Four months after a significant cyberattack forced its systems offline, a UnitedHealth subsidiary, Change Healthcare, has disclosed a major data breach. In a recent notification, Change Healthcare revealed that a “substantial quantity of data” was stolen, impacting a “substantial proportion of people in America.” Earlier this year, UnitedHealth’s CEO Andrew Witty estimated that “maybe a third” of all Americans might have been affected by the breach.
The breach notification highlights the severity of the situation. Change Healthcare stated, “While Change Healthcare cannot confirm exactly what data has been affected for each impacted individual, information involved for affected individuals may have included contact information (such as first and last name, address, date of birth, phone number, and email).” This means that millions of individuals could be at risk of identity theft and other forms of fraud.
The stolen data is not limited to basic contact information. CHANGE HEALTHCARE further explained that the data exfiltrated could include sensitive health insurance information, such as insurance plans, companies, Medicaid-Medicare-government payor ID numbers, and detailed health information like test results, diagnoses, and medical record numbers. Billing and claims information, which may include financial or banking information, balance and payments due, and account numbers, were also compromised. In addition, highly sensitive personal data, such as driver’s licenses and social security numbers, were potentially stolen.
Change Healthcare has acknowledged the complexity and breadth of the breach. “The information that may have been involved will not be the same for every impacted individual. To date, we have not yet seen full medical histories appear in the data review,” Change Healthcare said. This indicates that while some individuals might only have basic contact information exposed, others could have a more comprehensive set of their personal data compromised.
Moreover, Change Healthcare noted that the stolen information might also pertain to guarantors who paid healthcare bills on behalf of patients. “Also, some of this information may have related to guarantors who paid bills for healthcare services. A guarantor is the person who paid the bill for healthcare services,” the notification stated. This means that even individuals who are not direct patients of Change Healthcare but have financial ties to them could be affected.
Since June 20, Change Healthcare has been actively notifying its affected customers about the breach. The company is providing a link to the substitute notice for other customers to inform them of what happened. “The review of personal information potentially involved in this incident is in its late stages,” Change Healthcare said, indicating that they are nearing the end of their investigation into the breach.
In an effort to assist those impacted, Change Healthcare is taking steps to mitigate the damage caused by the breach. “Change Healthcare is providing this notice now to help individuals understand what happened, let them know that their information may have been impacted, and give them information on steps they can take to protect their privacy, including enrolling in two years of complimentary credit monitoring and identity theft protection services if they believe that their information may have been impacted.” This move aims to provide a level of protection for individuals as they navigate the potential fallout from the breach.
The CHANGE HEALTHCARE data breach is a stark reminder of the vulnerabilities in the healthcare sector’s cybersecurity infrastructure. As personal and sensitive data continue to be prime targets for cybercriminals, it underscores the importance for organizations to strengthen their defenses and for individuals to stay vigilant about their personal information. The full extent of the impact remains to be seen, but CHANGE HEALTHCARE’s ongoing efforts to notify and assist affected individuals is a critical step in addressing the breach.
About the Author:
Timothy Powell is a nationally recognized expert on regulatory matters including the False Claims Act, Zone Program Integrity Contractor audits and OIG compliance. He is a member of the RACmonitor editorial board.
Contact the Author:
tpowell@tpowellcpa.com
The role of physician advisors has evolved into an absolute necessity in hospitals of all sizes around the country. As the healthcare landscape rapidly evolves,
I’ve spent much of my time over the last few months interviewing current and former employees of clients, as part of either internal or external
Please log in to your account to comment on this article.
Only ICD10monitor delivers what you need: updates on must-know changes associated with the FY26 IPPS, including new ICD-10-CM/PCS codes, CCs/MCCs, and MS-DRGs, plus insights, analysis and answers to your questions from two of the country’s most respected subject matter experts.
This third session in our 2026 IPPS Masterclass will feature a review of FY26 changes to the MS-DRG methodology and new technology add-on payments (NTAPs), presented by nationally recognized ICD-10 coding expert Christine Geiger, MA, RHIA, CCS, CRC, with bonus insights and analysis from Dr. James Kennedy.
This second session in our 2026 IPPS Masterclass will feature a review the FY26 changes to ICD-10-PCS codes. This information will be presented by nationally recognized ICD-10 coding expert Christine Geiger, MA, RHIA, CCS, CRC, with bonus insights and analysis from Dr. James Kennedy.
This first session in our 2026 IPPS Masterclass will feature an in-depth explanation of FY26 changes to ICD-10-CM codes and guidelines, CCs/MCCs, and revisions to the MCE, presented by presented by nationally recognized ICD-10 coding expert Christine Geiger, MA, RHIA, CCS, CRC, with bonus insights and analysis from Dr. James Kennedy.
RACmonitor is proud to welcome back Dr. Ronald Hirsch, one of his most requested webcasts. In this highly anticipated session, Dr. Hirsch will break down the complex Two Midnight Rule Medicare regulations, translating them into clear, actionable guidance. He’ll walk you through the basics of the rule, offer expert interpretation, and apply the rule to real-world clinical scenarios—so you leave with greater clarity, confidence, and the tools to ensure compliance.
Bring your questions and join the conversation during this open forum series, live every Wednesday at 10 a.m. EST from June 11–July 30. Hosted by Chuck Buck, these fast-paced 30-minute sessions connect you directly with top healthcare experts tackling today’s most urgent compliance and policy issues.
Fraud convictions don’t just punish a few bad claims; they can wipe out years of reimbursements. Don’t wait for an audit to learn the rules. Join Frank Cohen, MPA, for a live Q&A on spotting red flags, avoiding liability, and protecting your practice. Register now and bring your questions!
Substance abuse is everywhere. It’s a complicated diagnosis with wide-ranging implications well beyond acute care. The face of addiction continues to change so it’s important to remember not just the addict but the spectrum of extended victims and the other social determinants and legal ramifications. Join John K. Hall, MD, JD, MBA, FCLM, FRCPC, for a critical Q&A on navigating substance abuse in 2025. Register today and be a part of the conversation!
Copyright © 2025 ICD10monitor. Powered by MedLearn Media.
Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →
CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 2 with code CYBER24
