Boston — The Massachusetts Attorney General’s Office (AGO) announced today that it is taking action to inform consumers who may have had their personal information breached in Change Healthcare’s unprecedented cyberattack this past February. Change Healthcare is owned by UnitedHealth Group, the nation’s largest health insurer.
In April, Attorney General Andrea Campbell joined other attorneys general in sending a letter to UnitedHealth Group, Inc. urging the corporation to take more meaningful action to better protect providers, pharmacies, and patients harmed by the recent breach.
Typically, when there is a data breach impacting Massachusetts residents, consumers receive an individualized letter or email if their data was impacted. However, Change Healthcare has not yet provided individual notice to consumers.
Change Healthcare has publicly stated that the data breach, which interrupted operations for thousands of doctor’s offices, hospitals, and pharmacies, could impact up to one-third of all Americans. It also resulted in Americans’ sensitive health and personal data being leaked onto the dark web—a hidden portion of the Internet where cyber criminals buy, sell, and track personal information.
Given the delay between the data breach and notification to those impacted, the Massachusetts Attorney General’s Office is publicizing not just the breach but also resources, including the offer that Change Healthcare has provided to the public.
Change Healthcare is offering all Massachusetts residents who believe they may have been impacted free credit monitoring and identity theft protections for two years. The dedicated website and call center can guide individuals through setting up free credit card monitoring and identity theft protections but will not be able to provide individuals with details about whether their data was impacted.
Because the actual number and identity of affected patients are not yet known, the AG’s Office encourages everyone to be aware of and utilize the following resources:
- Learn more about the cyberattack at Change Healthcare Consumer support page - UnitedHealth Group.
- Enroll in free credit monitoring through IDX at Change Healthcare Consumer support page - UnitedHealth Group or by calling 1-888-846-4705
Be aware of potential warning signs that someone is using their medical information. The signs include:
- Receiving a bill from their doctor for services they did not receive;
- Errors in their Explanation of Benefits statement like services they never received or prescription medications they do not take;
- Receiving a call from a debt collector about a medical debt they do not owe;
- Medical debt collection notices on their credit report that they do not recognize;
- Receiving a notice from their health insurance company indicating they have reached their benefit limit; or
- Being denied insurance coverage because their medical records show a pre-existing condition they do not have.
If consumers are concerned that their data may have been impacted but prefer not to use the free resources provided by Change Healthcare, they can also consider freezing their credit.
A credit freeze prevents potential creditors—such as banks or lenders—from accessing individual’s credit reports. This will stop identity thieves from taking out new loans or credit cards in consumer’s names because creditors will not approve their loans or credit requests if they cannot first access their credit reports. By law, a credit bureau must allow you to place, temporarily lift, or remove a credit freeze for free.
More information about how to place a credit freeze can be found on the AGO’s website: https://www.mass.gov/info-details/freeze-your-credit.
Change Healthcare is the nation’s biggest electronic data clearinghouse. Change Healthcare's technological infrastructure is used by tens of thousands of providers, pharmacies, and insurers to verify insurance, confirm pre-authorization of procedures or services, exchange insurance claim data, and perform other administrative tasks essential to delivering healthcare.
Cyberattacks in the healthcare sector have increased in both frequency and severity in recent years. Data breaches involving protected health information covered by HIPAA are required to be reported to the U.S. Department of Health & Human Services - Office for Civil Rights (hhs.gov), which maintains a portal of reported breaches. Since the beginning of this year, the portal shows data breaches impacted nearly 38 million individuals' protected health information.
Joining Massachusetts Attorney General Andrea Joy Campbell in sharing these consumer protection resources is a bipartisan group of attorneys general from across the country.