Substitute Data Breach Notice Published by Change Healthcare

by | Jul 13, 2024

Change Healthcare has published a substitute breach notice on its website regarding its February 2024 cyberattack. The notice states that the mailing of notification letters to the impacted persons starts on July 20, 2024. Change Healthcare stated that the data analysis is about to be completed; however, more affected individuals could still be discovered.

In the breach notice, Change Healthcare details the following information about the breach:

  • it was discovered on February 21, 2024
  • hackers acquired access to its internal network from February 17 to February 20, 2024
  • on March 7, 2024, Change Healthcare reported the massive exfiltration of data from its network
  • data analysis was started only on March 13, 2024, when Change Healthcare got a safe copy of the information to assess
  • the preliminary analysis showed that a big percentage of people in the U.S. were impacted, possibly 1 in 3 Americans, which means the total number of people affected may reach over 110 million.

The types of data compromised or stolen differ from person to person and may include some or all of the categories listed below. In certain cases, the data of guarantors was likewise exposed.

  • Medical insurance details (including primary, secondary, or other insurance policies/health plans, member/group ID numbers, insurance providers, and Medicaid-Medicare-government payor ID numbers);
  • Health data (including medical record numbers, healthcare providers, diagnoses, prescription drugs, lab test results, photos, care and treatment notes);
  • Billing, claims, and payment details (including account numbers, claim numbers, billing codes, financial and banking details, payment cards, amounts paid, and balance due); and/or
  • Other personal data like driver’s license numbers, Social Security numbers, state ID numbers, or passport numbers.

The notice shares a few measures that the impacted persons can take to safeguard themselves against the improper use of their data. More information is available at changecybersupport.com or by calling the toll-free number 1-866-262-5342, Monday to Friday, 8 a.m. to 8 p.m. CT.

Change Healthcare has been providing free identity theft protection and credit monitoring services to the impacted persons for two years, although it is not required for HIPAA certification. An affiliate of the BlackCat ransomware group was behind the attack and likely kept a copy of the stolen data. The defunct BlackCat ransomware group operator likely kept a copy as well. The RansomHub ransomware group also claimed to have a copy of the stolen data. Considering the gravity of this security incident, all affected individuals should sign up for the free credit monitoring and identity theft services right away and get help at http://changecybersupport.com or by calling (888) 846-4705.

Several state attorneys general have released breach notifications and urged state residents to sign up for the services immediately to safeguard themselves against identity theft and fraud. Other precautionary measures that all Americans should undertake include:

  • Keep track of explanation of benefits statements provided by health plans and file a report in case of any problems
  • Review financial accounts and credit card statements and promptly report any unauthorized transactions
  • Report any criminal offenses to local regulatory authorities and submit a police report
  • Watch out for these signs of prospective fraud:
      • Refusal of insurance coverage because of wrong pre-existing conditions
      • Notices from medical insurance companies about reaching the benefit limit
      • Charges for healthcare services that were not received
      • Notices from debt collection firms regarding debts that do not belong to them
      • Notices of medical debt collection for services that were not received


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter
