Attorney General Michelle Henry has announced that free credit monitoring and identity theft protection services are available to Pennsylvanians affected by a February data breach involving Change Healthcare. The company, whose parent organization is UnitedHealth Group, experienced a significant cyberattack that compromised sensitive health and personal data.
Since the breach, Change Healthcare has not individually notified consumers about the exposure of their personal information or publicized the available resources. Attorney General Henry emphasized that all Pennsylvania residents who believe they may have been impacted can access two years of free credit monitoring and identity theft protections.
“This data breach affected an estimated millions of Americans, and for the company to stay silent and minimize the widespread consumer impact is totally unacceptable,” said Attorney General Henry. “The breach involved stolen sensitive information and data, so consumers should do what they can to protect themselves going forward by utilizing these free services.”
Change Healthcare stated that the unprecedented data breach could affect up to one-third of all Americans. The cyberattack disrupted operations for numerous doctors' offices, hospitals, and pharmacies while leaking Americans' sensitive health and personal data onto the dark web.
Change Healthcare serves as a major electronic data clearinghouse in the U.S., facilitating essential administrative tasks for healthcare delivery through its technological infrastructure used by tens of thousands of providers, pharmacies, and insurers.
In April, Attorney General Henry joined other Attorneys General in urging UnitedHealth Group to take more substantial measures to protect those harmed by the breach. Despite this call for action, Change Healthcare’s dedicated website and call center will not confirm whether an individual's data was breached but can assist with setting up free credit monitoring and identity theft protections.
Given Change Healthcare's lack of individual notifications and the significant impact of the breach, it is recommended that everyone assume their information may have been compromised. Consumers should remain vigilant for signs that their medical information is being misused.
For those preferring not to use Change Healthcare's provided resources, freezing their credit remains an option. Cyberattacks in the healthcare sector have seen a rise in both frequency and severity recently. Data breaches involving Protected Health Information (PHI) must be reported to the U.S. Department of Health & Human Services – Office for Civil Rights as required by HIPAA-covered entities. Since January 2024 alone, nearly 38 million individuals have been affected by such breaches.