Millions of Americans Affected: Change Healthcare Reveals Data Stolen in Cyberattack

UnitedHealth has, for the first time, detailed the types of medical and patient data stolen in the extensive cyberattack on Change Healthcare (CHC). The company announced that CHC cyberattack notifications will be mailed in July to affected individuals.

“CHC plans to mail written letters at the conclusion of data review to affected individuals for whom CHC has a sufficient address. Please note, we may not have sufficient addresses for all affected individuals. The mailing process is expected to begin in late July as CHC completes quality assurance procedures,” reads the official statement by Change Healthcare.

UnitedHealth issued a data breach notification, revealing that the ransomware attack exposed a “substantial quantity of data” for a “substantial proportion of people in America.” During a congressional hearing, UnitedHealth CEO Andrew Witty estimated that “maybe a third” of all Americans’ health data was compromised in the attack.

Stolen Data Information in CHC Cyberattack

The Change Healthcare data breach notification provided a comprehensive overview of the types of information that may have been affected. Although CHC cannot confirm exactly what data was compromised for each individual, the exposed information may include:

1. Contact Information: Names, addresses, dates of birth, phone numbers, and email addresses.
2. Health Insurance Information: Details about primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
3. Health Information: Medical record numbers, providers, diagnoses, medicines, test results, images, and details of care and treatment.
4. Billing, Claims, and Payment Information: Claim numbers, account numbers, billing codes, payment card details, financial and banking information, payments made, and balances due.
5. Other Personal Information: Social Security numbers, driver’s license or state ID numbers, and passport numbers.

This information may vary for each impacted individual. To date, CHC has not seen full medical histories appear in their data review.

“The information that may have been involved will not be the same for every impacted individual. To date, we have not yet seen full medical histories appear in the data review. Also, some of this information may have related to guarantors who paid bills for health care services. A guarantor is the person who paid the bill for health care services,” the official statement reads further.

Cyberattack on Change Healthcare: What Exactly Happen?

The Change Healthcare cyberattack occurred when a cybercriminal gained unauthorized access to the CHC computer system on February 21, 2024. Upon discovering the ransomware deployment, CHC immediately took steps to halt the activity, disconnected and shut down systems to prevent further impact and initiated an investigation. Law enforcement was contacted, and CHC’s security team, along with several top cybersecurity experts, worked tirelessly to address the breach and understand its scope.

The investigation revealed that a significant amount of data was exfiltrated from CHC’s environment between February 17, 2024, and February 20, 2024.

By March 7, 2024, CHC confirmed the data exfiltration and began analyzing the compromised files.

On April 22, 2024, CHC publicly confirmed that the impacted data could affect a substantial proportion of the American population.

As of June 20, 2024, CHC began notifying customers whose data was identified as compromised.

When CHC learned about the activity, CHC immediately began an investigation with support from leading cybersecurity experts and law enforcement. In response to this incident, CHC immediately took action to shut down systems and sever connectivity to prevent further impact,” informed Change Healthcare official release

“CHC has also reinforced its policies and practices and implemented additional safeguards in an effort to prevent similar incidents from occurring in the future. CHC, along with leading external industry experts, continues to monitor the internet and dark web.

What Steps Affected Individuals Can Take

While the investigation continues, individuals who suspect their information may have been compromised can take several steps to protect themselves:

1. Enroll in Credit Monitoring and Identity Protection: CHC is offering two years of complimentary credit monitoring and identity protection services.
2. Monitor Statements and Reports: Regularly check explanations of benefits from health plans, statements from healthcare providers, bank and credit card statements, credit reports, and tax returns for any unfamiliar activity.
3. Report Unfamiliar Health Services: If any unauthorized healthcare services are found on an explanation of the benefits statement, contact the health plan or doctor.
4. Alert Financial Institutions: Immediately contact financial institutions or credit card companies if suspicious activity is detected on bank or credit card statements or tax returns.
5. File a Police Report: Contact local law enforcement if you believe you are a victim of a crime.

Individuals may also have additional rights depending on their state of residence and should refer to the provided Reference Guide for more information.

The ransomware attack on CHC has highlighted significant vulnerabilities in the handling of sensitive health and personal information. As the investigation progresses, affected individuals are urged to stay vigilant and utilize the resources provided to mitigate potential risks.