Yes, the Change Healthcare data breach letter is real (2024)

Change Healthcare is one of the largest health payment processing companies in the world, working with a variety of hospitals, medical centers and pharmacies to manage patient data and billing. The company oversees an estimated 15 billion medical claims annually, the Committee on Energy and Commerce reports.

Multiple VERIFY readers, including Robert and Cynthia, reached out to ask if the company had a data breach and whether letters sent in the mail about the breach were legitimate.

THE QUESTION

Are Change Healthcare data breach letters real?

THE SOURCES

THE ANSWER

Yes, Change Healthcare data breach letters are real.

WHAT WE FOUND

Letters about a Change Healthcare data breach are real. The company is sending out notices by mail as it investigates who is affected and to what extent by a cybersecurity attack it faced in February. Change Healthcare estimates that a significant amount of people in America were impacted, and those affected are receiving letters on a rolling basis.

Change Healthcare says it became aware of a cyberattack on Feb. 21, 2024. The company notified people of the data breach on April 22, 2024 after investigations began. The healthcare payment company says it began sending out letters to notify those affected in July.

VERIFY reviewed a copy of a letter sent to a reader and found the details about the data breach matched up with the details on the official Change Healthcare website. The letter also provides recipients with a contact phone number for additional questions. This number, 1-866-262-5342, matches up with the contact number provided on Change Healthcare’s data breach notice.

The letter also sends recipients to changecybersupport.com, which directs people to an official website run by Unitedhealth Group, which Change Healthcare is a part of.

Those affected by the data breach may have had their health insurance information, medical records, billing data or personal information, like Social Security or ID numbers, accessed without authorization, Change Healthcare says.

HIPAA restricts the release of private medical information without someone’s consent. Health insurance companies, health care providers and health care clearinghouses are among the entities required to follow HIPAA regulations.

While Change Healthcare has not given a specific number of individuals affected, the company says a “substantial proportion of people in America” may have been impacted and are currently being notified by mail.

The cyberattack that occurred in February resulted in disruptions at hospitals and medical centers, as payments were not able to be processed while the system was down, the Committee on Energy and Commerce says.

Many medical centers also reported issues verifying patient eligibility and benefits, according to the American Medical Association.

A survey of 1,000 hospitals conducted in March 2024 by the American Hospital Association found that 74% of hospitals reported the cyberattack impacted patient care, and 94% reported financial impacts.

After becoming aware of the breach, Change Healthcare says it shut down its servers and launched an investigation. The company says it also “reinforced its policies and practices and implemented additional safeguards in an effort to prevent similar incidents from occurring in the future.”

In the aftermath of the breach, Change Healthcare is providing customers two years of credit monitoring for free. It also recommends customers monitor their medical and banking statements for any unexplained activity.

Several lawsuits have been filed in relation to the breach, and they are currently being consolidated in the United States District Court for the Middle District of Tennessee.