UnitedHealth Group has begun notifying impacted entities of the Change Healthcare data breach and revealing what information was stolen.
What happened
Change Healthcare recently released a notice of a data breach online. The notice compiles some of the most salient information regarding the violation and reveals new information regarding what data was impacted.
The organization confirmed they began notifying impacted entities on June 20th. Change Healthcare also said it will begin mailing breach notifications to individual victims in late July.
The notice comes amid controversy regarding who would be responsible for the massive amount of breach notifications needing to be mailed. In April, Change had stated they would bear the administrative burden of sending notices, but some organizations were concerned about follow-through.
It’s estimated that nearly 30% of Americans' data was impacted by the event. According to the Medical Group Management Association, approximately 15,000 medical group practices were affected. Ultimately, the OCR determined that impacted organizations could delegate this duty to Change.
What’s new
To relieve overwhelmed hospitals and healthcare providers, Change has made good on the agreement and is now sending out notices to all impacted entities nearly four months after the breach occurred.
According to one report, Change has completed a review of over 90% of impacted files, a sufficient amount to begin notifications. While HIPAA regulations require entities to send written notice within 60 days, it’s common for companies to delay notifications while an investigation is underway.
Due to the extensive nature of the breach, it is evident why the investigation was time-consuming. On top of this, Change said that it only recently obtained a dataset safe to analyze.
Going deeper
In Change’s latest notice, they provided information on what data was impacted. Their investigation determined that contact information (names, addresses, dates of birth, phone numbers, and email) may have been stolen alongside:
- Health insurance information like health plans, member/group ID, and Medicaid-Medicare-government payor information,
- Health information like records, providers, and diagnoses,
- Billing, claims, and payment information,
- Other personal information such as Social Security numbers, driver’s license or state ID numbers, and passport numbers.
Change is also committed to providing written letters to individuals by the end of July. The organization noted that there were likely to be many individuals without an address on file.
The big picture
As Change begins the process of notifying individuals, the extent of the breach will likely become clearer–especially to patients and providers.
As individuals begin seeing notices, there will likely be more controversy regarding the incident and its handling. When the breach occurred, nearly 50 lawsuits were brought against the company. Change hopes to consolidate many of these lawsuits and centralize them in Tennessee, the company’s headquarters.
While the worst of the incident appears to be over, with a breach this large, there are likely to be more developments in the near future.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
