Change Healthcare is one of the largest health payment processing companies in the world, working with a variety of hospitals, medical centers and pharmacies to manage patient data and billing. The company oversees an estimated 15 billion medical claims annually, the Committee on Energy and Commerce reports.
Multiple VERIFY readers, including Robert and Cynthia, reached out to ask if the company had a data breach and whether letters sent in the mail about the breach were legitimate.
THE QUESTION
Are Change Healthcare data breach letters real?
THE SOURCES
- Change Healthcare
- U.S. Department of Health and Human Services
- American Medical Association
- The Committee on Energy and Commerce
- A survey conducted in March 2024 by the American Hospital Association
THE ANSWER
Yes, Change Healthcare data breach letters are real.
WHAT WE FOUND
Letters about a Change Healthcare data breach are real. The company is sending out notices by mail as it investigates who was affected, and to what extent, by a cybersecurity attack it faced in February. Change Healthcare estimates that a significant number of people in America were impacted, and those affected are receiving letters on a rolling basis.
Change Healthcare says it became aware of a cyberattack on Feb. 21, 2024. The company notified people of the data breach on April 22, 2024, after investigations began. The healthcare payment company says it began sending out letters to notify those affected in July.
VERIFY reviewed a copy of a letter sent to a reader and found the details about the data breach matched up with the details on the official Change Healthcare website. The letter also provides recipients with a contact phone number for additional questions. This number, 1-866-262-5342, matches up with the contact number provided on Change Healthcare’s data breach notice.
The letter also sends recipients to changecybersupport.com, which directs people to an official website run by UnitedHealth Group, of which Change Healthcare is a part.
Those affected by the data breach may have had their health insurance information, medical records, billing data or personal information, like Social Security or ID numbers, accessed without authorization, Change Healthcare says.
Change Healthcare had access to this information because its systems are used to process billions of health insurance claims annually. Insurance programs that have used Change Healthcare systems include US Family Health Plan and Medicare.
The U.S. Department of Health and Human Services also confirmed the cybersecurity incident, adding that the Office for Civil Rights has launched an investigation looking into the company’s compliance with Health Insurance Portability and Accountability Act (HIPAA) rules.
HIPAA restricts the release of private medical information without someone’s consent. Health insurance companies, health care providers and health care clearinghouses are among the entities required to follow HIPAA regulations.
While Change Healthcare has not given a specific number of individuals affected, the company says a “substantial proportion of people in America” may have been impacted and are currently being notified by mail.
The cyberattack that occurred in February resulted in disruptions at hospitals and medical centers, as payments could not be processed while the system was down, the Committee on Energy and Commerce says.
Many medical centers also reported issues verifying patient eligibility and benefits, according to the American Medical Association.
A survey of 1,000 hospitals conducted in March 2024 by the American Hospital Association found that 74% of hospitals reported the cyberattack impacted patient care, and 94% reported financial impacts.
After becoming aware of the breach, Change Healthcare says it shut down its servers and launched an investigation. The company says it also “reinforced its policies and practices and implemented additional safeguards in an effort to prevent similar incidents from occurring in the future.”
In the aftermath of the breach, Change Healthcare is providing customers two years of credit monitoring for free. It also recommends customers monitor their medical and banking statements for any unexplained activity.
Several lawsuits have been filed in relation to the breach, and they are currently being consolidated in the United States District Court for the Middle District of Tennessee.