You’ve probably already heard about the recent massive data breach that left the personal information of millions of Americans vulnerable to hacking groups and dark web marketplaces.
But this isn’t the only data breach to watch out for: Change Healthcare, a subsidiary of global healthcare giant UnitedHealth, suffered a major cyberattack earlier this year.
As a result, personal health information for about a third of Americans may have been exposed on the dark web, UnitedHealth CEO Andrew Whitty told the House Energy and Commerce Committee in May, and the company is gradually notifying affected people this summer.
This latest data breach follows breaches at Cashapp, Zelle and HCA Healthcare so far this year, as well as a national public data breach reported this month.
Here’s what you need to know about the Change Healthcare hack and how to best protect yourself.
What is Change Healthcare?
Change Healthcare is one of the largest healthcare payment processors in the world, powering billing and insurance processes for thousands of health systems, including over 50 hospitals, clinics and pharmacies across Wisconsin.
The company is also a clearinghouse that processes 15 billion medical claims each year, about 40% of all claims, according to the House Energy and Commerce Committee.
When and how did the Change Healthcare hack happen?
According to an official statement from Change Healthcare, the company became aware of the presence of ransomware (software that blocks access to a system until the owner pays a ransom to hackers) on its computer systems on February 21.
The following month, the company confirmed that a “substantial amount of data had been leaked” from its systems between February 17 and 20.
After calling Whitty to testify in May, the House Energy and Commerce Committee concluded that the hack occurred because the company had not implemented multi-factor authentication on one of its systems.
What information was stolen in the Change Healthcare hack?
Change Healthcare says it can’t confirm exactly what information was stolen for each affected person, but if you were affected, any of the following information may now be at risk:
- Contact and Personal Information (such as name, address, date of birth, Social Security Number, driver’s license or state ID or passport number, phone number, email)
- Health insurance information (e.g., primary, secondary, other health insurance/policies, insurance company, member/group ID number, Medicaid, Medicare, government payer ID number, etc.)
- Health Information (e.g., medical record number, healthcare provider, diagnosis, medications, test results, images, care, treatment)
- Billing, invoicing and payment information (such as billing numbers, account numbers, billing codes, payment cards, financial and banking information, amounts paid and balances due)
How to know if your information has been stolen
The best way to find out if your information was stolen is to keep an eye out for notifications from Change Healthcare. The company has been notifying people who may have been affected by the attack since June, including through written letters.
Change Healthcare also recommends monitoring your health and financial statements for any suspicious activity. Here are some reports to look out for:
- Explanation of benefits statement received from health insurance
- Statement from your healthcare provider
- Bank and credit card statements
- Credit Report
- Tax returns
What to do if your information is stolen?
If you believe your information has been stolen, there are several steps you can take, including some specifically recommended by Change Healthcare.
- Anyone who believes their information may have been affected by this incident can sign up for two years of free credit monitoring and identity protection services, and CHC will cover the cost of these services for two years.
- If you notice that you received medical services that were not listed on your statement of benefits, contact your health insurance or doctor to report it.
- If you notice any suspicious activity on your bank or credit card statement or tax return, contact your financial institution and credit card company immediately.
- If you believe you have been a victim of identity theft, you can report it to the Federal Trade Commission at identitytheft.gov.
more:Your identity and social security number could be stolen. Here’s what you need to know and what to do.
Should I freeze my credit?
One way to protect yourself against fraud is to freeze your credit, which limits access to your credit report, making it less likely that identity thieves will be able to open new accounts in your name.
To place a freeze, you’ll need to contact each of the three major credit reporting agencies online, by phone, or by mail. According to the U.S. General Services Administration, credit reports submitted by credit reporting agencies online or by phone must be frozen within one day. Freeze requests sent by mail must be fulfilled within three business days.
The freeze will remain in effect until you ask the credit bureau to temporarily lift or remove it. If you request the freeze to be lifted online or over the phone, it must be lifted within one hour, and if you request it by mail, it must be lifted within three business days.
Here’s how to contact each credit reporting agency:
Equifax
- online: Visit the Equifax Credit Freeze page.
- By phone: Call Equifax at 800-685-1111.
- By mail: Send your request to Equifax, PO Box 105788, Atlanta, GA 30348. Attach your name, address, Social Security number, and a copy of a document verifying your identity (such as a driver’s license, utility bill, or bank statement).
Experian
- online: Visit the Experian Credit Freeze page.
- By phone: Call Experian at 888-397-3742.
- By mail: Send your request to Experian Security Freeze, PO Box 9554, Allen, TX 75013. Include your name, address, Social Security number and proof of identification.
Trans Union
- online: Visit the TransUnion Credit Freeze page.
- By phone: Please call TransUnion at 888-909-8872.
- By mail: Send your request to TransUnion, PO Box 160, Woodlyn, PA 19094. Include your name, address, Social Security number, and proof of identification.
