Breach Confirmed! Change Healthcare Cyber Event to Impact Millions

Category: News, Breaches


Change Healthcare (CHC), owned by healthcare giant UnitedHealth Group, has confirmed that patient data was exfiltrated from their environment after all - a stunning reveal that will impact millions of patient records.

“Who is Change Healthcare and why should I care?”

Change Healthcare (CHC), formerly Emdeon, is the largest healthcare payment processor in the United States. They process 15 billion health care transactions annually and touch 1 in every 3 patient records, according to the AHA. Basically, when you go to the doctor, pharmacy, hospital, dentist, or other healthcare facility and use your insurance, a coupon, or government benefits, Change Healthcare is probably the one handling the transaction behind the scenes.


“I thought they said it was just ransomware?”

UnitedHealth Group-owned Change Healthcare (CHC) recently updated their investigation bulletin, stating that their ransomware event was also a data breach. They have not yet determined which patients or customers were included in that stolen data. This means patient data was copied out of CHC systems into unauthorized hacker systems. (If your company uses CHC, consider discussing this development with your HIPAA officers and legal counsel.) At the moment, whether or not your data was included may be unknown since, as CHC states in their bulletin, “CHC is still investigating whose personal information may have been involved.” UnitedHealth Group states, “If you know your Change Healthcare account representative, contact them directly for information specific to your account.”

“... On March 7, 2024, CHC was able to confirm that a substantial quantity of data had been exfiltrated from its environment between February 17, 2024, and February 20, 2024. On March 13, 2024, CHC obtained a dataset of exfiltrated files that was safe to investigate. On April 22, 2024, following analysis, CHC publicly confirmed the impacted data could cover a substantial proportion of people in America.” (Excerpt from the bulletin, underlining added post)

Your HIPAA Officers or legal counsel may mention sending out "be on alert" notices to patients as a precaution.

Attorneys general (AGs) have sent out information such as the following:

  • For information, visit the Change Healthcare Consumer support page - UnitedHealth Group.

  • To enroll in credit monitoring provided by CHC, visit the Change Healthcare Consumer support page, or call UnitedHealth Group at 1-888-846-4705 or Change Healthcare at 1-866-262-5342.

  • Be on the lookout for evidence of your data being stolen and used by criminals. Signs include:

      • Being denied insurance coverage because of a pre-existing condition you do not have.

      • Unexpected bills from doctors' offices for services you did not receive.

      • Unexpected entries in your Explanation of Benefits (EoB) statements for services you’ve never received or prescription medications you do not take.

      • Unexpected notices from insurance companies indicating you have reached your benefit limit.

      • An unexpected call from a debt collector.

      • Unexpected medical debt collection notices on your credit report.

There is a lot more to the story, and we encourage you to check it out and keep monitoring it as news coverage is updated!

 
