Change Healthcare Provides HIPAA Media Notice Regarding Cyberattack
June 20, 2024 - 5:00 PM
Business Wire
Change Healthcare (CHC), which provides services to health care
providers, health insurance plans and other companies, is providing
notice about the criminal cyberattack on Change Healthcare systems
involving the protected health information (PHI) of a substantial
proportion of people in America.
CHC has completed review of over 90% of the impacted files and
continues to see no evidence that materials such as doctors’ charts
or full medical histories were exfiltrated from its systems. Any
individual concerned that their information may have been impacted
by this incident can enroll in two years of complimentary credit
monitoring and identity theft protection services, and CHC will pay
for these services for two years, as previously announced.
On February 21, 2024, CHC became aware of deployment of
ransomware in its computer system. Once discovered, CHC quickly
took steps to stop the activity, disconnected and turned off
systems to prevent further impact, began an investigation, and
contacted law enforcement. CHC’s security team worked around the
clock with several top security experts to address the matter and
understand what happened. CHC has not identified evidence this
incident spread beyond CHC.
CHC retained leading cybersecurity and data analysis experts to
assist in the investigation, which began on February 21,
2024. On March 7, 2024, CHC was able to confirm that a
substantial quantity of data had been exfiltrated from its
environment between February 17, 2024, and February 20, 2024. On
March 13, 2024, CHC obtained a dataset of exfiltrated files that
was safe to investigate. On April 22, 2024, following analysis, CHC
publicly confirmed the impacted data could cover a substantial
proportion of people in America.
Although the data review is in its late stages and additional
customers may be identified as impacted, CHC has identified certain
customers whose members’ or patients’ data was involved in the
incident. On June 20, 2024, CHC will begin providing notice to
those customers. While CHC does not yet know the full extent of
data impacted by individual and related covered entity customer,
for purposes of individual notice, it is notifying those impacted
customers it has identified so they can take action, providing a
website URL that those customers can link to from their own
websites to share with their potentially impacted individuals. That
link is https://www.changehealthcare.com/hipaa-substitute-notice.
The link can be used by any current and inactive customers of CHC
who wish to proactively notify their individuals of the incident
now while the data review remains ongoing and share how individuals
can reach out to CHC if they have questions.
CHC is assuming responsibility for making individual
notifications on behalf of those impacted customers which do not
opt out of CHC’s notifications process, as outlined in the customer
notice.
While CHC cannot confirm exactly what data has been affected for
each impacted individual, the information involved may have
included contact information (such as first and last name, address,
date of birth, phone number, and email) and one or more of the
following:
- Health insurance information (such as primary, secondary or
other health plans/policies, insurance companies, member/group ID
numbers, and Medicaid-Medicare-government payor ID numbers);
- Health information (such as medical record numbers, providers,
diagnoses, medicines, test results, images, care and
treatment);
- Billing, claims and payment information (such as claim numbers,
account numbers, billing codes, payment cards, financial and
banking information, payments made, and balance due); and/or
- Other personal information such as Social Security numbers,
driver’s licenses or state ID numbers, or passport numbers.
Information that may have been involved was not the same for
every impacted individual. Also, some of this information may have
related to guarantors who paid bills for health care services.
While CHC is still investigating whose personal information may
have been involved, there are some steps individuals can take to
protect themselves:
- Individuals should be on the lookout and regularly monitor the
explanation of benefits statements received from their health plan
and statements from health care providers, as well as bank and
credit card statements, credit reports, and tax returns, to check
for any unfamiliar activity.
- If individuals notice any health care services they did not
receive listed on an explanation of benefits statement, they should
contact their health plan or doctor.
- If individuals notice any suspicious activity on bank or credit
card statements or on tax returns, they should immediately contact
their financial institution and/or credit card company or relevant
agency.
- If an individual believes they are the victim of a crime, they
can contact local law enforcement authorities and file a police
report.
Privacy and security are top priorities. In response to this
incident, CHC immediately took action to shut down systems and
sever connectivity to prevent further impact. CHC has also
reinforced its policies and practices and implemented additional
safeguards in an effort to prevent similar incidents from occurring
in the future. CHC, along with leading external industry experts,
continues to monitor the internet and dark web.
This media notice contains the information CHC can provide at
this time while CHC continues working through the data review to
identify affected individuals. CHC plans to send direct notice
(written letters) at the conclusion of the data review, as
required, to affected individuals identified for whom CHC has a
sufficient address on behalf of those impacted customers that have
not opted out of CHC’s notification process. Please note, CHC may
not have sufficient addresses for all affected individuals. The
mailing process is expected to begin in late July as CHC completes
quality assurance procedures.
CHC regrets any inconvenience or concern caused by this
incident. CHC is providing this notice now to help individuals
understand what happened and remind them of information on steps
they can take to help protect their privacy, including enrolling in
two years of complimentary credit monitoring and identity theft
protection services if they are concerned their information may
have been impacted. Individuals can visit changecybersupport.com
for more information and details on these resources or call the
toll-free call center, which also includes trained clinicians to
provide support services. The call center’s number is:
1-866-262-5342, available Monday through Friday, 8 a.m. to 8 p.m.
CT.
View source version on businesswire.com: https://www.businesswire.com/news/home/20240620726809/en/
Media Contact: newsroom@optum.com