UnitedHealth's Change Healthcare unit begins sending breach notices

The notices could go to a "substantial proportion of people in America" who may have been affected by the massive ransomware attack on Feb. 21.


UnitedHealth’s Change Healthcare subsidiary said Thursday that it has started notifying people who may have been affected by a massive ransomware attack that hit its information systems Feb. 21.

In April, Change suggested that the attack may have affected “a substantial proportion of people in America.”

Change did not provide a new estimate for how many people will be on the breach notice list, but it has “identified certain customers whose members’ or patients’ data was involved in the incident,” according to an official attack notice posted Thursday.

Change expects to start mailing paper notices to the people affected in late July.

UnitedHealth acquired Change, a large information clearinghouse for medical, insurance and prescription information, in 2022. Because Change provided information services for so many health care system players, the attack ended up crippling operations at many hospitals and physician practices for weeks.

Although Change “does not yet know the full extent of data impacted by individual and related covered entity customer, for purposes of individual notice, it is notifying those impacted customers it has identified so they can take action,” the company said.


For some customers, the records stolen may have included Social Security numbers, driver’s license numbers and passport ID numbers.

Change “continues to see no evidence that materials such as doctors’ charts or full medical histories were exfiltrated from its systems,” the company said.

The company is offering to pay for two years of credit monitoring and identity theft protection services from IDX for people affected by the attack.

Sen. Marsha Blackburn, R-Tenn., and Sen. Maggie Hassan, D-N.H., noted that they asked UnitedHealth CEO Andrew Witty earlier this month to provide breach notices by June 21, and that Witty had testified at a House hearing May 1 that the breach may have exposed the data of about one-third of all Americans.

Blackburn and Hassan said they are glad that the company has now posted a breach notice.

But the company “should have done this months ago,” the senators said.