Regulators across multiple U.S. states are alerting consumers to remain vigilant against identity theft and fraud due to a significant ransomware attack on Change Healthcare. The breach, which occurred in February, could potentially impact millions of patients as they await individual notifications from the company. Attorneys general from states such as California, Massachusetts, and New Hampshire have advised consumers to use the two years of free identity and credit monitoring offered by Change Healthcare while waiting for further information.
The delay in notifying affected individuals has frustrated state officials, who typically expect timely, individualized communication following such breaches. Massachusetts Attorney General Andrea Campbell highlighted that Change Healthcare has yet to provide personal notices to those impacted, which is a standard practice following breaches affecting state residents. The breach has compromised sensitive health and personal data, which is now reportedly being traded on the dark web.
Change Healthcare, which handles critical services for numerous healthcare entities, including hospitals and pharmacies, has faced criticism for its slow response. The company has announced that notifications to individuals will likely start in late July, while the data review process is still ongoing. This has led to further concerns and speculation about the extent of the breach and the company’s overall handling of the situation.
In response to the attack, which has been linked to the BlackCat ransomware group, UnitedHealth Group reportedly paid a $22 million ransom, though some stolen data was leaked by another group called RansomHub. The ongoing investigation by the Department of Health and Human Services and possible state-led actions reflect the gravity of the breach and its impact on the healthcare sector. UnitedHealth Group has declined to comment on the current status of notifications and investigation updates.
