United Health Group has provided its final total number of individuals affected in this past year's massive data breach of its Change Healthcare payments clearinghouse: 192.7 million.
That's a lot more people than the company's initial estimate – almost double.
WHY IT MATTERS
The investigation and response related to the February 2024 Change Healthcare cyber incident – which disrupted patient care delivery and claims processing for months across the United States – are largely coming to a close, according to UHG.
The payer said in a July 31 letter that it had completed its review of the data, determined the scope of the incident, and finished mailing written notification letters to affected individuals.
In sending a final update on the status of the patient data breach notification process to states, such as New Hampshire, UHG described the challenges the company faced in reaching all individuals.
"Change Healthcare and its vendors have made reasonable best efforts to deduplicate individuals included in the numbers being provided today," the company said in its letter.
"However, despite those efforts, complete deduplication was not feasible."
About 1.3 million of the individuals affected by the incident were connected with healthcare organizations that did not delegate the breach notification responsibility to Change, UHG said. The letter indicates that approximately 1,252 of those individuals reside in New Hampshire.
Also on July 31, Change Healthcare updated its online HIPAA notice related to the attack with information that the incident call center, which opened June 20, 2024, will be closing Aug. 26. That will be the last day affected individuals can enroll in UHG's complimentary credit monitoring and identity protection services.
"The review of personal information potentially involved in this incident is substantially complete," UHG said in the notice.
THE LARGER TREND
Change Healthcare, which processes approximately 15 billion claim transactions for hundreds of thousands of physicians, pharmacies and others, was attacked by the BlackCat ransomware group.
In the aftermath, UHG had previously sent progress updates to states like New Hampshire on the status of patient notification letters, including those on behalf of clients who had delegated their notification responsibilities to Change.
When lawmakers grilled former UHG CEO Andrew Witty within weeks of the attack, he said that the infiltration occurred in Change's oldest systems, which were not yet updated with multifactor authentication.
He also admitted that Change paid a $22 million Bitcoin ransom after the attack, and pledged to upgrade its subsidiary with cloud-based security.
Witty was back before lawmakers in December, defending UHG against a backlash of consumer complaints against claims denials following the fatal shooting of UnitedHealthcare executive Brian Thompson at an investors conference in New York City.
ON THE RECORD
"Change Healthcare has been mailing written letters on a rolling basis to potentially impacted data owners for whom Change Healthcare has sufficient address information," UHG said in the letter. "This notifications process is now complete."
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.
