Change Healthcare breach affected 100 million Americans, marking a new record

The Change Healthcare data breach in February affected 100 million Americans, the company told the Health and Human Services Department this week, making it the biggest breach of health care data ever reported to U.S. regulators.

The development is the latest ripple in what was already an unprecedented attack, one in which the company paid a $22 million ransom, resulted in estimated losses of more than $1 billion and attracted the attention of policymakers who have sought new rules for the industry.

Change Healthcare notified HHS about the updated number, with the company previously stating only that “a substantial proportion of people in America” were affected. HHS posted about the new figure it in its own update Thursday. HHS’s Office of Civil Rights is conducting an investigation of the breach.

The previous record for victims of a breach in the sector was the Anthem breach of 2015, which impacted nearly 79 million Americans and resulted in the company paying a $16 million settlement to HHS.

Change Healthcare has said the range of affected data could include contact information like name and phone number, health insurance details such as insurance company, billing and payment information, and other personal information like Social Security numbers.

The breach has inspired multiple proposed bills in Congress, including one to require minimum cybersecurity standards for providers, health plans and connected entities after a high-profile hearing on the breach. The White House also has said it’s been developing new cybersecurity rules for the sector.

Change Healthcare did not immediately respond to a request for comment but has reportedly said it is still in the final stages of its investigation.