What to Know About the Change Healthcare Data Breach
More than 100 million people have been notified by Change Healthcare that their personal and medical information may have been stolen in a data breach, according to a filing the company made with the U.S. Department of Health and Human Services.
In May, the CEO of Change Healthcare’s parent company, UnitedHealth Group, said in testimony before the Senate Finance Committee that the data of a “substantial proportion of people in America” could have been exposed. However, the company didn’t specify the number of individuals impacted until its recent filing with HHS. With 100 million Americans impacted, the breach is the largest exposure of medical data in the U.S.
How the Change Healthcare breach happened
Change Healthcare, which processes payments and claims for health providers and insurance plans, discovered that cybercriminal group ALPHV/BlackCat had deployed a ransomware attack inside Change Healthcare’s computer system on February 21, 2024, according to UnitedHealth Group CEO Andrew Witty's Senate testimony. The attack prevented the company from accessing its system and disrupted healthcare and billing information systems nationwide.
UnitedHealth Group paid ALPHV/BlackCat a $22 million ransom to secure the data, but the group took the money without returning the stolen data, according to Forbes.
On March 7, the company confirmed that a large amount of data had been extracted. On April 22, it confirmed that the impacted data could cover a large portion of people in the U.S., according to UnitedHealth Group. Change Healthcare then began notifying individuals who were affected in late July.
What data was exposed
In letters to affected individuals, Change Healthcare said that the following information was exposed:
- Health insurance data, such as insurance plan member and group ID numbers and Medicare and Medicaid ID numbers
- Health data, such as medical record numbers, diagnoses, medicines, test results and treatment
- Billing, insurance claims and payment data, including financial and banking information
- Personal data, such as Social Security numbers, driver’s license numbers and other ID numbers
How the data could be exploited
The exposed information could be used in a variety of ways by the cybercriminals or by others who purchase it.
- Identity theft: Personal information such as Social Security numbers can be used to steal people’s identities and open fraudulent accounts, claim government benefits, create fake IDs or file tax returns in their names.
- Medical identity theft: Thieves can use insurance information that was stolen to get medical care, buy prescription drugs, buy medical devices or submit fraudulent claims with insurance providers.
- Financial fraud: Payment information that was exposed could be used for fraudulent transactions or to take over people’s financial accounts.
- Targeted scams: Thieves could use the personal information stolen to target individuals by phone, email or mail with fake offers to protect their data or with messages related to their health care to prompt them to provide more information or payments.
How to protect yourself after the Change Healthcare breach
Take these steps immediately to reduce the risk of becoming a victim of identity theft and financial fraud following the Change Healthcare data breach. Even if your personal information wasn’t exposed in this breach, putting these protections in place now can help if future breaches impact you.
Be on the lookout for medical fraud. Pay close attention to insurance Explanation of Benefits statements and medical bills for treatment you didn’t receive. Alert your health insurance provider to any fraudulent claims that have been filed using your information. If thieves use your Medicare information, you must contact the Medicare fraud office.
Freeze your credit reports. Contact all three credit bureaus—Equifax, Experian and TransUnion—to place a security freeze on your credit reports. This will prevent identity thieves from opening new lines of credit in your name.
Sign up for account, credit and identity monitoring. Change Healthcare is offering credit and identity monitoring to those impacted by the breach. However, you should consider a more comprehensive monitoring service such as Carefull, which provides 24/7 monitoring of bank, credit card and investment accounts, credit reports and identity to alert you to signs of fraud and misuse of your personal information. Plus, Carefull includes up to $1 million in identity theft insurance coverage.
Create a my Social Security account. If criminals get your Social Security number and other personal information, they may be able to set up a my Social Security account in your name if you haven’t done so already. Visit SSA.gov/myaccount/ to create a free account to view and manage your benefits online.
Watch for signs of identity theft. Even with the protections above in place, remain vigilant for red flags that someone is misusing your identity—such as strange bills, missing bills, and rejected or missing tax refunds.
If you discover that your identity is stolen, report it to local law enforcement and get a copy of the report. You also can report it to the Federal Trade Commission at IdentityTheft.gov and get a customized action plan to repair the damage.