Attorney General Bonta Shares Resources for Consumers Following the Change Healthcare Cyberattack

Change Healthcare is offering free credit monitoring and identity theft protections for two years to those impacted by the breach 

OAKLAND — California Attorney General Rob Bonta today issued a consumer alert sharing consumer protection resources and raising awareness about the availability of free credit monitoring and identity theft protection services following Change Healthcare’s February data breach. In April, Attorney General Bonta joined 22 attorneys general in sending a letter to UnitedHealth Group, Inc. — the nation’s largest healthcare company and the parent company of Change Healthcare — urging the corporation to take more meaningful action to better protect providers, pharmacies, and patients harmed by the recent breach.

“The cyberattack against Change Healthcare put the personal information of far too many consumers at risk,” said Attorney General Bonta. “Alongside attorneys general across the country, I urge California consumers to take advantage of the resources available to protect them from identity theft and more, including by enrolling in the two years of free credit monitoring and identity theft protections. My office is committed to protecting the rights of patients and consumers, including those affected by data breaches.”

Change Healthcare, a unit of UnitedHealth, is the nation’s biggest electronic data clearinghouse. Change Healthcare's technological infrastructure is used by tens of thousands of providers, pharmacies, and insurers to verify insurance, confirm pre-authorization of procedures or services, exchange insurance claim data, and perform other administrative tasks essential to the delivery of health care.

The February cyberattack against Change Healthcare interrupted operations for thousands of doctors’ offices, hospitals, and pharmacies. It also resulted in many Americans’ sensitive health and personal data being leaked onto the dark web — a hidden portion of the Internet where cyber criminals buy, sell, and track personal information. The actual number and identity of affected patients are currently unknown.

UnitedHealth has publicly stated that the data breach could impact up to a third of all Americans. Typically, when there is a data breach impacting California residents, consumers receive an individualized letter or email if their data was impacted. However, Change Healthcare has not yet provided individual notice to consumers. Given the significant impact of the breach, and since Change Healthcare has not yet provided notice to individuals who were affected, the safest course of action is for everyone to take advantage of the free resources that are available. Change Healthcare is offering free credit monitoring and identity theft protections for two years from  a company called IDX . These free resources are available to all California residents who believe they may have been impacted by the cyberattack. They also set up a dedicated website and call center to assist consumers. The website and call center will not be able to provide individuals details about whether their data was impacted, but can guide them through setting up free credit monitoring and identity theft protections.

• To enroll in credit monitoring and identity theft protections through IDX use the link at changecybersupport.com or call 1-888-846-4705.

• For additional support from Change Healthcare call 1-866-262-5342.

Consumers should be aware of potential warning signs that someone is using their medical information. The signs include:

• A bill from their doctor for services they did not receive;
• Errors in their Explanation of Benefits statement, like services they never received or prescription medications they do not take;
• A call from a debt collector about a medical debt they do not owe;
• Medical debt collection notices on their credit report that they do not recognize;
• A notice from their health insurance company indicating they have reached their benefit limit; or
• A denial of insurance coverage because their medical records show a pre-existing condition they do not have.

If consumers are concerned that their data may have been impacted but prefer not to use the free resources provided by Change Healthcare, they can also consider:

A credit freeze prevents creditors—such as banks or lenders—from accessing individual’s credit reports. This will stop identity thieves from taking out new loans or credit cards in consumer’s names because creditors will not approve their loans or credit requests if they cannot first access their credit reports. By law, a credit bureau must allow you to place, temporarily lift, or remove a credit freeze for free.  

When consumers freeze their credit with each bureau, the bureaus will send them a personal identification number. The consumers can then use that PIN to unfreeze their credit if they want to apply for a loan or credit card. Consumers can also use the PIN to freeze their credit again after they have applied for loans or a new credit card.

Individuals will have to freeze their credit with each bureau: Experian, Equifax and TransUnion.

Attorney General Bonta joined a bipartisan group of attorneys general from across the country in sharing these consumer protection resources.