Hackers made off with Social Security numbers, credit card information, medical histories and more in the February cyberattack on a UnitedHealth Group subsidiary, the company disclosed Thursday.
The Minnetonka-based health care behemoth revealed greater detail on the type of consumer data compromised and a timeline for contacting those affected in a filing to the U.S. Department of Health and Human Services and a news release.
As many as one-third of Americans may have had some or all of that data swiped, but a full picture of who was affected and in what way is still not available. The company said it will begin sending out notices to affected customers Thursday, but it could take until late July for individuals to begin receiving notice.
“While the data review is in its late stages, we continue to provide credit monitoring and identity theft protection to people concerned about their data potentially being impacted,” Change Healthcare said in a statement.
UnitedHealth, the state’s largest company and the nation’s largest health insurer, acquired Change Healthcare in late 2022. CEO Andrew Witty told lawmakers last month the company was still in the process of upgrading security when the ransomware attack happened.
UnitedHealth paid a $22 million ransom to resolve the hack, but it left a long trail of disruption across the U.S. health care system.
Change Healthcare processes 15 billion health care transactions annually, according to the federal government, and is involved in one in every three patient records. The payment system was shut down in the wake of the attack and froze payments to health care organizations around the country, affecting patient access to medications and services.
“To all those impacted, let me be clear: I’m deeply, deeply sorry,” Witty said at a congressional grilling in May.
Thursday’s disclosure marks “the next step in the process” toward providing full notice, Change Healthcare said.
The updated HIPAA notice said some health care customers will soon be notified that their members or patients were affected in order to direct them toward assistance.
“CHC plans to send direct notice (written letters) at the conclusion of the data review, as required, to affected individuals identified,” the filing said. “The mailing process is expected to begin in late July as CHC completes quality assurance procedures.”
The company recommends keeping an eye on bank and credit card statements, medical bills and credit reports and filing a police report if a crime is suspected.
___
© 2024 StarTribune
Distributed by Tribune Content Agency, LLC.
