Change Healthcare Data Breach

Concord, NH – Attorney General John M. Formella announces that in February 2024, Change Healthcare, a unit of UnitedHealth, the nation’s largest electronic data clearinghouse, experienced a significant cyberattack.  Change Healthcare is the nation’s largest electronic data clearinghouse used by tens of thousands of providers, pharmacies, and insurers to verify insurance, confirm pre-authorization of procedures or services, exchange insurance claim data, and perform other administrative tasks essential to the delivery of health care.  

The February cyberattack interrupted operations for thousands of doctors’ office, hospitals, and pharmacies.  It also resulted in Americans’ sensitive health and personal data being leaked onto the dark web - a hidden portion of the internet where cyber criminals buy, sell, and track personal information. Although the actual number and identity of affected patients are currently unknown, Change Healthcare has publicly stated that the data breach could impact up to 1/3 of all Americans.  This was an unprecedented data breach.

Typically, when there is a data breach impacting New Hampshire residents, consumers receive an individualized letter or email if their data was impacted. However, Change Healthcare has not yet provided individual notice to consumers.  In April, Attorney General Formella joined other attorneys general in sending a letter to UnitedHealth Group, Inc. — the nation’s largest health insurer and the parent company of Change Healthcare — urging the corporation to take more meaningful action to better protect providers, pharmacies, and patients harmed by the recent breach.

Given the delay between the data breach and notification to those impacted, Attorney General Formella is publicizing not just the breach, but also resources, including the offer that Change Healthcare has provided to the public. Attorney General Formella is sharing consumer protection reminders and raising awareness about the availability of free credit monitoring and identity theft protection services following Change Healthcare’s February data breach. 

“This data breach is deeply concerning. Thousands of healthcare providers, pharmacies, and insurers rely on Change Healthcare's services, making the exposure of sensitive health and personal data to cybercriminals a significant threat to public trust and security. Despite the magnitude of this breach, the delay in notifying affected individuals is unacceptable. Alongside my counterparts from across the country, I have called upon UnitedHealth Group to take swift and meaningful action to protect those impacted and prevent future breaches,” said Attorney General Formella. “In the meantime, it is crucial that individuals remain vigilant and monitor any suspicious activity related to their medical or financial information. We will continue to advocate for consumer rights and hold accountable those responsible for this breach.”

Change Healthcare is offering all New Hampshire residents who believe they may have been impacted free credit monitoring and identity theft protections for two years. The dedicated website and call center will not be able to provide individuals details about whether their data was impacted but can guide them through getting set up for the free credit monitoring and identity theft protections.  Since Change Healthcare has not yet provided notice to individuals and the impact is very significant, the safest course of action is for everyone to assume that their information has been involved.  

•    For information visit Change Healthcare Consumer support page - UnitedHealth Group.
•    To enroll in credit monitoring through IDX use the link at: Change Healthcare Consumer support page - UnitedHealth Group or call 1-888-846-4705. 
•    For additional support from Change Healthcare call 1-866-262-5342. 

Consumers should be aware of potential warning signs that someone is using their medical information. The signs include: 

•    A bill from their doctor for services they did not receive. 
•    Errors in their Explanation of Benefits statement like services they never received or prescription medications they do not take. 
•    A call from a debt collector about a medical debt they do not owe. 
•    Medical debt collection notices on their credit report that they do not recognize. 
•    A notice from their health insurance company indicating they have reached their benefit limit; or 
•    They are denied insurance coverage because their medical records show a pre-existing condition they do not have. 
If consumers are concerned that their data may have been impacted but prefer not to use the free resources provided by Change Healthcare, they can also consider:

•    Freezing their credit.

A credit freeze prevents creditors—such as banks or lenders—from accessing individual’s credit reports. This will stop identity thieves from taking out new loans or credit cards in consumer’s names because creditors will not approve their loans or credit requests if they cannot first access their credit reports. By law, a credit bureau must allow you to place, temporarily lift, or remove a credit freeze for free.

When consumers freeze their credit with each bureau, the bureaus will send them a personal identification number. The consumers can then use that PIN to unfreeze their credit if they want to apply for a loan or credit card. Consumers can also use the PIN to freeze their credit again after they have applied for loans or a new credit card.

Individuals will have to freeze their credit with each bureau: Experian, Equifax, and TransUnion.

o    Equifax | https://www.equifax.com/personal/credit-report-services/credit-freeze/
    +1 (888) 766-0008

o    Experian | https://www.experian.com/freeze/center.html
    +1 (888) 397-3742

o    TransUnion | https://www.transunion.com/credit-freeze
    +1 (800) 680-7289

Cyberattacks in the healthcare sector have increased in both frequency and severity in recent years. Data breaches involving PHI are required to be reported to the U.S. Department of Health & Human Services - Office for Civil Rights (hhs.gov) by HIPAA-covered entities. Since the beginning of this year, the portal shows data breaches impacted the PHI of nearly 38 million individuals.

Joining Attorney General Formella in sharing these consumer protection resources is a bipartisan group of attorneys general from across the country.