A cyberattack on Change Healthcare first detected in February 2024 has ballooned into what may be the largest health data breach in U.S. history, exposing approximately 190 million people's personal information. UnitedHealth Group, Change Healthcare's parent company, disclosed that attackers exploited a Citrix portal lacking multifactor authentication to gain initial access before deploying ransomware nine days later.

CEO Andrew Witty told Congress the company paid a $22 million ransom to restore systems, a decision that drew sharp criticism from lawmakers who warned it would incentivize future attacks. The breach dwarfs previous federal incidents like the 2015 OPM hack, which affected 21 million people, and has raised questions about how a company processing roughly a third of all U.S. health claims could leave such a critical access point unprotected.

The stolen data includes health records, insurance details, and payment information tied to routine medical care, creating dual risks of financial fraud and medical identity theft that can take years to detect. Regulators and lawmakers are signaling this incident will serve as a test case for how aggressively the government will police cyber risk in critical health infrastructure, with both parties pressing for clearer requirements around multifactor authentication and rapid breach notification.