It’s about 11 months after Change Healthcare’s network breach that resulted in the theft of data of approximately 100 million people, and encryption of files using ransomware. On January 14, 2025, Change Healthcare released information that the review of the affected information is “substantially complete.”
Change Healthcare has been steadily issuing notification letters to clients. The first set of notification letters was sent on June 20, 2024, about four months after discovering the data breach. More notification letters were sent in August, September, November, and December 2024.
In the most recent update, Change Healthcare stated it doesn’t foresee that more customers will be identified as having been impacted. Then again, Change Healthcare is still mailing notification letters on behalf of customers who have assigned that task to Change Healthcare. This means some people are not yet informed about the theft of their sensitive data because of the incident. Change Healthcare stated it is still waiting for the go signal from a few affected clients about mailing the notification letters to them.
Change Healthcare reported that it strengthened its guidelines and procedures to further secure and avoid incidents later on. A third-party agency is checking the dark web to spot the exposure of the stolen information. The impacted people were provided free two-year credit monitoring services.
Before encrypting files using ransomware, substantial personal data and protected health information (PHI) was stolen on February 21, 2024. Despite having enough time to misuse the compromised information, Change Healthcare stated it does not have any information about the misuse of data.
Although Change Healthcare is giving updates, people impacted by the Change Healthcare data breach may find it difficult to obtain the notification letter on the internet, since Change Healthcare set it to “NoIndex”. That indicates search engines are directed to disregard the notice, therefore it will not show up in search engine listings. It is not clear why Change Healthcare did that. The breach report filed with the HHS’ Office for Civil Rights still indicates about 100,000,000 impacted people. Change Healthcare has not confirmed the actual number of impacted people.
From 2018 to date, OCR observed that large data breaches increased by 100% while large data breaches due to ransomware attacks increased by 264%. Therefore, OCR recommended updating the HIPAA Security Rule requiring HIPAA-covered entities to employ better safety measures to safeguard patient information, which include compulsory multifactor authentication. The ransomware group responsible for the Change Healthcare attack acquired access to the system via a Citrix portal with disabled multifactor authentication. In the case passed by OCR with the Trump Administration, the revised HIPAA Security Rule will help strengthen primary healthcare security and stop future big data breaches.