Change Healthcare is beginning the process of notifying a “substantial proportion” of Americans that their private information, such as Social Security numbers and medical diagnoses, was compromised in the cyberattack that brought portions of the U.S. health care system to a halt earlier this year.
On Thursday, Change will begin to notify health care providers, insurance companies, and other customers that their patients’ data was stolen in the company’s February cyberattack, the company said in a statement. Change, a unit of UnitedHealth Group, plans to send letters to individual patients starting in late July.
Change Healthcare is a “clearinghouse” that helps shuttle insurance claims, approvals, benefits information, payments, and other transactions between health care providers and insurers. The organization is central to the U.S. health care system, as it processes around 15 billion transactions worth $1.5 trillion each year. When the company’s system went offline earlier this year, health care providers faced serious cash flow problems and patients struggled to pay for prescriptions. Some of its systems have yet to be restored.
Change also provided the fullest accounting yet of information that may have been stolen in the attack. The company said patients’ names, birth dates, and contact info were likely taken. It said other info that may have been compromised includes health insurance information, diagnoses, prescriptions, test results, diagnostic images, financial and banking information, account numbers, billing codes, state ID numbers, passport numbers, and Social Security numbers.
The company reported that it has evaluated 90% of the files that were stolen and has not seen evidence that patients’ full medical histories were taken.
The company did not say how many organizations it’s notifying or how many people are affected, beyond reiterating that the breach affected “a substantial proportion of people in America.” Andrew Witty, the CEO of Change Healthcare parent company UnitedHealth, ballparked the number at around “a third” of all Americans when he was grilled in front of Congress at the beginning of May.
Change said it will take responsibility for notifying patients about the data breach, unless the patient’s provider or insurer decides to do so instead. Health care provider groups complained about uncertainty over whether they would be liable for making notifications for Change’s incident, even after the Department of Health and Human Services announced at the end of May that Change would be legally allowed to notify patients.
Senators Maggie Hassan (D-N.H.) and Marsha Blackburn (R-Tenn.) recently demanded that the company commit to taking responsibility for notifying patients about the data breach. In a letter to Witty, they asked that the notifications be sent no later than June 21.
The lawmakers also accused Change Healthcare of being in violation of HIPAA rules around reporting data breaches to the government and impacted parties within 60 days of discovering the breach. The HHS Office of Civil Rights told STAT it was not able to comment on whether it had received a notification from Change because it has an ongoing investigation of the case.
Change said that it may not be able to notify some people whose data was compromised, because it doesn’t have their address.
Change and UnitedHealth have set up a website and call center where people who believe they were affected can set up free credit monitoring for two years and get support from “trained clinicians.” In the Congressional hearing, Sen. Ron Wyden (D-Ore.) called this the “thoughts and prayers of data breaches” and “absolutely inefficient.”
The Medicare program in the past week announced that it is extending the deadline for providers and insurers to submit information related to disputes over surprise bills because of disruption stemming from the cyberattack, as well as ending its advanced payment loan program for Medicare providers affected by the cyberattack. The agency said that it issued nearly $3.3 billion through the program and had already been paid back for 96% of that, due to providers and suppliers being able to successfully bill Medicare.