NH Affected By Health Data Cyberattack Involving Much Of U.S.

NEW HAMPSHIRE — 'A substantial portion of Americans,' including New Hampshire residents, are likely affected by a health information data breach after a cybercriminal gained access to the Change Healthcare computer system, according to the company.

"Change Healthcare provides services to health care providers, health insurance plans and other companies, from which individuals may have received health services or health insurance," the company explained. "Because Change Healthcare works as a vendor to health care providers or health insurance plans, personal information, including health information, has been impacted in this incident."

The attack was confirmed on Feb. 21, after which Change Healthcare was able to confirm that "a substantial quantity of data" that could cover "a substantial proportion of people in America" had been compromised between Feb. 17 and Feb. 20.

The company has identified certain customers whose members' or patients' data was involved and will begin reaching out to those customers on June 20. The data is still under review and additional impacted customers might be identified, Change Healthcare added.

While the company said it cannot confirm exactly what data has been affected for each impacted person, they said that it may have included the following:

• Contact information such as first and last name, address, date of birth, phone number, and email
• Health insurance information such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers
• Health information such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment, billing, claims and payment information such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due
• Personal information like Social Security numbers, driver’s licenses or state ID numbers, and passport numbers

In a joint letter to the company in April, 22 state attorney generals, including New Hampshire Attorney General John M. Formella, wrote to "express our concern with UnitedHealth Group Inc. subsidiary Change Healthcare’s response to the lengthy disconnection and subsequent limited restoration of its platform services as a result of a cyberattack."

"This data breach is deeply concerning," Formella said Tuesday. "Thousands of healthcare providers, pharmacies, and insurers rely on Change Healthcare's services, making the exposure of sensitive health and personal data to cybercriminals a significant threat to public trust and security."

Formella added that the delay in notifying affected individuals is "unacceptable."

"Alongside my counterparts from across the country, I have called upon UnitedHealth Group to take swift and meaningful action to protect those impacted and prevent future breaches," he said.

Change Healthcare said that anyone who believes their information may have been impacted can enroll in two years of complimentary credit monitoring and identity protection services, the cost of which the company will cover for two years.

For more information, see Change Healthcare's announcement.