The Weekly Breach Breakdown Podcast by ITRC - Doctor Change - S5E35

Show Transcript

Welcome to the Identity Theft Resource Center's (ITRC’s) Weekly Breach Breakdown for November 15, 2024. I'm Alex Achten, Director of Communications & Media Relations of the ITRC. Thanks to Sentilink for supporting the ITRC and this podcast. Each week, we look at the most recent events and trends related to data security and privacy. Today, we will provide you with an update on the Change Healthcare data breach.

Do we have any Marvel fans who listen to the podcast? If so, you know the 2016 film “Doctor Strange,” a 2016 American superhero film based on the Marvel Comics character of the same name, neurosurgeon Doctor Stephen Strange. 

I could not help but think of the movie while preparing for this podcast to give you the latest on the Change Healthcare data breach, which has not had a victim count for eight months. While there is no direct correlation between the movie and this breach, the title of this Weekly Breach Breakdown must be “Doctor Change.” Let’s get into all the new information.

We begin by rewinding to February. If you remember, we told you about a ransomware attack and data breach at UnitedHealth Group’s Change Healthcare. Change Healthcare is a health payment processing company that works on billing and insurance for many health systems, including hospitals, medical offices and pharmacies. 

In late February, Change Healthcare said “a substantial quantity of data” was taken from them, including payment details, insurance records and other sensitive personal information. It led to significant disruptions in healthcare, including problems with approvals, reimbursements and payment systems. Kiplinger reported that the disruptions were due to the company shutting down specific access to try to stop the attack. The Change Healthcare data breach led to many questions, most notably, who was impacted.

Change Healthcare notified the Department of Health and Human Services’ Office for Civil Rights (OCR) about the cyberattack using a placeholder estimate of 500 affected individuals, as the investigation was ongoing when the breach report was submitted on July 19. An updated Change Healthcare data breach report has been provided to OCR, confirming that approximately 100 million individual notification letters have been mailed. 

According to The HIPAA Journal, OCR is investigating Change Healthcare to determine whether the company was fully compliant with the HIPAA Rules before the ransomware attack. However, it could take months to years before the outcome of that investigation is known.

The Change Healthcare data breach continues to unfold, and the ITRC will bring you any new details as they arise in our newsletters and 2024 Annual Data Breach Report, which will be released in January 2025. In the meantime, if you get a Change Healthcare data breach notice, follow the advice in the notice, watch for phishing attempts that claim to be from Change Healthcare, freeze your credit, use long and unique passphrases or passkeys, and implement multifactor authentication, when possible.

If you want to know more about how to protect your business or personal information or think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, via text message, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for their support of the ITRC and this podcast. If you missed it last week, check out the latest episode of our sister podcast, the Fraudian Slip, where ITRC CEO Eva Velasquez and COO James E. Lee discuss the findings in our 2024 Consumer & Business Impact Report. The report’s findings highlight significant changes in cyber habits from consumers and small businesses and how identity misuse, data breaches and cyberattacks impact them. You can download the report by visiting www.idtheftcenter.org/publications. 

We will return next week with another episode of the Weekly Breach Breakdown. I'm Alex Achten. Until then, thanks for listening.