Change Healthcare Confirms Types of Data Stolen in Ransomware Attack and Starts Issuing Notifications
Change Healthcare has confirmed the types of data compromised in its February ransomware attack and, four months after the ransomware attack was detected, has started notifying the affected covered entities; however, individual notifications will not start to be mailed until the end of July.
Change Healthcare said it started notifying the healthcare providers, health plans, and other organizations whose data was compromised in its February ransomware attack on Thursday, June 20, 2024. Change Healthcare has made significant progress in identifying the affected data; however, since the data review is only 90% complete, it is not yet possible to confirm exactly how many individuals have been affected or the types of information involved for each individual. Change Healthcare has not found evidence to suggest that doctorsโ charts or full medical histories were compromised in the attack.
The types of information involved vary from individual to individual and may include the following:
- Contact information such as first and last names, addresses, birthdates, email addresses and phone numbers
- Health information such as medical record numbers, provider names, diagnoses, medications, test results, medical images, and treatment information
- Health insurance information such as primary, secondary, and other health policies, insurance company names, member/group ID numbers, and Medicare/Medicaid numbers.
- Billing, claims, and payment information such as account numbers, claim numbers, billing and payment codes, payment card information, banking information, balances due, and payments made.
- Personal information including Social Security numbers, driverโs license numbers, passport numbers, and state ID card numbers.
The attack was conducted by an affiliate of the BlackCat/ALPHV ransomware group who claimed to have exfiltrated around 6GB of data. Change Healthcareโs parent company, UnitedHealth Group (UHG), paid a $22 million ransom; however, as part of an apparent exit scam, the operators took the ransom, did not delete the stolen data, and failed to pay the affiliate their percentage of the ransom payment. The affiliate then took the data to another ransomware group, RansomHub, which sought further payment from UHG.
Since individual notifications have not yet been sent, the affected individuals will be unaware that their data has been stolen; however, since UHG CEO Andrew Witty said the data of up to 1 in 3 Americans may have been compromised, as a precaution, all Americans should vigilant against identity theft and fraud. If they receive a notification letter confirming that their data has been compromised they should immediately take advantage of any credit monitoring and identity theft protection services offered.
For the affected covered entities, the deadline for issuing individual notifications is 60 days from the date they were notified about the attack by Change Healthcare. They must ensure that notifications are issued without undue delay and within that time frame and can delegate responsibility for issuing notifications to Change Healthcare. They should coordinate with Change Healthcare to ensure those notifications are sent within the allowed time frame. ย Change Healthcare said it will be issuing notifications on behalf of each affected covered entity unless they opt out by July 8, 2024.