Breach Notification , HIPAA/HITECH , Security Operations

Change Healthcare Begins to Notify Clients Affected by Hack

The Company Will Start Notifying Individuals Affected by the Breach in Late July
Change Healthcare Begins to Notify Clients Affected by Hack
Change Healthcare, a unit of UnitedHealth Group's Optum, has begun to notify customers whose data was compromised in the company's February ransomware attack. (Image: Change Healthcare)

Change Healthcare says it has begun to notify customers whose data was compromised in a February ransomware attack that affected scores of healthcare providers, health insurance plans and other organizations.

See Also: Enterprise Browser Supporting Healthcare, Cyber Resilience

The company will begin to notify affected individuals in late July, it said. Notices to affected customers started going out on Thursday.

A February ransomware attack against the medical billing intermediary, which handles about 6% of all U.S healthcare system payments, caused major disruptions for U.S. healthcare providers. The company, a subsidiary of UnitedHealth Group, paid a $22 million ransom to Russian-speaking ransomware group Alphv, aka BlackCat, after it stole about 6 terabytes of data (see: UnitedHealth Group Previews Massive Change Healthcare Breach).

Change Healthcare said it cannot confirm exactly what data has been affected for each individual involved, but information compromised by hackers included:

  • Contact information - such as first and last name, address, birthdate, phone number and email address;
  • Health insurance information - such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payer ID numbers;
  • Health information - such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment;
  • Billing, claims and payment information - such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due;
  • Other personal information, including Social Security numbers, driver's license or state ID numbers, and passport numbers. 

The company said individuals "should be on the lookout and regularly monitor the explanation of benefits statements received from their health plan and statements from health care providers, as well as bank and credit card statements, credit reports, and tax returns, to check for any unfamiliar activity."

Ransomware hackers obtained access to company data by using stolen credentials to access a company Citrix remote access service not protected by multifactor authentication.

United HealthGroup did not immediately respond to an inquiry about the number of customers being notified and the estimated number of individuals affected.

Company CEO Andrew Witty testified before two congressional committees last month and said that up to one-third of the U.S. population might be affected by the incident (see: Lawmakers Grill UnitedHealth CEO on Change Healthcare Attack).

UnitedHealth Group in a statement to Information Security Media Group said Change Healthcare has completed a review of over 90% of the affected files and continues to see no evidence that materials such as doctors' charts or full medical histories were exfiltrated from its systems.

'Rolling' Notification

Regulatory attorney Sara Goldstein of the law firm BakerHostetler told ISMG that of the over 100 clients the firm is representing, only about 15% or so have received an update from Change Healthcare on the data review. "I anticipate that updates will be provided on a rolling basis," she said.

"Some customers were told that, to date, based on its ongoing data review, CHC has not found any of their PHI. This does not mean that they are 'out of the woods,' as the data review is still in progress," she said.

Other customers were told that their protected health information was affected, and the update from Change Healthcare constitutes notice of a breach, starting the 60-day clock for HIPAA notification to individuals, she said.

For customers that have PHI involved, Change Healthcare said it will provide notifications on their behalf, unless the customer opts out by July 8, she said.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.