Massachusetts, New Hampshire warn victims after Change Healthcare cyberattack leaks ‘sensitive health and personal data’

Massachusetts and New Hampshire officials are taking steps to notify and provide resources to victims who were left in the dark after an unprecedented Change Healthcare cyberattack may have left their personal and health information exposed on the dark web last February.

Change Healthcare, owned by the nation’s largest insurer UnitedHealth Group, revealed that a cyberattack in February interrupted thousands of doctor’s offices, hospitals and pharmacies and may impact up to one-third of all Americans following the attack. The unprecedent breach reportedly led to victims’ personal and health information being leaked to the dark web, where it can be bought and used by cybercriminals.

Change Healthcare has yet to provide any letters or emails to consumers impacted, the Massachusetts Attorney General’s Office said Tuesday, going against precedent for this kind of cyberattack.

“Despite the magnitude of this breach, the delay in notifying affected individuals is unacceptable,”  said New Hampshire Attorney General John Formella. “Alongside my counterparts from across the country, I have called upon UnitedHealth Group to take swift and meaningful action to protect those impacted and prevent future breaches.”

Massachusetts and New Hampshire’s AGs, along with other states, are notifying impacted individuals directly and directing victims to resources — including an important offer from Change Healthcare.

All residents who believe they may have been impacted by the breach are eligible for free credit monitoring and identity theft protection for two years through Change Healthcare. Information on the breach and resources, a dedicated call line and links to set up the free credit monitoring and identity theft protection are available on the UnitedHealth Group’s Change Healthcare consumer support webpage.

The company has not fully released how many consumers were effected, and the website and call line are not able to let individuals know if their data was impacted.

Warning signs that someone has stolen your medical information include, the AGs listed: receiving bills from doctors for services you didn’t receive; errors in Explanation of Benefits statement; debt collector calls or debt collection notices about medical debt you do not owe; inaccurate notices from your health insurance company about reaching your benefit limit; being denied insurance because of nonexistent pre-existing conditions.

Formella noted it is “crucial that individuals remain vigilant and monitor any suspicious activity related to their medical or financial information.”

Residents who believe they may have been impacted may also consider freezing their credit, the AGs said.