Policyholder communications in the wake of UnitedHealth cyberbreach

The cyberattack may have affected 'a substantial proportion of people in America.'

Change Healthcare expects to start mailing paper notices to the people affected by its cyberbreach in late July. (Credit: Majed/Adobe Stock)

Communicating with impacted parties in the aftermath of a cybersecurity event is essential to business-reputation protection as well as regulatory compliance.

UnitedHealth’s Change Healthcare subsidiary said recently that it has started to notify people who may have been affected by a massive ransomware attack that hit its information systems in late February 2024.

In April, Change Healthcare suggested that the attack may have affected “a substantial proportion of people in America.”

Change Healthcare did not provide a new estimate for how many people will be on the breach notice list, but it has “identified certain customers whose members’ or patients’ data was involved in the incident,” according to an official attack notice posted Thursday.

Change expects to start mailing paper notices to the people affected in late July.

UnitedHealth acquired Change Healthcare, a large information clearinghouse for medical, insurance and prescription information, in 2022. Because Change Healthcare provided information services for so many health care system players, the attack ended up crippling operations at many hospitals and physician practices for weeks.

Although Change Healthcare “does not yet know the full extent of data impacted by individual and related covered entity customer, for purposes of individual notice, it is notifying those impacted customers it has identified so they can take action,” the company said.

For some customers, the records stolen may have included Social Security numbers, driver’s license numbers and passport ID numbers.

Change Healthcare “continues to see no evidence that materials such as doctors’ charts or full medical histories were exfiltrated from its systems,” the company said.

The company is offering to pay for two years of credit monitoring and identity theft protection services from IDX for people affected by the attack.

Sen. Marsha Blackburn, R-Tenn., and Sen. Maggie Hassan, D-N.H., note that they asked UnitedHealth CEO Andrew Witty earlier this month to provide breach notices by June 21, and that Witty had testified at a House hearing May 1 that the breach may have exposed the data of about one-third of all Americans.

Blackburn and Hassan said they are glad that the company has now posted a breach notice.

But the company “should have done this months ago,” the senators said.
