Summary: Change Healthcare is notifying customers about a criminal cyberattack affecting PHI, offering two years of complimentary credit monitoring and identity theft protection to those potentially impacted.

Key Takeaways:

  • CHC has completed a review of over 90% of impacted files, finding no evidence of exfiltrated doctors’ charts or full medical histories.
  • Direct notices will be sent in late July to individuals identified as affected, with CHC covering the cost of credit monitoring and identity theft protection services.

Change Healthcare (CHC) is providing notice about a criminal cyberattack on its systems involving the protected health information (PHI) of a substantial proportion of Americans.

Review of Impacted Files

CHC has completed a review of over 90% of the impacted files and continues to see no evidence that materials such as doctors’ charts or full medical histories were exfiltrated. Individuals concerned that their information may have been impacted can enroll in two years of complimentary credit monitoring and identity theft protection services, which CHC will cover.

Discovery and Response

On February 21, 2024, CHC became aware of the ransomware deployment. CHC took steps to stop the activity, disconnected systems to prevent further impact, began an investigation, and contacted law enforcement. The security team worked with top security experts to address the matter and ensure it did not spread beyond CHC.

Although the data review is in its late stages, CHC has identified certain customers whose members’ or patients’ data was involved. On June 20, 2024, CHC began notifying those customers. While the full extent of data impacted is not yet known, CHC is notifying impacted customers so they can take action and share information with potentially affected individuals.

Individual Notifications

CHC is assuming responsibility for making individual notifications on behalf of impacted customers who do not opt out of CHC’s notifications process. The information involved may have included contact information, health insurance details, health information, billing, claims and payment information, and other personal information such as Social Security numbers and driver’s licenses.

CHC plans to send direct notices (written letters) to affected individuals for whom it has sufficient addresses, starting in late July, upon completion of quality assurance procedures.

CHC expressed regret for any inconvenience or concern caused by this incident and provided the notice to help individuals understand what happened. They reminded individuals of steps they can take to protect their privacy, including enrolling in two years of complimentary credit monitoring and identity theft protection services if concerned their information may have been impacted.