The recent update on the largest health sector data breach has revealed an expanded scope.

UnitedHealth Group reported that hackers compromised the records of approximately 190 million individuals during the attack on its Change Healthcare subsidiary last February. This new number is almost double the company’s earlier estimate of 100 million affected individuals.

The breach at Change Healthcare, which is owned by UnitedHealth, caused significant disruptions in the healthcare sector, leaving doctors and hospitals unable to process payments for weeks due to system outages. This incident impacts over half of all Americans, raising concerns about how their sensitive information might be exploited.

These extensive breaches, where personal identification, financial data, and health information are exposed, underscore the importance for consumers to remain “hypervigilant,” according to John Dwyer, director of security research at Binary Defense, a cybersecurity firm based in Stow, Ohio.

Given the wealth of information obtained, scammers could potentially misuse it to establish fraudulent credit cards or accounts in your name.

“The unfortunate reality today is that you need to take specific precautions to manage your digital risks,” Dwyer explained.

My health information was compromised in a breach. What steps should I take?

Typically, companies hit by hacks provide impacted customers with free credit monitoring services for a limited time. These services can notify you when someone opens a fraudulent account using your details.

In addition to creating an account with credit monitoring, individuals should take further measures to shield themselves from identity theft, advised Chris Pierson, CEO of BlackCloak, a cybersecurity company in Orlando focusing on personal digital security for high-profile clients.

You should reach out to the three major credit bureaus – Equifax, Experian, and TransUnion – to request a freeze on your credit. This action will mitigate the risk of criminals using your name, Social Security number, date of birth, or address to open a new credit card or account.

Be vigilant against phishing attempts via text, email, or phone calls. Skilled attackers may use your sensitive information—like the date of a medical appointment—to trick you into paying a fake medical bill, according to Pierson.

It’s also important to keep a close eye on your bank accounts, health savings accounts, or other financial records to promptly catch any unauthorized charges, Pierson added.

“Enhance your resilience against potential scam attacks by familiarizing yourself with the tactics these criminals might employ,” Pierson suggested.

What occurred during the UnitedHealth breach?

In February, hackers infiltrated the network of Change Healthcare, owned by UnitedHealth, in a ransom attack. Change Healthcare is recognized as the largest clearinghouse for medical payments in the country.

UnitedHealth reported that the majority of those affected by the breach have been notified. The exact number of impacted individuals will be finalized in an upcoming filing with the U.S. Department of Health and Human Services Office of Civil Rights.

HHS is responsible for investigating breaches that may violate health information privacy and security regulations and publicly discloses incidents affecting 500 or more individuals on its website.

“Change Healthcare is not aware of any misuse of personal information from this incident and has not detected any electronic medical record databases that appeared in the data during the review,” the company stated.

Consumers looking for details on credit monitoring and information regarding the attack can visit changecybersupport.com.

UnitedHealth indicated that the stolen information includes customers’ names, addresses, phone numbers, email addresses, and dates of birth. Other compromised data may consist of health insurance details, billing claims, and medical records, including diagnostic codes, medications, test results, images, and treatment data.

Following a lawsuit filed against Change Healthcare last December, Nebraska Attorney General Mike Hilgers remarked that the data breach “compromised the most sensitive privacy and financial data of Nebraskans” and halted insurance payments to healthcare providers. Nebraska has become the first state to initiate legal action against the company regarding this breach. In total, over forty lawsuits have been filed in relation to this incident.

The extent of the stolen information varied among individuals; while some records included Social Security numbers, in rare cases, bank data, payment card details, driver’s licenses, or other identification might have been compromised, according to the company.

Healthcare firms are increasingly vulnerable

Healthcare institutions, insurance providers, and hospitals have faced a rising number of cyberattacks from criminals demanding ransom payments in recent years. These attackers take control of the information systems of healthcare organizations and demand ransom to regain access.

Cybercriminals highly value healthcare data because it is generally more accurate than information obtained from other sources, Pierson noted.

“The data quality in the healthcare and finance sectors is superior,” Pierson explained.

Due to the high value of this data, healthcare organizations are at significant risk of cyber intrusions, according to Frank Balonis, chief information security officer at Kiteworks, a company in San Mateo, California specializing in secure data-sharing solutions.

Kiteworks assessed risk ratings for the top eleven hacks across all sectors last year based on factors such as the scale of the breach, financial impact, type of stolen data, and regulatory compliance. While other major breaches, such as those involving Ticketmaster and the pathology lab Synnovis, affected more individuals, they had a lower risk profile compared to the Change Healthcare breach, according to Kiteworks’ analysis.

Only the National Public Data breach—which involved a data aggregation service for background checks—had a risk score comparable to that of the Change Healthcare incident. The National Public Data breach exposed nearly 3 billion records, including names, email addresses, phone numbers, mailing addresses, and Social Security numbers.