Yes, the Change Healthcare data breach class action confirms that medical records, payment information, and personal identifiers for 192.7 million individuals were compromised in what became the largest data breach ever reported in the United States. The breach, announced on February 21, 2024, exposed sensitive health information including diagnoses, medications, test results, Social Security numbers, bank account details, and claim information belonging to nearly two-thirds of all Americans. For example, a patient seeking treatment for a specific condition would have had their complete medical history, along with their financial account numbers and insurance details, stolen and potentially sold to third parties. Change Healthcare, which processes approximately 50 percent of all medical claims in the United States, suffered a devastating ransomware attack that disrupted operations nationwide and exposed the healthcare records system to criminal exploitation.
The BlackCat ransomware group claimed responsibility for the attack, and Change Healthcare paid a $22 million ransom to address the breach. As of June 2026, approximately 78 lawsuits have been consolidated into a Multi-District Litigation (MDL) proceeding in the U.S. District Court for the District of Minnesota, with litigation still in the pretrial phase and no final settlement approved. This ongoing legal action represents one of the largest coordinated class actions in healthcare history, with projected settlement estimates ranging from $1 billion to $5 billion.
Table of Contents
- What Data Was Stolen in the Change Healthcare Breach?
- How Did BlackCat Access Change Healthcare’s Systems?
- Who Is Eligible to Claim in the Change Healthcare Class Action?
- What Are the Estimated Settlement Payouts?
- What Harm Must You Prove to Recover Damages?
- How Does This Compare to Other Major Healthcare Data Breaches?
- What Is the Current Status and Timeline of the Litigation?
- Conclusion
What Data Was Stolen in the Change Healthcare Breach?
The Change healthcare breach exposed three categories of highly sensitive information that criminals can use for identity theft, medical fraud, and financial crimes. Medical records stolen included complete diagnoses, treatment plans, medications prescribed, laboratory test results, medical record numbers, and healthcare provider information. Payment and financial data compromised in the breach encompassed insurance claim numbers, account numbers, billing codes, payment card information, and banking details—the exact information fraudsters need to open accounts or make unauthorized charges.
The breach also exposed personal identifiers such as names, addresses, Social Security numbers, dates of birth, and health insurance member IDs. A comparison illustrates the severity: a typical identity theft breach might compromise a Social Security number alone, while the Change Healthcare breach gave criminals a complete profile combining medical history, financial accounts, and identity markers. Researchers estimate that up to 6 terabytes of data were stolen during the attack. The combination of medical and financial information in a single breach creates what security experts call a “perfect storm” for fraud, as criminals can use the health insurance details to file false claims while simultaneously accessing banking information to intercept funds.
How Did BlackCat Access Change Healthcare’s Systems?
The exact technical pathway BlackCat used to penetrate Change Healthcare’s network has not been fully disclosed in public filings, though the attack exploited vulnerabilities in the company’s infrastructure to achieve widespread system access. What is known is that the ransomware group gained sufficient access to encrypt critical systems, causing operational disruption that forced Change Healthcare to shut down major processing functions. The company’s inability to process claims in real time created a cascading crisis affecting hospitals, pharmacies, and healthcare providers nationwide who depend on Change Healthcare’s infrastructure to submit and manage insurance claims.
One important limitation in the public understanding of this breach is that Change Healthcare has not released a comprehensive technical postmortem explaining precisely which security controls failed. The company maintained security certifications and compliance with HIPAA standards prior to the breach, yet the attack still succeeded at an unprecedented scale. This raises a critical warning for other healthcare IT companies: even organizations with strong security certifications can be compromised if adversaries discover unpatched vulnerabilities or exploit human factors like credential compromise. The lesson for consumers is that no company’s security measures provide absolute protection, which is why credit monitoring and identity theft protection have become standard offerings in breach settlements.
Who Is Eligible to Claim in the Change Healthcare Class Action?
Any individual whose medical or financial information was included in the data stolen from Change Healthcare is potentially eligible to file a claim, though the actual scope of the class will be defined through the formal class certification process expected to occur during 2026. The class likely will include anyone who received healthcare services from a provider that used Change Healthcare’s systems for claims processing, insurance verification, or payment handling during the breach window. For instance, a patient who visited a hospital emergency room on February 15, 2024—six days before the breach was announced—would have had their information exposed if the hospital used Change Healthcare’s claims processing system.
Eligibility determinations may vary depending on whether the plaintiff can prove they were actually in the database at the time of the breach and whether they suffered compensable harm. The litigation framework includes five “pilot” bellwether trials scheduled to begin in late 2026 or early 2027, which will test legal theories about liability, damages calculation, and what constitutes compensable injury from a data breach. Some claimants will have suffered identity theft or fraud directly tied to the breach; others may only qualify based on the mere fact of exposure. This distinction matters because settlements and damages awards may be structured in tiers, with higher payouts for those who can document concrete financial losses or identity theft, and lower amounts for those with exposure alone.
What Are the Estimated Settlement Payouts?
