Change Healthcare publishes data breach notice

Change Healthcare published a substitute data breach notice on its website to inform affected individuals of the breach that resulted from the February 2024 cyberattack against the company. Change has publicly stated that the cyberattack involved the data of approximately one-third of Americans.

Change Healthcare said that it would begin mailing written letters to affected individuals on June 20, once it completed its data review. Additional customers may be identified as impacted as the review continues.

The company provided a brief timeline of events in its substitute notice, which was published on its website. Although the cyberattack began on February 21, it was not until March 13 that Change was able to obtain a dataset of exfiltrated files that was safe to investigate.

On April 22, Change confirmed that the impacted data “could cover a substantial proportion of people in America.”

Letters will be delivered to impacted individuals if Change Healthcare was able to find their addresses. Otherwise, the substitute notice posted on the company’s website informs customers more generally so they can provide information to their patients, even if they have not been identified as impacted.

Change Healthcare identified the following information as being involved in the breach, though it varies by individual:

• Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
• Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
• Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
• Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.

Any individual who believes that their information has been impacted by the data breach can enroll in two years of complimentary credit monitoring and identity theft protection services. Ahead of the breach notice, state attorneys general encouraged consumers to take advantage of these free resources.

At the time of publication, the HHS Office for Civil Rights had not yet posted the number of individuals impacted by the Change Healthcare data breach on its breach portal.