Attorney General Todd Rokita warns Hoosiers about egregious theft of private patient medical

07/15/2024

Attorney General Todd Rokita warns Hoosiers about egregious theft of private patient medical records

July 15, 2024

Rokita blasts UnitedHealth for failure to protect patient information

In the wake of a massive and under-reported cyberattack, Indiana Attorney General Todd Rokita is warning Hoosiers about the steps they can take to prevent the potential theft of their personal health care information.

For months, the nation’s largest electronic data clearinghouse, ChangeHealthcare/UnitedHealth, failed to inform the likely 110 million affected Americans about the potential theft of their health insurance records, banking information, Social Security numbers, and medical records that are typically kept confidential between doctors and patients. Rokita’s Data Privacy and ID Theft team is urging Indiana residents to be on the lookout for strange changes to their health plan statements and billing information, and to take advantage of Change Healthcare offering free credit monitoring and ID theft protection services. To enroll in credit monitoring through IDX, call 1-888-846-4705.

“The protection of your private medical records and personal health care information is of utmost importance to our office, and you have the right to request a credit freeze and numerous other preventative ID theft services – free of charge – from this irresponsible health care handler,” Attorney General Rokita said.

Change Healthcare processes 15 billion health care transactions each year, and the company reported one-in-three Americans may be affected by this latest BlackCat ransomware attack. The attack itself enabled the shady hacker group to obtain millions and millions of private medical records stored by Change Healthcare.

“Our office will continue to pressure companies like Change Healthcare to hold Hoosiers’ data privacy at the highest standards — and know that we will hold all health care operators accountable for any and all breaches.”

Timeline of Attacks & Change Healthcare’s Failure to Notify Patients

The company has stated that affected individuals may begin receiving notification letters in the mail in late July, but Change Healthcare first became aware of the so-called Blackcat ransomware cyberattacks all the way back on February 21, 2024.

The ransomware attackers themselves have publicly claimed that patient data was being stolen well before the February 21 date – but millions of patients have not been individually notified in any way that their information has likely been stolen by the hacker group.

Companies like UnitedHealth are legally required to report all data breaches involving protected health information (PHI) to the U.S. Department of Health & Human Services. But Rokita’s office reiterates that the depth and scope of the breaches are still unknown – so even if you don’t think you’re affected – it can’t hurt to take pro-active steps to protect yourself.

Consumers should be aware of potential warning signs that someone is using their medical information. The signs include:

A bill from their doctor for services they did not receive;
Errors in their Explanation of Benefits statement like services they never received or prescription medications they do not take;
A call from a debt collector about a medical debt they do not owe;
Medical debt collection notices on their credit report that they do not recognize;
A notice from their health insurance company indicating they have reached their benefit limit; or
They are denied insurance coverage because their medical records show a pre-existing condition they do not have.

If consumers are concerned that their data may have been impacted but prefer not to use the free resources provided by Change Healthcare, they can also consider freezing their credit.

Individuals will have to freeze their credit with each bureau: Experian, Equifax and TransUnion.