Change Healthcare's 192.7M-Record Breach: What It Means for Patient Privacy

The numbers are difficult to wrap your head around. In 2024, a ransomware attack on Change Healthcare, a clearinghouse that processes billing and insurance transactions for a significant portion of the U.S. healthcare system, resulted in the theft of personal and health information belonging to 192.7 million individuals. That single healthcare data breach now stands as the largest in recorded history, surpassing every previous incident by an enormous margin.

For context, that figure represents more than half the population of the United States. It didn't come from dozens of separate incidents over a year. It came from one attack, on one company, that sat at the center of an interconnected web of healthcare providers, insurers, and patients.

How One Attack Reached 192.7 Million People

Change Healthcare's role in the U.S. healthcare system made it an extraordinarily high-value target. As a clearinghouse, it processed claims and transactions connecting thousands of hospitals, clinics, pharmacies, and insurers. When attackers breached its network, they didn't just access one organization's data. They accessed a central repository touching an enormous cross-section of the entire healthcare industry.

The breach followed a pattern common in large-scale ransomware incidents: attackers gained initial access, moved laterally through internal systems, identified and exfiltrated sensitive data, and then deployed ransomware to disrupt operations. The operational disruption alone caused cascading problems across the healthcare sector, with providers unable to process claims for weeks. But the longer-lasting damage is the exposure of health records, insurance information, and personal identifiers for nearly 193 million people.

This kind of third-party vendor risk is not unique to Change Healthcare. The TriZetto breach, which exposed 3.4 million patient records, followed a similar pattern, where attackers targeted a health technology intermediary rather than a hospital directly. When a single vendor serves hundreds of healthcare clients, one successful intrusion can ripple outward to affect millions of people who never directly interacted with the breached company.

Why Healthcare Is a Persistent Target

Healthcare has become one of the most frequently breached sectors for several interconnected reasons. Health records contain a uniquely dense combination of personal, financial, and medical information, making them more valuable to criminals than standard financial records. At the same time, many healthcare organizations operate on thin margins, rely on legacy infrastructure, and face regulatory and operational pressures that can slow security improvements.

The scale of the Change Healthcare breach is extreme, but the frequency of healthcare data breaches is not unusual. Incidents affecting large patient populations have been logged consistently in recent years, from large public health systems to smaller specialty providers. The NYC Health and Hospitals breach, which exposed 1.8 million fingerprints, illustrates how even biometric data held by public institutions can be compromised when a third-party vendor's network is insufficiently secured.

The pattern across these incidents is consistent: attackers find a weak point, often through compromised credentials, unpatched systems, or insufficiently secured remote access, and then move through networks that weren't built to contain a determined intruder.

What This Means For You

If you received care in the United States at any point before or during 2024, there is a meaningful chance your information was among the records exposed in the Change Healthcare breach. The affected data reportedly includes names, addresses, Social Security numbers, insurance information, and in many cases detailed medical records.

For patients, that means the risk isn't just identity theft. It includes the potential for insurance fraud, targeted phishing attacks using personal health details, and the long-term exposure of sensitive medical history. Health information, unlike a credit card number, cannot be changed.

For healthcare workers and administrators, the breach is a pointed reminder that the security of patient data depends not just on their own organization's defenses but on every vendor and partner connected to their systems. Breaches linked to third-party vendors continue to account for a significant share of healthcare incidents, and the Change Healthcare case raises urgent questions about how thoroughly those relationships are vetted and monitored.

For healthcare organizations specifically, the breach highlights several concrete areas worth reviewing:

  • Third-party access controls: Vendors with access to internal systems should face the same scrutiny as internal users, including strict credential policies and network segmentation that limits how far any single access point can reach.
  • Remote access security: VPNs with enforced multi-factor authentication are a baseline protection for remote access to internal systems. The Change Healthcare breach illustrates that compromised credentials can be an entry point, but a VPN alone is not a complete defense. It needs to be paired with segmentation, monitoring, and response capabilities.
  • Data minimization: Organizations should audit what data they share with third-party vendors, retaining and transmitting only what is operationally necessary.

It is worth being clear about what security tools like VPNs can and cannot do. VPNs protect the channel through which data travels, particularly for remote workers accessing clinical systems or for telehealth communications that need to remain private. They are a meaningful layer of protection for healthcare workers operating outside a clinical network. But the Change Healthcare breach was not primarily a remote-access security failure. It involved deeper systemic issues around network architecture and lateral movement, problems that require layered defenses well beyond any single tool.

Actionable Takeaways

If you believe your data may have been affected by the Change Healthcare breach or any similar incident, there are concrete steps worth taking. Monitor your health insurance statements for claims you don't recognize. Place a fraud alert or credit freeze with the major credit bureaus. Be alert to phishing attempts that use personal health details to appear legitimate.

For healthcare professionals and administrators, the lesson from 2024's record-breaking breach is that vendor relationships are security relationships. Every third-party connection to a clinical network is a potential entry point that deserves rigorous, ongoing evaluation. The scale of what happened at Change Healthcare reflects not just one company's vulnerabilities, but the risks that come with building an industry on tightly interconnected, insufficiently hardened infrastructure. Addressing those risks requires investment in security at every link in the chain, not just at the most visible ones.