UnitedHealth Group’s Change Healthcare unit has uploaded a substitute data breach notice to its website about its February 2024 cyberattack and assured that affected individuals will start receiving emails of notification letters from July 20, 2024.
Change Healthcare, in its notice published this week, said the data review is in the late stages; however, it is possible that further individuals may still be identified as having been affected.
Change Healthcare Data Breach: Background and Context
The company has provided a detailed timeline of data leak events in its substitute notice. Change Healthcare explains that the intrusion was discovered on February 21, 2024. Hackers were able to access internal systems between February 17 and 20.
By March 7, Change Healthcare confirmed a significant amount of data was stolen from its network. Analysis of the stolen data was delayed until March 13, 2024, when Change Healthcare was able to secure a soft copy for review.
Initial investigations revealed that a substantial number of individuals in the United States were impacted. The total number affected has not been officially released but estimates suggest it could be as high as 1 in 3 Americans, potentially exceeding 110 million people.
The type of information exposed or stolen varies depending on the individual and may include some or all of the following:
- Health insurance details (like primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers)
- Health information (including medical record numbers, providers, diagnoses, medications, test results, images, care and treatment details)
- Billing, claims, and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due)
- Additional personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers
In certain instances, guarantor information was also compromised. The notice outlines steps affected individuals can take to safeguard themselves from potential misuse of their information.
Change Healthcare Offers Mandatory Mitigation Services
Change Healthcare is providing complimentary credit monitoring and identity theft protection services to affected individuals for a two-year period. The stolen data was obtained by an affiliate of the BlackCat ransomware group, who remain in possession of a copy.
Additionally, the operators of the now-defunct BlackCat ransomware group may also have a copy, and the RansomHub ransomware group has claimed to have acquired the data.
Since credit monitoring services are now available, and considering the possibility that 1 in 3 Americans may be affected, it is highly recommended that all US citizens sign up for these services immediately if they believe they may have been impacted. To register, visit http://changecybersupport.com or call (888) 846-4705.
Response to Change Healthcare Cyberattack
While the Change Healthcare cyberattack, did leave a notable dent in UnitedHealth Group’s earnings from operations, which included $872 million in adverse effects, the company’s adjusted earnings from operations remained resilient, excluding direct response costs attributed to the cyberattack.
As per the press release in April, In light of the cyberattack’s potential implications on claims receipt timing, UnitedHealth Group exercised prudence by allocating an additional $800 million towards claims reserves in the first quarter, reflecting a proactive approach to manage potential future impacts on its financial stability.
Looking beyond the immediate financial repercussions, UnitedHealth Group remains focused on maintaining consistent care patterns and supporting its care providers through accommodations necessitated by the cyberattack, as evidenced by a medical care ratio of 84.3% in the first quarter of 2024.
Despite the turbulence induced by the cyberattack on Change Healthcare, UnitedHealth Group reaffirmed its commitment to shareholder value by returning $4.8 billion through dividends and share repurchases in the first quarter.