Four months after a significant cyberattack forced its systems offline, a UnitedHealth subsidiary, Change Healthcare, has disclosed a major data breach. In a recent notification, Change Healthcare revealed that a “substantial quantity of data” was stolen, impacting a “substantial proportion of people in America.” Earlier this year, UnitedHealth’s CEO Andrew Witty estimated that “maybe a third” of all Americans might have been affected by the breach.
The breach notification highlights the severity of the situation. Change Healthcare stated, “While Change Healthcare cannot confirm exactly what data has been affected for each impacted individual, information involved for affected individuals may have included contact information (such as first and last name, address, date of birth, phone number, and email).” This means that millions of individuals could be at risk of identity theft and other forms of fraud.
The stolen data is not limited to basic contact information. CHANGE HEALTHCARE further explained that the data exfiltrated could include sensitive health insurance information, such as insurance plans, companies, Medicaid-Medicare-government payor ID numbers, and detailed health information like test results, diagnoses, and medical record numbers. Billing and claims information, which may include financial or banking information, balance and payments due, and account numbers, were also compromised. In addition, highly sensitive personal data, such as driver’s licenses and social security numbers, were potentially stolen.
Change Healthcare has acknowledged the complexity and breadth of the breach. “The information that may have been involved will not be the same for every impacted individual. To date, we have not yet seen full medical histories appear in the data review,” Change Healthcare said. This indicates that while some individuals might only have basic contact information exposed, others could have a more comprehensive set of their personal data compromised.
Moreover, Change Healthcare noted that the stolen information might also pertain to guarantors who paid healthcare bills on behalf of patients. “Also, some of this information may have related to guarantors who paid bills for healthcare services. A guarantor is the person who paid the bill for healthcare services,” the notification stated. This means that even individuals who are not direct patients of Change Healthcare but have financial ties to them could be affected.
Since June 20, Change Healthcare has been actively notifying its affected customers about the breach. The company is providing a link to the substitute notice for other customers to inform them of what happened. “The review of personal information potentially involved in this incident is in its late stages,” Change Healthcare said, indicating that they are nearing the end of their investigation into the breach.
In an effort to assist those impacted, Change Healthcare is taking steps to mitigate the damage caused by the breach. “Change Healthcare is providing this notice now to help individuals understand what happened, let them know that their information may have been impacted, and give them information on steps they can take to protect their privacy, including enrolling in two years of complimentary credit monitoring and identity theft protection services if they believe that their information may have been impacted.” This move aims to provide a level of protection for individuals as they navigate the potential fallout from the breach.
The CHANGE HEALTHCARE data breach is a stark reminder of the vulnerabilities in the healthcare sector’s cybersecurity infrastructure. As personal and sensitive data continue to be prime targets for cybercriminals, it underscores the importance for organizations to strengthen their defenses and for individuals to stay vigilant about their personal information. The full extent of the impact remains to be seen, but CHANGE HEALTHCARE’s ongoing efforts to notify and assist affected individuals is a critical step in addressing the breach.
About the Author:
Timothy Powell is a nationally recognized expert on regulatory matters including the False Claims Act, Zone Program Integrity Contractor audits and OIG compliance. He is a member of the RACmonitor editorial board.
Contact the Author:
tpowell@tpowellcpa.com
EDITOR’S NOTE: Ritesh Ramesh, CEO for MDaudit, appeared on Monitor Monday to report his company’s findings on nationwide audit trends. The rate of payer audits
The Medicare audit landscape has undergone a fundamental transformation, evolving from ad hoc enforcement practices to scientifically rigorous methodological frameworks. This evolution spans two critical
Please log in to your account to comment on this article.
Accurately determining the principal diagnosis is critical for compliant billing, appropriate reimbursement, and valid quality reporting — yet it remains one of the most subjective and error-prone areas in inpatient coding. In this expert-led session, Cheryl Ericson, RN, MS, CCDS, CDIP, demystifies the complexities of principal diagnosis assignment, bridging the gap between coding rules and clinical reality. Learn how to strengthen your organization’s coding accuracy, reduce denials, and ensure your documentation supports true medical necessity.
Denials continue to delay reimbursement, increase administrative burden, and threaten financial stability across healthcare organizations. This essential webcast tackles the root causes—rising payer scrutiny, fragmented workflows, inconsistent documentation, and underused analytics—and offers proven, data-driven strategies to prevent and overturn denials. Attendees will gain practical tools to strengthen documentation and coding accuracy, engage clinicians effectively, and leverage predictive analytics and AI to identify risks before they impact revenue. Through real-world case examples and actionable guidance, this session empowers coding, CDI, and revenue cycle professionals to shift from reactive appeals to proactive denial prevention and revenue protection.
Sepsis remains one of the most frequently denied and contested diagnoses, creating costly revenue loss and compliance risks. In this webcast, Angela Comfort, DBA, MBA, RHIA, CDIP, CCS, CCS-P, provides practical, real-world strategies to align documentation with coding guidelines, reconcile Sepsis-2 and Sepsis-3 definitions, and apply compliant queries. You’ll learn how to identify and address documentation gaps, strengthen provider engagement, and defend diagnoses against payer scrutiny—equipping you to protect reimbursement, improve SOI/ROM capture, and reduce audit vulnerability in this high-risk area.
Only ICD10monitor delivers what you need: updates on must-know changes associated with the FY26 IPPS, including new ICD-10-CM/PCS codes, CCs/MCCs, and MS-DRGs, plus insights, analysis and answers to your questions from two of the country’s most respected subject matter experts.
Get clear, practical answers to Medicare’s most confusing regulations. Join Dr. Ronald Hirsch as he breaks down real-world compliance challenges and shares guidance your team can apply right away.
Federal auditors are zeroing in on Inpatient Rehabilitation Facility (IRF) and hospital rehab unit services, with OIG and CERT audits leading to millions in penalties—often due to documentation and administrative errors, not quality of care. Join compliance expert Michael Calahan, PA, MBA, to learn the five clinical “pillars” of IRF-PPS admissions, key documentation requirements, and real-life case lessons to help protect your revenue.
During this essential RACmonitor webcast Michael Calahan, PA, MBA Certified Compliance Officer, will clarify the rules, dispel common misconceptions, and equip you with practical strategies to code, document, and bill high-risk split/shared, incident-to & critical care E/M services with confidence. Don’t let audit risks or revenue losses catch your organization off guard — learn exactly what federal auditors are looking for and how to ensure your documentation and reporting stand up to scrutiny.
Learn how to navigate the proposed elimination of the Inpatient-Only list. Gain strategies to assess admission status, avoid denials, protect compliance, and address impacts across Medicare and non-Medicare payors. Essential insights for hospitals.
Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →
CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 1 with code CYBER25
CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 2 with code CYBER24
