A recent update from Change Healthcare estimates that around 190 million individuals were impacted by the cyberattack occurring in 2024. This number nearly doubles the previous estimate and may include data such as: 

• First and last name 
• Address
• Email address
• phone number 
• Health insurance information
• Medical information 
• Billing and claims information

Below, security leaders discuss the implications of this update. 

Security leaders weigh in 

Mr. Piyush Pandey, CEO at Pathlock:

As this incident demonstrates, data breaches involving sensitive data, such as patients' health insurance information, medical records, billing and payment information, as well as sensitive personal information, can have far-reaching implications. Currently, HIPAA does not strictly require healthcare organizations to enforce multi-factor authentication (MFA), however, the Change Healthcare ransomware attack clearly demonstrates how not having MFA greatly increases risk and can lead to disastrous consequences. Lawmakers should introduce more stringent compliance requirements in this area, and not only require MFA, but also mandate that organizations invest in processes for proactive visibility into who has access to what and implement continuous access controls monitoring so they can prevent such attacks from spreading across their entire organization.

Darren Guccione, CEO and Co-Founder at Keeper Security:

The revelation that 190 million Americans were affected by the Change Healthcare ransomware attack is a stark reminder of the magnitude of modern cyber threats. This update also underscores the complex and prolonged nature of investigating incidents like these. The sheer volume of sensitive personal and healthcare data stolen highlights the critical need for more robust cybersecurity measures across the healthcare sector. 

Determining the true impact of an attack of this scale often takes months or even years as organizations must uncover the full extent of data exposure, verify the accuracy of the breach reports and navigate evolving regulatory requirements. Threat actors complicate this, using sophisticated tactics to prolong detection and response times.

This incident reinforces the importance of adopting proactive cybersecurity measures. Prioritizing robust encryption, a zero-trust architecture and employee training can minimize exposure to risks. A privileged access management solution is critical to protect access to an organization’s most sensitive assets. This breach also serves as a wake-up call for individuals to protect their data by vigilantly monitoring for suspicious activity and enabling strong account protections. The scale of this breach demands a systemic overhaul of how healthcare organizations manage and secure the sensitive information they hold.