Change Healthcare: Patient Data Exposed In Breach Includes Medical Diagnoses, Test Results, Prescriptions

The medical data exposed in the cyberattack earlier this year may have included ‘diagnoses, medicines, test results, images, care and treatment,’ according to Change Healthcare.

Change Healthcare disclosed that it now believes sensitive patient medical data was exposed in the widely felt cyberattack earlier this year, as the UnitedHealth-owned company said it is preparing to notify impacted customers.

Medical data stolen during the attack may have included “diagnoses, medicines, test results, images, care and treatment,” according to a data breach notification posted Thursday by Change Healthcare.

[Related: Analysis: Change Healthcare Attack Shows What Happens When Cybersecurity Is Ignored In M&A]

The company said in the posting that it “has identified certain customers whose members’ or patients’ data was involved in the incident,” and that notifications to impacted customers were set to begin Thursday.

UnitedHealth said in late April that data belonging to a “substantial proportion” of Americans may have been stolen in the attack against prescription processor Change Healthcare, a unit of the insurer’s Optum subsidiary. During testimony at a U.S. House Of Representatives hearing on May 1, UnitedHealth Group CEO Andrew Witty said that “maybe a third” of all Americans were impacted in the attack.

In response to an inquiry from CRN Friday about the number of individuals who are expected to receive notifications, Change Healthcare did not specify a figure.

“Given we are in the late stages of the complex investigation Change continues to confirm the impacted data could cover a substantial proportion of people in America,” the company said in the statement provided to CRN. “This is why Change moved to issue the substitute notification via release yesterday soonest given the scale and complexity of the cyber attack on Change.”

In the notification posted Thursday, Change Healthcare for the first time disclosed the types of patient medical data potentially stolen by cybercriminals in the attack.

“While CHC cannot confirm exactly what data has been affected for each impacted individual, information involved for affected individuals may have included contact information” as well as numerous other types of sensitive data, the company said.

In addition to medical information such as diagnoses, providers, prescriptions, test results and treatments, the data may have included health insurance information; claims, billing and payment data; and “other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers,” Change Healthcare said.

“The information that may have been involved will not be the same for every impacted individual,” the company said in the disclosure, noting that it has still “not yet seen full medical histories appear in the data review.”

The disclosure is connected to HIPAA (the Health Insurance Portability and Accountability Act of 1996) rules, Change Healthcare said.

The notice “contains the information CHC can provide at this time while CHC continues working through data review to identify affected individuals,” the company said in the posting Thursday.

Change Healthcare is planning to “mail written letters at the conclusion of data review to affected individuals for whom CHC has a sufficient address,” the company said. The mailing process “is expected to begin in late July as CHC completes quality assurance procedures,” the company said.

The disclosure indicates a further worsening of the impact from the February ransomware attack and theft of data from Change Healthcare.

First disclosed Feb. 22, the Change Healthcare attack caused massive disruption in the U.S. health care system for weeks. The IT system shutdown initiated in response to the ransomware attack prevented many pharmacies and hospitals, as well as other health-care facilities and offices, from processing claims and receiving payments.

The Russian-speaking cybercriminal group known by the names of Blackcat and Alphv claimed responsibility for the ransomware attack. Witty confirmed in his Congressional testimony in May that UnitedHealth paid a $22 million ransom following the attack.

Subsequently, a different cybercriminal gang, known as RansomHub, posted data it claimed was stolen from Change Healthcare. The claim of stolen data had previously prompted the Department of Health and Human Services to launch an investigation into the incident in connection with HIPAA rules.