After completing an investigation into last February’s Change Healthcare data breach, the US Department of Health and Human Services confirmed yesterday that 100 million individuals were impacted. That makes it one of the largest breaches of medical and health data in US history, Reuters reports.
Change Healthcare, a UnitedHealth subsidiary and all-in-one health insurance technology provider that manages payments, claims processing and more, experienced a cyberattack by ransomware hacking group ALPHV, also known as “BlackCat.”
Impacted individuals are not limited to UnitedHealth policyholders. Change Healthcare, which works with many health insurance carriers, including Aetna, Anthem, Blue Cross Blue Shield and Cigna, has access to highly sensitive data of a massive quantity of users in the healthcare system.
Back in April, UnitedHealth said the data breach likely affected a “substantial proportion of people in America.” In May, UnitedHealth CEO Andrew Witty testified before Congress that the hacker group was able to obtain an employee’s login credentials. From there, the bad actors used the stolen credentials to log in to an application to remotely access desktops. The application didn’t have multifactor authentication enabled, Witty said.
During the same May hearing, Witty had warned that about one-third of Americans’ data may have been compromised in the cyberattack.
The attack disrupted medical services across the country, impacting medical claims processing, payment platforms and pharmacy network services.
What personal information was compromised?
While UnitedHealth can’t specify what data was compromised for each individual, a notice on its website said that the data could include Social Security and passport numbers, patient diagnoses, medical records, billing information and health insurance plan data.
UnitedHealth Group began notifying impacted individuals in July and has since sent notifications to 100 million people who were affected. If you received one of these notifications, your data might have been compromised. You can call 1-866-262-5342 for additional support.
If you didn’t receive a notification, be advised that Change Healthcare’s notice states: “Given the ongoing nature and complexity of the data review, agents will not be able to provide any specifics on individual data impacted at this time.”
What to do if your information was stolen in the Change Healthcare breach
Change Healthcare has a FAQ support page for people who may have been impacted by the breach. The company is offering IDX identity theft protection for up to two years. You can enroll on this page or call 1-888-846-4705 to sign up.
If the Change Healthcare breach impacted you, there are a number of other actions you should take to protect your identity:
✔️ Check your healthcare policy for any changes. If there are any errors or healthcare claims you don’t recognize, contact your health plan provider or your doctor’s office.
✔️ Check your credit reports. Review your credit reports regularly and look for unrecognized credit applications and new medical debt reports.
✔️ Monitor your bank accounts. The breach compromised billing and payment information, so monitor your credit and bank statements for suspicious activity.
✔️ Freeze your credit reports. Beyond just checking your credit reports, you might opt to freeze your credit reports with the three major credit bureaus, Equifax, Experian and Transunion. Putting a freeze on your credit prevents any new credit from being approved.
✔️ Sign up for identity theft services. After your two free years of IDX coverage expires, consider signing up for continued identity theft protection. These services can help monitor your bank and credit reports for you. They can also provide alerts when your data is found on the dark web as a result of future breaches. In the event your identity is stolen, identity theft services will provide insurance for any monetary expenses you might incur.