State AGs urge consumers to use free credit monitoring from Change Healthcare

State attorneys general from Massachusetts, California, New York, Connecticut and several other states issued consumer alerts urging state residents to enroll in free credit monitoring and identity theft protection services if they believe they were impacted by the Change Healthcare cyberattack.

Change Healthcare estimated that approximately one-third of Americans were affected by the February 2024 cyberattack, which also disrupted operations at hospitals, pharmacies and independent practices nationwide.

UnitedHealth Group (UHG), which runs Change Healthcare, stated in late June that it had begun notifying affected entities of the data breach and would begin mailing breach notifications to individual cyberattack victims in late July on behalf of those entities.

The affected information varied by individual but may have included contact information, health insurance information, billing and claims information, medical record numbers, diagnoses, test results, Social Security numbers, and other personal information.

“Given the delay between the data breach and notification to those impacted, the Massachusetts Attorney General’s Office is publicizing not just the breach, but also resources, including the offer that Change Healthcare has provided to the public,” the Massachusetts Attorney General’s Office stated.

Since the number of affected individuals is not yet known, the Massachusetts attorney general encouraged all Massachusetts residents who believe they may have been impacted to take advantage of Change Healthcare’s offer of two free years of credit monitoring and identity theft protection services.

In Connecticut, Attorney General William Tong issued a similar notice.

“The Change Healthcare breach was one of the most significant breaches we have seen – impacting the entire healthcare delivery system, hospitals, providers, and patients alike. Nearly five months later, Change Healthcare has yet to provide necessary notice to impacted consumers,” Tong stated.

“Connecticut consumers cannot wait any longer to take protective steps. I strongly urge any Connecticut residents who may have been impacted to immediately take advantage of free credit monitoring and identity theft protections. I will continue to press for notice – individuals have a right to know if they have been impacted, how they were impacted, and what they can do.”

Several states issued similar consumer alerts to residents, encouraging them to use the free resources. Additionally, the state attorneys general urged consumers to be aware of potential warning signs that someone has used their medical information, such as a bill for medical services they did not receive or a call from a debt collector about medical debt they do not owe.

The state attorneys general also encouraged consumers to freeze their credit with the three major credit bureaus if they would prefer not to use Change Healthcare’s free services.

Meanwhile, Change Healthcare is gearing up to formally notify consumers of the data breach in July. The HHS Office for Civil Rights (OCR) confirmed that covered entities impacted by the cyberattack may delegate breach notification responsibilities to Change Healthcare.