United Healthcare breach may affect 45% of U.S. population; victims to start getting notices

Victims of a massive data breach involving the United Healthcare Group/Change Healthcare prescription claims systems are this week receiving the first official notice from the groups.

UnitedHealth had more than 152 million customers at the time of the Feb. 17-20 data breach, which means about 45% of Americans have been affected.

Change Healthcare allows insurers to communicate electronically with doctors' offices and pharmacies.

"Change Healthcare is committed to notifying potentially impacted individuals as quickly as possible, on a rolling basis, given the volume and complexity of the data involved," the company said in a statement.

United Healthcare disclosed the cyberattack on Change on Feb. 23 — two days after the hacking was halted.

UnitedHealthcare said it isolated and disconnected the impacted systems "immediately upon detection" of the threat, but doing so interrupted pharmacy services, payment platforms and medical claims processes.

In April, the insurer confirmed it paid an undisclosed amount to resolve the hacking incident.

Some groups that track significant cybercurrency exchanges reported that $22 million was transferred to an entity known to be associated with Blackcat. BlackCat disrupted crucial operations across the U.S. health-care system during the cyberattack, including Novant Health Inc. and GoodRX that offers discount prescription coupons.

Change used the notice to provide its version of how the data breach occurred, as well as lay out what data was accessed.

The group said the hacking took place from Feb. 17-20. It became aware March 7 that a "cybercriminal was able to see and take copies of some data in our computer systems."

Typical of recent data breaches, the information accessed included: patient name, address, date of birth, phone number, as well as the potential for health insurance data, patient medical records, billing and payment data, and personal identification, such as Social Security, driver's license and state identification cards.

"The data that may have been seen and taken was not the same for everyone," Change said, "Some of this data may be about the person who paid the bill for healthcare services."

Change is offering up to two years of credit monitoring and identity protection services. Consumers can sign up by calling 866-262-5342 or at changecybersupport.com. The call center will not be able to provide any specifics on individual data impact.

What consumers can do

Lisa Plaggemier, executive director of the National Cybersecurity Alliance, said consumers can take steps to reduce their exposure to data breaches.

"While there's no need for consumers to regularly update their passwords, it's crucial to do so when they've been involved in a breach like this one," Plaggemier said.

"They should also change their password on any other account where they've used the same or similar password to the one on their AT&T account, a practice that should be followed during any data breach.

"Enabling multi-factor authentication whenever possible adds an extra layer of security as well."

Plaggemier said regularly monitoring financial statements and credit reports for any suspicious activity "can also help individuals detect and respond to potential breaches promptly."

"Furthermore, freezing their credit with the credit bureaus is a proactive measure to prevent unauthorized access to their credit information and can provide added security in the event of a data breach," she said.