Change Healthcare (CHC), which provides services to health care providers, health insurance plans and other companies, is providing notice about the criminal cyberattack on Change Healthcare systems involving the protected health information (PHI) of a substantial proportion of people in America.

CHC has completed review of over 90% of the impacted files and continues to see no evidence that materials such as doctors’ charts or full medical histories were exfiltrated from its systems. Any individual concerned that their information may have been impacted by this incident can enroll in two years of complimentary credit monitoring and identity theft protection services, which CHC will pay for, as previously announced.

On February 21, 2024, CHC became aware of deployment of ransomware in its computer system. Once discovered, CHC quickly took steps to stop the activity, disconnected and turned off systems to prevent further impact, began an investigation, and contacted law enforcement. CHC’s security team worked around the clock with several top security experts to address the matter and understand what happened. CHC has not identified evidence this incident spread beyond CHC.

CHC retained leading cybersecurity and data analysis experts to assist in the investigation, which began on February 21, 2024. On March 7, 2024, CHC was able to confirm that a substantial quantity of data had been exfiltrated from its environment between February 17, 2024, and February 20, 2024. On March 13, 2024, CHC obtained a dataset of exfiltrated files that was safe to investigate. On April 22, 2024, following analysis, CHC publicly confirmed the impacted data could cover a substantial proportion of people in America.

Although the data review is in its late stages and additional customers may be identified as impacted, CHC has identified certain customers whose members’ or patients’ data was involved in the incident. On June 20, 2024, CHC will begin providing notice to those customers. While CHC does not yet know the full extent of the data impacted for each individual and related covered entity customer, for purposes of individual notice it is notifying the impacted customers it has identified so they can take action, and is providing a website URL that those customers can link to from their own websites to share with their potentially impacted individuals. That link is https://www.changehealthcare.com/hipaa-substitute-notice. The link can be used by any current and inactive customers of CHC who wish to proactively notify their individuals of the incident now, while the data review remains ongoing, and share how individuals can reach out to CHC if they have questions.

CHC is assuming responsibility for making individual notifications on behalf of those impacted customers that do not opt out of CHC’s notifications process, as outlined in the customer notice.

While CHC cannot confirm exactly what data has been affected for each impacted individual, the information involved may have included contact information (such as first and last name, address, date of birth, phone number, and email) and one or more of the following:

  • Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
  • Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
  • Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
  • Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.

Information that may have been involved was not the same for every impacted individual. Also, some of this information may have related to guarantors who paid bills for health care services.

While CHC is still investigating whose personal information may have been involved, there are some steps individuals can take to protect themselves:

  • Individuals should be on the lookout and regularly monitor the explanation of benefits statements received from their health plan and statements from health care providers, as well as bank and credit card statements, credit reports, and tax returns, to check for any unfamiliar activity.
  • If individuals notice any health care services they did not receive listed on an explanation of benefits statement, they should contact their health plan or doctor.
  • If individuals notice any suspicious activity on bank or credit card statements or on tax returns, they should immediately contact their financial institution and/or credit card company or relevant agency.
  • If an individual believes they are the victim of a crime, they can contact local law enforcement authorities and file a police report.

Privacy and security are top priorities. In response to this incident, CHC immediately took action to shut down systems and sever connectivity to prevent further impact. CHC has also reinforced its policies and practices and implemented additional safeguards in an effort to prevent similar incidents from occurring in the future. CHC, along with leading external industry experts, continues to monitor the internet and dark web.

This media notice contains the information CHC can provide at this time while CHC continues working through the data review to identify affected individuals. At the conclusion of the data review, CHC plans to send direct notice (written letters), as required, on behalf of those impacted customers that have not opted out of CHC’s notification process, to the identified affected individuals for whom CHC has a sufficient address. Please note, CHC may not have sufficient addresses for all affected individuals. The mailing process is expected to begin in late July as CHC completes quality assurance procedures.

CHC regrets any inconvenience or concern caused by this incident. CHC is providing this notice now to help individuals understand what happened and remind them of information on steps they can take to help protect their privacy, including enrolling in two years of complimentary credit monitoring and identity theft protection services if they are concerned their information may have been impacted. Individuals can visit changecybersupport.com for more information and details on these resources or call the toll-free call center, which also includes trained clinicians to provide support services. The call center’s number is: 1-866-262-5342, available Monday through Friday, 8 a.m. to 8 p.m. CT.

Media Contact: newsroom@optum.com