state’s insurance commissioner and notify the provider whose name was used in the fraudulent claim. Providers have a legal obligation to investigate and correct records under HIPAA.
Keep every document, every reference number, and every communication. If a class action settlement emerges — and given the scale of this breach, litigation is already underway — documented fraud strengthens your claim considerably. For context on how breach settlements work, see our breakdown of the Capital One data breach settlement process, which shares structural similarities with what victims here may eventually face.
5. Change Passwords and Enable MFA on Health Portals and Financial Accounts
The irony of this breach is that it was enabled by the absence of multi-factor authentication on Change Healthcare’s systems. Do not make the same mistake with your own accounts. Enable MFA on every patient portal, insurance account, pharmacy app, and financial account you use.
Use an authenticator app — Google Authenticator, Authy, or Microsoft Authenticator — rather than SMS-based codes. SMS-based MFA is vulnerable to SIM-swapping attacks, which are increasingly common when attackers have your phone number and personal details (both of which were exposed here).
Also change any password you have reused across multiple sites. If your MyChart password is the same as your bank password, a credential stuffing attack can chain those breaches together. A password manager like Bitwarden or 1Password makes this manageable without relying on memory. For a full guide on securing your accounts after a breach, see our post-breach account security checklist.
6. Watch for Targeted Phishing Using Your Own Medical Data
This is the step most breach response guides skip, and it may be the most important one in this specific case. Because the stolen data includes diagnosis codes and prescription histories, attackers can craft phishing emails that reference your actual medical conditions. That level of personalization makes the scam far more convincing.
We have already seen reports of phishing campaigns using healthcare data from this breach — emails claiming to be from pharmacies about prescription refills, or from insurers about claim disputes, that include enough accurate personal detail to bypass the victim’s skepticism.
The rule: never click a link in an unsolicited health-related email, even if it looks legitimate. Go directly to the provider’s official website by typing the address yourself. Call the number on your insurance card, not the number in the email.
The Regulatory and Legal Fallout
The HHS Office for Civil Rights launched a formal investigation into the UnitedHealthcare data breach in October 2024, specifically examining whether Change Healthcare violated HIPAA’s Security Rule by failing to implement adequate safeguards — including, notably, multi-factor authentication. That investigation is ongoing as of 2026.
Multiple state attorneys general have also opened investigations. According to the American Hospital Association, the change healthcare cyber attack impact caused an estimated $1.9 billion in disruption costs to hospitals and health systems in the first months alone — a figure that does not include downstream effects on patients or providers.
Class action lawsuits have been consolidated in federal court. While no settlement has been finalized, the scale and severity of the breach make some form of victim compensation likely. Documenting your losses now — time spent on fraud resolution, any out-of-pocket costs, documented harm — positions you to participate if a settlement is reached.
Why Healthcare Breaches Are More Dangerous Than Financial Ones
A stolen credit card number gets canceled and replaced. A stolen medical record cannot be unwritten. According to the IBM Cost of a Data Breach Report 2024, healthcare breaches cost an average of $9.77 million per incident — nearly three times the cross-industry average — precisely because the data is so sensitive and the consequences so long-lasting.
Medical identity theft takes an average of over a year to detect, according to the Medical Identity Fraud Alliance. In that time, false claims can accumulate, prescription histories can be corrupted, and victims can face denied coverage or incorrect treatment based on fraudulent records in their name.
The UnitedHealthcare data breach sits at the worst possible intersection: financial data and medical data, combined, at massive scale. Treat the response with the seriousness that combination demands.
What UnitedHealth Group Has Done — and What It Has Not
UnitedHealth Group has invested heavily in remediation — rebuilding Change Healthcare’s systems, offering free monitoring, and cooperating with federal investigations. CEO Andrew Witty testified before Congress in May 2024, acknowledging the MFA failure and committing to security upgrades across the enterprise.
What has not happened: a clear, direct notification to every affected individual. The breach notification process has been criticized for being slow and incomplete. Many victims learned about the breach from news coverage, not from UnitedHealth directly. If you have not received a notification letter, that does not mean you are safe — it may simply mean your notification has not arrived yet.
Check the breach lookup tool at UnitedHealth’s dedicated response page and contact your insurance provider directly if you are uncertain about your exposure status.
Frequently Asked Questions About the UnitedHealthcare Data Breach
How do I know if I was affected by the UnitedHealthcare data breach?
UnitedHealth Group has been sending breach notification letters to affected individuals, but the process has been slow. If you have received healthcare services in the United States in recent years and your provider used Change Healthcare’s billing systems — which most did — assume you may be affected. Use UnitedHealth’s breach response site or call 1-800-424-9069 to check your status directly.
What specific data was stolen in the Change Healthcare attack?
The stolen data includes names, addresses, dates of birth, Social Security numbers, health insurance member IDs, diagnosis and condition codes, prescription information, treatment details, and in some cases payment and banking information. The exact data varies by individual depending on what was in Change Healthcare’s systems for that person.
Will there be a settlement for UnitedHealthcare data breach victims?
Class action litigation is actively underway as of 2026, consolidated in federal court. No settlement has been finalized yet, but given the scale of the breach and the documented harm to millions of Americans, legal experts widely expect some form of compensation to be available. Document any fraud, financial loss, or time spent on remediation now — that documentation will matter if a settlement is reached.
Is the free credit monitoring from UnitedHealth enough protection?
No. Credit monitoring alerts you after fraud has occurred — it does not prevent it. The most effective protective step is a credit freeze at all three major bureaus, which blocks new credit applications entirely. Use the free monitoring as one layer of a broader response that also includes the credit freeze, MFA on all accounts, and regular review of your medical records and insurance statements.
Can I sue UnitedHealth Group over this breach?
Individual lawsuits are possible, but most victims will be best served by the consolidated class action already in progress. If you have suffered documented, specific financial harm — fraudulent accounts, out-of-pocket losses from medical identity theft, costs of remediation — consult a consumer protection or data breach attorney about your options. Many work on contingency for breach cases. You can also monitor the class action docket for updates on how to register as a class member when that process opens.