Change Healthcare begins data breach notification process

UnitedHealth Group (UHG) has begun notifying affected entities of the Change Healthcare data breach and will begin mailing breach notifications to individual cyberattack victims in late July, the company stated in a June 20 media notice.

Change said it has completed a review of over 90% of impacted files and continues to see no evidence that full medical histories were exfiltrated from its systems during the cyberattack. Change explained that it only recently obtained a dataset that was safe to analyze, as its own systems were difficult to access during recovery.

Even though the data review is not yet complete, Change has begun notifying the customers it has identified as impacted as of June 20 so they can proactively respond.

As previously reported, the HHS Office for Civil Rights (OCR) affirmed that covered entities impacted by the Change Healthcare cyberattack may delegate breach notification responsibilities to Change Healthcare.

“Only one entity—which could be the covered entity itself or its business associate—needs to complete notifications to affected individuals, the HHS Secretary, and where applicable the media,” OCR said.

Change Healthcare’s latest update further confirmed that the company will make HIPAA and state attorney general notifications on behalf of victim entities unless those entities decide to opt out and handle the notifications themselves.

The affected information varied by individual but may have included contact information, health insurance information, billing and claims information, medical record numbers, diagnoses, test results, Social Security numbers, and other personal information.

Change offered two years of complimentary credit monitoring and identity theft protection services to victims and said that it reinforced its security and privacy policies in light of the incident.