One year later, UnitedHealth still sending breach notices from massive hack at Change Healthcare

A UnitedHealth Group subsidiary is still mailing data breach notices to patients one year after a massive cyberattack at the company’s Change Healthcare business that affected roughly 1 in 2 Americans.

The Minnesota Star Tribune reviewed a notice received Monday by a patient in the Twin Cities, whose letter said the breach “may have involved your data.” The notice is largely the same as what patients started receiving last summer.

It’s not clear how many Minnesotans were affected, but data from Google Analytics suggest a recent surge in website searches across the state related to Change Healthcare. A company spokesman did not say how many notices are being distributed this month.

Eden Prairie-based UnitedHealth Group first disclosed the cyberattack on Feb. 22, 2024. In January, the company said the impact from the hack was much wider than previously understood, affecting roughly 190 million patients — up from previous estimates of about 100 million people.

“Mailings have been ongoing and will continue to go out to help ensure notification,” UnitedHealth Group said in a Monday statement.

The breach notice says the data that may have been seen and taken includes patient contact information, plus information ranging from health plan ID numbers and patient diagnoses to Social Security numbers.

UnitedHealth Group is offering free credit monitoring and identity protection services.

“On February 21, 2024, [Change Healthcare] found activity in our computer system that happened without our permission,” the notice says. “We quickly took steps to stop that activity. … On March 7, 2024, we learned a cybercriminal was able to see and take copies of some data in our computer system.”

Despite antitrust concerns at the time, UnitedHealth Group’s Optum division for health care services acquired Change Healthcare for about $13 billion in 2022.

The cyberattack disrupted pharmacies and much of the nation’s health care system because, in order to contain the threat, UnitedHealth Group had to shut down a widely used data clearinghouse for processing claims. The system handles the medical claims of many insurers, not just the company’s UnitedHealthcare unit.

UnitedHealth Group says it has since repaired the affected systems at Change Healthcare.

In December, the attorney general in Nebraska sued the company, saying the cyberattack could have been prevented. Meanwhile, lawsuits filed by dozens of patients and health care providers alleging negligence, unjust enrichment and consumer protection claims have been consolidated in a multidistrict litigation proceeding in the U.S. District Court of Minnesota.

Defendants named in the lawsuits include UnitedHealth Group, Change Healthcare and Optum.

“In light of defendants' anticipated motion to dismiss, the court finds there is good cause to delay the entry of a pretrial scheduling order,” U.S. District Judge Donovan Frank wrote in a Feb. 19 notice to attorneys.

The Federal Trade Commission offers advice for people affected by a data breach at IdentityTheft.gov/databreach. Credit bureaus such as Experian also offer detailed advice on how to respond.

UnitedHealth Group is offering free credit monitoring and identity protection services through IDX. To enroll, people can use the link at changecybersupport.com or call toll-free 888-846-4705. For additional support from Change Healthcare, consumers can call toll-free 866-262-5342.