Legal experts have projected that the Change Healthcare settlement could range from $1 billion to $5 billion, making it one of the largest healthcare data breach settlements in history. Individual payouts are estimated to fall between $100 and $5,000 or more, depending on several factors including the extent of documented harm, the number of class members who ultimately file claims, and how the court allocates settlement funds. A claimant who experienced identity theft resulting in fraudulent credit card charges might receive a payout at the higher end, while someone whose information was exposed but who suffered no documented injury might receive a lower amount or a nominal payment.
The comparison to other major healthcare settlements shows the scale involved: the Anthem Blue Cross breach of 2015, which affected 78.8 million individuals, eventually settled for $115 million, yielding average payments of approximately $1,200 per person (though many claims received far less). The Change Healthcare settlement, if it reaches the $2 billion to $5 billion range, would distribute significantly more per capita. However, a major tradeoff exists: settlements must be divided among hundreds of millions of eligible claimants, and proof-of-claim processes typically result in claim rates of 10 to 20 percent, meaning many eligible individuals never file. Additionally, a portion of settlement funds must be reserved for claim administration costs and plaintiff attorney fees, which can consume 25 to 40 percent of the total settlement amount.
What Harm Must You Prove to Recover Damages?
One of the central legal issues in the Change Healthcare litigation is whether plaintiffs must demonstrate actual financial injury or identity theft, or whether the mere exposure of sensitive information is sufficient grounds for compensation. The bellwether trials scheduled for late 2026 and early 2027 will test this question in real courtrooms, and the outcomes could significantly shape the final settlement structure. Some courts have held that data exposure alone—without proof of subsequent identity theft or fraud—does not create compensable injury, while others have recognized that the cost of credit monitoring and the risk of future fraud constitutes a real harm deserving compensation.
A critical warning for claimants is that documentation is essential. Those who can provide evidence of identity theft, fraudulent credit accounts, unauthorized charges, or false insurance claims will have much stronger claims than those relying solely on the fact that their data was in Change Healthcare’s database. If you were a victim of identity theft after February 21, 2024, gather copies of credit reports showing fraudulent accounts, documentation of disputed charges, and any communications with credit bureaus or law enforcement. The limitation of this approach is that proving causation—demonstrating that the specific identity theft resulted from the Change Healthcare breach rather than some other source—can be extremely difficult and may require expert analysis or circumstantial evidence.
How Does This Compare to Other Major Healthcare Data Breaches?
The Change Healthcare breach dwarfs previously major healthcare data breaches in scale and impact. The Anthem Blue Cross breach compromised 78.8 million records; the Equifax breach affected 147 million individuals but was primarily a credit reporting company rather than a direct healthcare provider. Change Healthcare’s breach of 192.7 million individuals is the largest data breach ever reported in United States history.
The operational impact was also more severe: while other breaches resulted in data theft, the Change Healthcare attack included a ransomware component that actually shut down systems and disrupted patient care, making this breach a systemic threat to the entire healthcare infrastructure. The uniqueness of Change Healthcare’s position as a clearinghouse processing half of all medical claims in the country meant that its disruption had nationwide consequences within days. Patients had treatment delayed, prescriptions unfilled, and insurance verification stalled because healthcare providers could not access the systems they depended on. This combination of massive data theft plus operational disruption creates legal exposure far exceeding typical healthcare breaches and justifies the projected settlement estimates in the $1 billion to $5 billion range.
What Is the Current Status and Timeline of the Litigation?
As of June 2026, the Change Healthcare litigation remains in the pretrial phase with no final settlement approved. The case was consolidated into the Minnesota federal district court in June 2024, and a scheduled settlement meeting occurred on January 30, 2025, but negotiations have not yet yielded a publicly announced final agreement. The litigation structure includes five bellwether trials set to begin in late 2026 or early 2027, which will serve as test cases to evaluate the strength of claims and damages calculations.
These trials will proceed ahead of the broader class and will inform settlement negotiations and final judicial approval. Looking forward, class certification is expected during 2026, which will formally establish the scope of the class and the eligibility criteria. The timeline suggests that a final settlement, if reached, could be approved sometime in 2026 or 2027, though complex healthcare litigation of this magnitude often extends years beyond initial projections. Claimants who believe they were affected should monitor the official litigation website and watch for notice of class certification and claim filing periods, as missing deadlines can result in permanent loss of claim rights.
Conclusion
The Change Healthcare data breach resulted in the largest confirmed data exposure in United States history, compromising 192.7 million individuals’ medical records, financial information, and personal identifiers. The ongoing class action litigation, consolidated in federal court in Minnesota, has resulted in 78 lawsuits and is expected to produce a settlement in the range of $1 billion to $5 billion, with individual payouts potentially ranging from $100 to $5,000 or more depending on documented harm. As of June 2026, litigation remains in the pretrial stage with bellwether trials scheduled for late 2026 or early 2027.
If you believe your information was affected by the Change Healthcare breach, document any identity theft or fraud that occurred after February 21, 2024, and watch for official notices regarding class certification and claim filing deadlines. Missing the claim period can permanently bar you from recovery, regardless of your eligibility. Consulting with an attorney experienced in data breach class actions can help you understand your specific rights and the strength of any claim you might have.