Change Healthcare Data Breach Affects 100 Million Americans

Unsplash | Published: November 21, 2024

What To Do If You Got a Change Healthcare Data Breach Notice

Consumers are reporting receiving data breach notices from Change Healthcare and United Health Group, in one of the biggest medical data breach attacks in United States history. A Russian hacker group claimed that they were able to extort $22 million from UnitedHealth Group, and to steal the medical information and sensitive data such as medical history and social security numbers from nearly 100 million Americans.

In February 2024, Change Healthcare, a healthcare technology company owned by UnitedHealth Group, fell victim to a devastating cyberattack that has since been revealed as the largest known breach of protected health information in U.S. history. The incident, which began on February 21, 2024, has affected approximately 100 million individuals and much of their medical personally identifiable information. Change Healthcare's parent, UnitedHealth Group, the biggest U.S. healthcare insurance company.

What is Change Healthcare (CHC)?

Change Healthcare processes 15 billion healthcare transactions annually for providers with services that directly affect patient care such as eligibility verifications, pharmacy operations, claims transmittals, and payments. In addition to leaking extremely protected patient information, the data breach resulted in massive bottlenecks that disrupted hospitals, clinics and doctors offices from providing services and prevented some doctors from receiving compensation.

Which Data Did Change Healthcare Compromise?

The compromised data varies for each individual affected but is stated as potentially including:

• Contact information (name, address, date of birth, phone number, email)
• Health insurance data (health plans/policies, insurance companies, member/group ID numbers)
• Health data (medical record numbers, doctors, diagnoses, medicines, test results)
• Billing and payment information
• Personal data (Social Security numbers, driver's license numbers)

Change Healthcare Disruption to Medical Services

The breach has caused significant disruptions across the healthcare sector. Change Healthcare's CEO, Andrew Witty, testified to Congress in May that the breach exposed sensitive data for what could be a "substantial proportion of people in America". Change Healthcare began notifying affected individuals by mail in late July 2024, with notifications continuing on a rolling basis. Change Healthcare came under fire by Congress for taking too long to notify the public about the data breach and ransomware attack. The company has offered free online credit monitoring and identity restoration services through IDX for two years to those affected.

As of February 2025, Change Healthcare announced that its clearinghouse services have been fully restored, nine months after the initial attack. However, some services, such as MedRx pharmacy electronic claims for medical service and Clinical Exchange, are still only partially fixed.

How is Change Healthcare Responding to the Data Breach?

To mitigate the financial impact on healthcare providers, UnitedHealth Group established a Temporary Funding Assistance Program, providing approximately $8.5 billion in loans. As of October 15, 2024, around $3.2 billion of these loans had been repaid.

Change Healthcare included information in their data breach notices about free credit monitoring and identity restoration services offered through IDX for two years. CHC also recommended the following steps to mitigate or prevent further damage to consumers:

• Obtaining free credit reports regularly to check for any irregular credit activity using your stolen identity, credentials, or financial information
• Consider placing a fraud alert or security freeze on your credit as an added protective measure
• Changing passwords for potentially compromised accounts

Change Healthcare Data Breach Notice Sent Out

Change Healthcare has sent millions of consumers data breach notices by mail that their sensitive personal financial and medical data was compromised in the cyberattack that began on February 21, 2024.

The notices were sent out on a rolling basis, with some New Yorkers receiving them as late as October 2024, even though the attack was in February 2024. It is also very important to verify the legitimacy of these notices through official sources before taking action.

Change Healthcare Class Action Settlement?

Historically, many medical data breaches have resulted in multi-million dollar class action lawsuits to compensate affected individuals. The Equifax data breach class action settlement recently sent a second round of payments to millions of qualified class action claimants who filed valid claim forms on time.

Since the Change Healthcare data breach has resulted in the compromise of sensitive personal and health information, including contact details, health insurance data, medical records, and financial information, it is possible that Change Healthcare may face class action lawsuits filed in the future, but as of now, there is no confirmed information about such lawsuits. Make sure to check back here regularly for updates.

While a class action lawsuit has not yet been filed, there are several ongoing investigations and potential legal challenges stemming from the massive impact of the Change Healthcare data breach:

This extensive data exposure could potentially lead to legal action by affected individuals. While a class action lawsuit is not explicitly mentioned, the search results indicate that there are ongoing investigations and potential legal challenges related to the breach:

• The Office for Civil Rights has opened an investigation into Change Healthcare and some of its business associates governed by HIPAA.

• The Department of Health and Human Services' Office for Civil Rights is investigating to determine whether Change Healthcare was fully compliant with HIPAA rules prior to the attack.

• The U.S. Congress, specifically, Senators Ron Wyden and Mark Warner, are pushing for major reforms, including removing the cap on financial penalties for HIPAA violations and introducing potential jail time for CEOs who misrepresent their companies' cybersecurity measures to the federal government.

How Do I Find Class Action Settlements?

Find all the latest class actions you can qualify for by getting notified of new lawsuits as soon as they are open to claims:

Other Data Breaches: Data Breach Lawsuits

Learn More

Filing Class Action Settlement Claims

Please note that your claim form will be rejected if you submit a settlement claim for payout with any fraudulent information. By providing this information and your sworn statement of its veracity, you agree to do so under the penalty of perjury. You would also be harming others that actually qualify for the class action settlement. If you are not sure whether or not you qualify for this class action settlement, visit the class action administrator's website below. OpenClassActions.com is only providing information and is not a class action administrator or a law firm. OpenClassActions is a participant in the Amazon affiliate advertising program and this post may contain affiliate links, which means we may earn a commission or fees if you make a purchase via those links.

For more class actions keep scrolling below.