Change Healthcare Starts Mailing Individual Notification Letters About Ransomware Attack
Change Healthcare has published a substitute breach notice and has started mailing notification letters to the affected individuals but has yet to confirm exactly how many individuals have been affected. The attack may have affected up to 1 in 3 Americans – potentially more than 110 million individuals. The affected providers and insurers were notified about the attack in late June, and most are expected to delegate responsibility for issuing notifications to Change Healthcare.
The substitute breach notice explains that as a vendor to healthcare providers and health insurance plans, Change Healthcare is provided with certain information that is protected under HIPAA. On February 21, 2024, a security incident was identified when ransomware was installed on its systems. After securing its systems to prevent further unauthorized access, Change Healthcare has been working on restoring its systems, investigating the incident, and determining what data may have been accessed or obtained in the attack.
On March 7, 2024, Change Healthcare confirmed that a threat actor had obtained a substantial amount of data between February 17, 2024, and February 20, 2024, although it was not safe to obtain a copy of that data to investigate further until March 13, 2024. Change Healthcare has now confirmed that the following information was present in that data set:
- Contact information including name, address, phone number, and email address
- Personal information such as date of birth, Social Security number, driver’s license number/government ID number, or passport number
- Health information such as medical record number, provider name(s), diagnosis, medicines, test results, images, care and treatment information
- Health insurance information such as primary, secondary, or other health plan/policy information, insurer, member/group ID number, and Medicaid/Medicare ID number
- Billing, claims, and payment information including claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due
Change Healthcare has taken several steps to improve security, including reinforcing policies and procedures, adding additional safeguards, and working with third-party cybersecurity experts to monitor the internet and dark web for exposed data. A helpline – 1-866-262-5342 – and web page have been set up for individuals to find out more information, and Change Healthcare has offered the affected individuals complimentary credit monitoring and identity theft protection services, which can be accessed now by visiting the above website.
This was a ransomware attack with confirmed data theft, so it is important to sign up for the identity theft protection services being offered. State attorneys general have responded to the publication of the notice by urging state residents to take advantage of the services and resources being offered.
“The disastrous cyberattack on Change Healthcare leaked the personal information of millions of Americans and made them vulnerable to bad actors,” said New York Attorney General Letitia James. “While UnitedHealth and its subsidiary work to address the fallout from the cyberattack, I urge everyone who believes their information may have been compromised to use the free credit monitoring and identity theft protection services to protect themselves.”
Attack Likely to Cost UnitedHealth Group $2.3 Billion in 2024
Change Healthcare’s parent company, UnitedHealth Group, has released its second-quarter earnings report, which shows robust growth in the second quarter of 2024 with revenues increasing significantly, although profits have taken a hit due to the ransomware attack on Change Healthcare. In Q2, 2023, profits were $5.4 billion, whereas in Q2, 2024 they fell to $4.2 billion. The fall in profits is largely due to the ransomware attack on Change Healthcare. The total cost of the cyberattack is predicted to be around $1 billion more than previously predicted and is expected to be between $2.3 billion and $2.45 billion in 2024.
Healthcare Providers Take Legal Action to Recover Losses
Several lawsuits have already been filed against Change Healthcare and UnitedHealth Group over the attack and data breach. The lawsuits all make similar claims – Change Healthcare and UnitedHealth Group were negligent by failing to implement reasonable and appropriate safeguards, and had those safeguards been implemented, the attack and data breach could have been prevented.
One of the latest lawsuits was filed by the National Community Pharmacists Association (NCPA), which lists 40 healthcare providers as named plaintiffs. The lawsuit is seeking reimbursement of losses incurred by providers as a result of the attack and prolonged outage and seeks an order from the court requiring Change Healthcare to implement a range of safeguards to prevent similar breaches in the future.