Breach Notification , Fraud Management & Cybercrime , Healthcare
Change Healthcare Begins to Notify Millions Affected by Hack
IT Services Vendor Is Sending Individual Letters to Victims on a Rolling BasisMillions of Americans will soon receive a breach notification letter from Change Healthcare, which said on Monday that it has started the process of notifying victims of the massive cyberattack and data theft first detected more than five months ago.
See Also: Gartner Guide for Digital Forensics and Incident Response
The company in an updated frequently asked questions section about the cyber incident posted on its website on Monday said it does not have a date when specific sets of individuals will receive notifications but that the mailing began on July 29.
"Change Healthcare is committed to notifying potentially impacted individuals as quickly as possible, given the volume and complexity of the data involved. Please note, we may not have sufficient addresses for all affected individuals," the company said.
On Tuesday, the U.S. Department of Health and Human Services' Office for Civil Rights posted Change Healthcare's breach report to the agency's HIPAA Breach Reporting Tool website, saying the company's report was filed on July 19 as a hacking incident affecting 500 individuals.*
"Change Healthcare is still determining the number of individuals affected. The posting on the HHS Breach Portal will be amended if Change Healthcare amends the total number of individuals affected by this breach," HHS OCR said in a statement. "HIPAA breach reports filed on the HHS Breach Portal may be amended as the breach report form allows a filer to file an initial breach report or an addendum to a previous report," HHS OCR said.
"The data review is in its final stages, but we have analyzed a sufficient amount of data to start notifying," a Change Healthcare spokesman told Information Security Media Group. "Change Healthcare is committed to notifying potentially impacted individuals as quickly as possible given the volume and complexity of the data involved."
"Rather than waiting until the end of our data review, Change Healthcare is continuing to offer free credit monitoring and identity theft protection to anyone concerned their data may have been impacted."
On June 20, Change Healthcare posted a substitute HIPAA breach notice on its website for organizations and individuals affected by the hacking incident, saying that it expected to send written notifications in late July. Change Healthcare last month began notifying clients whose data was affected in the incident (see: Change Healthcare Begins to Notify Clients Affected by Hack).
Change Healthcare on Monday advised affected clients to prominently post the company's substitute HIPAA breach notice on the home page of their websites for at least 90 consecutive days. "This substitute notice contains the information Change Healthcare can provide at this time while Change Healthcare is in its late stages of data review to identify affected individuals."
Historic Breach
Five months have passed since the massive Feb. 21 cyberattack on Change Healthcare shut down more than 100 IT services for weeks, disrupting business and clinical processes of thousands of doctors, pharmacies and medical practices.
Russian-speaking ransomware cybercriminals BlackCat, aka AlphV, claimed responsibility for the attack, and the company admits that it paid the attackers a $22 million ransom. BlackCat claimed on the dark web to have stolen 4 terabytes of patient data (see: A Second Gang Shakes Down UnitedHealth Group for Ransom).
Change Healthcare has offered to handle breach notification for clients affected by the incident, so it is unclear how many individuals breach reports will be filed to HHS OCR related to the incident.
HHS OCR previously issued updated guidance regarding the Change Healthcare incident and breach reporting (see: Feds Say Change Healthcare Can Handle Breach Notification).
UHG CEO Andrew Witty testified in May to two congressional committees that the incident was estimated to have affected the protected health information of up to one-third of the American population - or more than 100 million people (see: Lawmakers Grill UnitedHealth CEO on Change Healthcare Attack).
In an unusual move, HHS OCR in March announced that it was already investigating the Change Healthcare data breach and the HIPAA compliance of Change Healthcare and its parent company, UnitedHealth Group (see: Feds Launch Investigation Into Change Healthcare Attack).
Typically, HHS OCR does not begin a breach investigation until a HIPAA breach or complaint has been filed. HHS OCR Director Melanie Fontes Rainer during an ISMG Healthcare Cybersecurity Summit fireside chat in New York on July 18 told attendees that the historic nature of the Change Healthcare cyberattack warranted the agency's earlier regulatory action. The incident by far is expected to result in the nation's largest health data breach notification event to date.
Change Healthcare on its website said that while the company’s data analysis is ongoing, affected information involved may include information such as name, address, birthdate, phone number and email, and health insurance information such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
Also affected was health information, such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment, billing, and claims and payment information, such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made and balance due.
Other personal information - such as Social Security numbers, driver's licenses or state ID numbers, or passport numbers - is also potentially affected. Not all individuals have the same variety of information compromised, the company said.
Update on July 30, 2024 UTC 21:29 to reflect Change Healthcare's breach report being posted to HHS OCR's breach reporting website.