Change Healthcare notifies patients their medical records may have been taken in breach
Change Healthcare has posted its required HIPAA notification to alert patients whose data was taken by hackers during the February ransomware attack on its systems. In the notice, the company said protected medical records were stolen, but it “cannot confirm exactly what data has been affected for each impacted individual.”
Exposed data includes provider details, patient names, prescription information, diagnoses, test results and medical images, along with care delivery and treatment details. Additionally, the notice said, medical record numbers and health plan details may also be in the hands of cybercriminals.
In a previous statement released in April, Change Healthcare said it had “not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.” However, a posting on the dark web a few days prior had listed medical and dental records as part of a Change Healthcare data trove offered for sale.
In the post, the hackers also alleged they had personal health information on “active military/Navy personnel” along with thousands of source code files from Change Healthcare’s systems.
Change Healthcare and its parent company UnitedHealth Group have been investigating the extent of the breach, which they admitted would take months to sort out. This latest notice confirms the investigation is still ongoing.
Change Healthcare also said patients may have had their detailed contact information exposed to cybercriminals, including Social Security numbers and details from driver's licenses and passports.
The company has begun sending notifications to impacted patients, who will all be offered identity protection services as recompense. Patients are advised to take a close look to ensure their medical bills are correct and to report any abnormalities on benefits statements to their health plans or providers.
An estimated third of all Americans likely had their data exposed in the breach, the company has previously stated. During a hearing on the Senate floor, UnitedHealth Group CEO Andrew Witty said the hack and subsequent ransomware attack were the result of a server that lacked multifactor authentication.
As the parent company of Change Healthcare, UnitedHealth has taken responsibility for sending HIPAA notifications to patients whose data was exposed during the breach.