Two of UnitedHealth Group's subsidiaries were hit by ransomware within roughly a year of each other, and the combined reach touches close to 200 million Americans, according to Security.org's breach guide (security.org). If you have seen a doctor in the past few years, there is a real chance your data was caught up in it.
What actually happened
There were two separate incidents, both under the UnitedHealth Group umbrella and both involving its Optum division.
The big one hit Change Healthcare, one of the largest healthcare clearinghouses in the country. It processes roughly 15 billion transactions a year and touches about one in three U.S. patient records, according to the American Hospital Association (aha.org). On February 12, 2024, attackers tied to the ALPHV/BlackCat ransomware group got in through a remote-access portal that had no multi-factor authentication, then spent nine days inside the network before deploying ransomware on February 21 (security.org). UnitedHealth Group's CEO later told Congress the entry point lacked multi-factor authentication (Senate Finance Committee testimony, PDF). Senator Ron Wyden's summary, as reported by Security.org, was blunt: "This hack could have been stopped with cybersecurity 101."
The company paid a $22 million ransom in Bitcoin in exchange for a promise to delete the stolen data (security.org). The promise was worthless. The criminal group took the money and disappeared, and the stolen files resurfaced in a second extortion campaign anyway. Patient data began showing up on dark web leak sites regardless of the payment.
The final count, reported to the U.S. Department of Health and Human Services, reached 192.7 million people as of July 31, 2025, which makes it the largest healthcare data breach ever recorded in the United States (Paubox, Tom's Guide).
Then it happened again. Episource, a medical coding company also owned by Optum, detected an intrusion on February 6, 2025. The HHS breach portal lists 5,418,866 people affected (security.org).
What was exposed
The data varied person to person, but across the two breaches it included names, addresses, dates of birth, phone numbers, health insurance and policy details, Medicare and Medicaid ID numbers, and protected health information such as diagnoses, medications, test results, and medical record numbers. Social Security numbers were involved for some people, and payment card or banking details in a limited number of cases (security.org).
Change Healthcare has said Social Security numbers were not part of the exposed data for most affected people (security.org). That is small comfort. A file that ties your name and address to your diagnoses, your medications, and your insurance IDs is a detailed portrait of your life, and it is exactly the raw material a scammer uses to sound convincing when they call you.
Financial details are not the only data worth protecting
Most people know to watch their bank accounts and freeze their credit. Health and insurance information gets far less attention, and criminals count on that. Diagnoses, medications, insurance policy numbers, and Medicare or Medicaid IDs were exactly the kind of data exposed in these breaches, and that information is enough to file fraudulent claims, make a scam call sound legitimate, or open the door to medical identity theft.
Data from breaches like these does not sit still either. It gets bought, combined, and resold along with other data you may have exposed on data broker sites (name, phone number, email, etc.). That is the layer that makes the next scam call sound like it comes from someone who already knows you.
A breach this size is unsettling. With the right monitoring and coverage in place, you do not have to carry that worry on your own, and that is what Papaya Privacy is built for. You can add your medical IDs, insurance details, and other sensitive information to be monitored, so if any of it surfaces in a breach or on the dark web, you find out right away. Papaya Privacy also scans 350+ data broker and people-search sites and sends removal requests to get your information taken down, and it backs everything with $1 million in identity theft insurance and hands-on restoration support. Good peace of mind, instead of a running list of things to worry about.
