Change Healthcare breach notices to be sent to 110 million affected

Change Healthcare has published a substitute data breach notice stating that notifications will be sent out to affected entities and individuals on July 20th.

What happened

Change Healthcare recently updated its website with a breach notice regarding a cyberattack that occurred in February 2024. The company will begin mailing notification letters to affected individuals on July 20, 2024. The data review is nearly complete, though more individuals may still be identified as affected.

The backstory

On June 20, Change Healthcare released a notice of a data breach, revealing important details regarding the cyberattack while also revealing new information regarding what data was impacted. Change Healthcare also confirmed that they had begun notifying affected entities and will begin sending breach notifications to individual victims in late July. 

Go deeper: Change Healthcare begins sending breach notification

Going deeper

Key points from the notice include:

• Breach timeline: The breach was detected on February 21, 2024. Hackers had access to Change Healthcare's systems between February 17 and February 20, 2024. It was confirmed on March 7, 2024, that significant data had been exfiltrated. The analysis began on March 13, 2024, after obtaining a safe copy of the data.
• Affected individuals: The total number of affected individuals is not yet announced but could be as high as 110 million, potentially affecting 1 in 3 Americans.
• Exposed information: The exposed data includes health insurance information, health information, billing and payment information, and personal information such as Social Security numbers and driver’s license numbers.
• Protective actions: Affected individuals are advised to protect themselves by monitoring their benefits statements, and financial accounts, and reporting any irregularities or unauthorized charges. Change Healthcare is offering two years of free credit monitoring and identity theft protection services.
• Cybercriminal involvement: The data was stolen by an affiliate of the BlackCat ransomware group and is also claimed to be in possession of the RansomHub ransomware group.
• Further assistance: Individuals can get more information and assistance by visiting changecybersupport.com or calling 1-866-262-5342. Additionally, state attorneys general are urging residents to sign up for the credit monitoring services provided.
  
  

What they’re saying

According to Change Healthcare (CHC), the notice was released to “provide customers and individuals with information about the criminal cyberattack on CHC systems and to share resources available to people who believe their personal data potentially being impacted.” They further mentioned that they are nearing the completion of their review of individual details, which might have been affected by the incident. “CHC is providing this notice now to help individuals understand what happened, let them know that their information may have been impacted, and give them information on steps they can take to protect their privacy, including enrolling in two years of complimentary credit monitoring and identity theft protection services if they believe that their information may have been impacted.”

See also: HIPAA Compliant Email: The Definitive Guide

Why it matters

HIPAA's Breach Notification Rule mandates covered entities and their business associates to notify affected individuals, the Secretary of Health and Human Services, and, in some cases, the media when there is a breach of unsecured protected health information (PHI). This rule aims to protect patients' privacy and ensure they are informed about potential risks to their personal and health information. CHC’s notification to affected entities and individuals is a demonstration of its compliance with these regulations, reflecting its commitment to transparency and accountability.

Learn more: Navigating HIPAA’s Breach Notification Rule

FAQs

What is a data breach?

A data breach occurs when unauthorized individuals gain access to sensitive, protected, or confidential data, often resulting in the exposure or theft of this information. This can include personal information, financial data, health records, and more.

What types of information are commonly targeted in data breaches?

Commonly targeted information includes:

• Personally identifiable information (PII) such as names, Social Security numbers, addresses, and dates of birth
• Financial information such as credit card numbers, bank account details, and payment information
• Health information, including medical records, insurance details, and treatment histories
• Login credentials, like usernames and passwords

What are the potential consequences of a data breach for individuals?

Individuals affected by a data breach may face:

• Identity theft
• Financial fraud
• Unauthorized charges on credit cards
• Unauthorized access to accounts
• Loss of privacy
• Emotional distress