Change Healthcare Notice to Impacted Customers

What happened?
On February 21, 2024, CHC became aware of deployment of ransomware in its computer system. Once discovered, CHC quickly took steps to stop the activity, disconnected and turned off systems to prevent further impact, began an investigation, and contacted law enforcement. CHC’s security team worked around the clock with several top security experts to address the matter and understand what happened. CHC has not identified evidence this incident spread beyond CHC.

CHC retained leading cybersecurity and data analysis experts to assist in the investigation, which began on February 21, 2024. On March 7, 2024, CHC was able to confirm that a substantial quantity of data had been exfiltrated from its environment between February 17, 2024, and February 20, 2024. On March 13, 2024, CHC obtained a dataset of exfiltrated files that was safe to investigate. On April 22, 2024, following further analysis, CHC confirmed that the impacted data was likely to affect a substantial proportion of people in America.

How was my data affected?
CHC conducted an extensive review of the data to identify specific covered entities and specific individuals impacted by this security incident. Based on the data review, CHC has determined that your patients’ or members’ PHI has been affected by the incident.

What patient or member PHI/PII was potentially impacted?
While CHC cannot confirm exactly what data has been affected for each specific individual, based on its review, information involved for your affected patients and members may have included contact information (such as first and last name, address, date of birth, phone number, and email) and one or more of the following:

· Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);

· Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);

· Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or

· Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.

The information that may have been involved was not the same for every impacted individual. Also, some of this information may have related to guarantors who paid bills for health care services.

Here are some steps individuals can take to protect themselves:

· Any individual concerned that their information may have been impacted by this incident can enroll in two years of complimentary credit monitoring and identity protection services. CHC is paying for the cost of these services for two years.

· Individuals should be on the lookout and regularly monitor the explanation of benefits statements received from their health plan and statements from health care providers, as well as bank and credit card statements, credit reports, and tax returns, to check for any unfamiliar activity.

· If individuals notice any health care services they did not receive listed on an explanation of benefits statement, they should contact their health plan or doctor.

· If individuals notice any suspicious activity on bank or credit card statements or on tax returns, they should immediately contact their financial institution and/or credit card company or relevant agency.

· If an individual believes they are the victim of a crime, they can contact local law enforcement authorities and file a police report.

What has Change Healthcare done about it?
CHC worked around the clock from the day of the ransomware deployment and has devoted significant resources to the response and restoration efforts, as well as retained several expert forensic firms to analyze the impacted data. However, rather than waiting to complete this review, CHC has already been providing free credit monitoring and identity theft protection services for two years to any U.S. individual who is concerned they may have been impacted, along with a dedicated call center staffed by clinicians to provide additional support services. Individuals may also visit https://www.unitedhealthgroup.com/ns/health-data-breach.html for more information.

Privacy and security are our priorities. In response to this incident, CHC immediately took action to shut down systems and sever connectivity to prevent further impact. CHC has also reinforced its policies and practices and evaluated additional safeguards in an effort to prevent similar incidents from occurring in the future. Change Healthcare, along with leading external industry experts, continues to monitor the internet and dark web.

On June 20, 2024, CHC began providing notice to customers for whom the data review has matched specific individuals’ PHI to that customer as the covered entity or business associate. CHC is committed to compliance with legal obligations in relation to this incident as well as reducing the burden on its customers. CHC has been in ongoing discussions with the OCR regarding this incident. While substitute notice was previously discussed with the OCR, the OCR also emphasized the need for individual letters to be sent directly where there is sufficient address information to impacted individuals. To reduce the burden on impacted customers, CHC will validate addresses and will draft and send direct notice letters as required to those individuals identified through data review attributable to specific customers and for whom CHC has sufficient addresses, on behalf of impacted covered entity customers — unless those customers opt out by the specific deadline.

What if I have a question?
CHC has established a dedicated customer call center to offer additional resources and information regarding the incident. If you have any questions or concerns, please call us toll-free at 1-866-674-1298, available Monday through Friday, 8 a.m. to 8 p.m. CT.

CHC regrets any inconvenience or concern caused by this incident, and we value your partnership.

Thank you for your support as this matter is resolved.

Sincerely,

Mitch Granberg
Chief Privacy Officer