Change Healthcare Breach: Know Your Rights

In February 2024, a patient in Ohio opened her mailbox to find a letter from Change Healthcare. The company—a subsidiary of UnitedHealth Group that processes one in every three U.S. patient records—was writing to inform her that hackers had accessed her medical history, Social Security number, insurance details, and billing records. She wasn't alone. Over the following weeks, the notification letters kept coming, and the scope of what would become the largest medical data breach in American history came into focus.

By the time the full extent was disclosed, more than 100 million Americans—nearly one-third of the U.S. population—had their most sensitive health information exposed. This wasn't a theoretical privacy violation. The Change Healthcare breach represents a watershed moment for medical data security, and if you've received care from almost any major health system in the past decade, your records were likely caught in the crossfire.

The Change Healthcare Breach: What Happened

On February 21, 2024, Change Healthcare detected unauthorized access to its systems. The company immediately took systems offline, causing widespread disruption across pharmacies, hospitals, and medical billing operations nationwide. Prescriptions went unfilled. Insurance claims stalled. The operational chaos masked a far more serious problem: the ALPHV/BlackCat ransomware group had already exfiltrated terabytes of patient data.

Change Healthcare processes approximately 15 billion healthcare transactions annually, serving as the digital backbone for insurance verification, prescription routing, and claims processing. The attackers gained initial access through compromised credentials on a Citrix remote access portal that lacked multi-factor authentication—a basic security control that could have prevented the entire incident.

UnitedHealth Group, Change Healthcare's parent company, paid a $22 million ransom in Bitcoin. The payment didn't prevent the data from being sold. In March 2024, a different ransomware affiliate claimed possession of the stolen database and began negotiations to sell it to the highest bidder. By June, samples of the data appeared on dark web marketplaces, confirming that patient records were actively circulating among criminals.

The breach notification process stretched across months as Change Healthcare worked to identify affected individuals. The final count exceeded 100 million records—surpassing the previous record holder, the 2015 Anthem breach, by a significant margin. This makes the Change Healthcare incident the largest medical data breach in U.S. history and one of the ten largest data breaches ever recorded in any sector.

What Data Was Exposed and Why It Matters

The exposed information falls into categories that collectively provide everything needed for comprehensive identity theft and medical fraud:

Personal identifiers: Full names, dates of birth, Social Security numbers, driver's license numbers, passport numbers, and addresses. These form the foundation of identity theft, enabling criminals to open credit accounts, file fraudulent tax returns, and apply for government benefits.

Medical information: Diagnoses, medications, test results, treatment histories, and clinical notes. This data reveals pre-existing conditions, mental health treatment, substance abuse history, and other sensitive details that individuals have a legal right to keep private under HIPAA.

Financial and insurance data: Health insurance policy numbers, Medicare and Medicaid identification numbers, billing codes, payment information, and claims history. Criminals use this information to file fraudulent insurance claims for services never rendered—a form of fraud that can take years to detect and resolve.

Authentication credentials: Some records included email addresses and passwords used for patient portals, creating immediate risk of account takeover across other services where individuals reused those credentials.

Medical data carries unique risks that standard financial data breaches don't present. A stolen credit card number can be cancelled. A Social Security number can't be changed without extraordinary circumstances. Your medical history is permanent. Once exposed, it remains a vulnerability for life.

Criminals exploit medical data in several ways. Medical identity theft allows fraudsters to obtain prescription medications, particularly controlled substances, using your insurance information. The fraudulent claims appear on your insurance record, potentially affecting your coverage and future premiums. More seriously, incorrect information added to your medical records during fraudulent treatment can lead to dangerous medical errors when you receive legitimate care.

The data also enables sophisticated social engineering attacks. Scammers armed with your diagnosis and medication history can craft convincing phishing emails pretending to be your pharmacy, insurance company, or healthcare provider. They know enough about your actual medical situation to make their requests seem legitimate.

How to Check If Your Data Was Included

Change Healthcare established a dedicated notification website at changehealthcareresponse.com where affected individuals can verify their status. You'll need to provide your name and contact information to check whether you're among the confirmed victims.

However, the notification process has been incomplete. Many individuals whose data was exposed haven't received direct notification because Change Healthcare doesn't have current contact information or because their records were processed through intermediaries. If you've received healthcare services from any provider that accepts insurance, you should assume potential exposure.

Several indicators suggest you may be affected even without direct notification:

You received care from a provider that uses UnitedHealthcare, Optum, or any major insurance network between 2010 and 2024. Change Healthcare processed claims for virtually all major insurers, meaning the breach's reach extends far beyond UnitedHealth's own insurance customers.

You filled prescriptions at major pharmacy chains during this period. Change Healthcare's pharmacy routing systems handled prescription verification and billing for most national pharmacy networks.

You received services requiring insurance pre-authorization or claims processing. The company's systems touched nearly every aspect of medical billing and payment processing.

The scope makes individual verification challenging. Rather than waiting for confirmation, treat this breach as if you're affected and take protective action. Our free exposure check can help you identify whether your information has already appeared on data broker sites—a strong indicator that breach data has entered commercial circulation.

Immediate Steps to Take Right Now

The window for preventing harm closes quickly after a breach. Data moves through criminal networks within days, and the first fraudulent accounts often appear within weeks. These actions should be completed within the next 72 hours:

Step 1: Place a Credit Freeze With All Three Bureaus

A credit freeze prevents new accounts from being opened in your name. Unlike credit monitoring, which only alerts you after fraud occurs, a freeze blocks the fraud before it happens. Contact all three major credit bureaus directly:

• Equifax: equifax.com/personal/credit-report-services/credit-freeze/ or 800-349-9960
• Experian: experian.com/freeze/center.html or 888-397-3742
• TransUnion: transunion.com/credit-freeze or 888-909-8872

The freeze is free, immediate, and doesn't affect your credit score. You'll receive a PIN that allows you to temporarily lift the freeze when you need to apply for legitimate credit. Don't skip this step because you think you're not applying for credit soon—criminals don't wait for your convenience.

Step 2: Request Your Medical Information Bureau File

The Medical Information Bureau (MIB) maintains records used by insurance companies to detect fraud and assess risk. Request your MIB file at mib.com to review what information insurance companies see about you. This helps identify fraudulent insurance applications or claims filed in your name. You're entitled to one free report annually.

Step 3: Review Your Explanation of Benefits Statements

Log into your health insurance portal and review every Explanation of Benefits (EOB) statement from the past six months. Look for services you didn't receive, providers you've never visited, or medications you don't take. Medical identity theft often goes undetected for months because people assume their insurance company will catch fraudulent claims.

Step 4: Change Passwords and Enable MFA

Update passwords for your health insurance portal, patient portals at medical providers, pharmacy accounts, and any financial services connected to your healthcare. Use unique passwords for each account—a password manager makes this manageable. Enable multi-factor authentication wherever offered. The irony that Change Healthcare's failure to implement MFA enabled this breach shouldn't be lost on anyone.

Step 5: File an Identity Theft Report

Visit IdentityTheft.gov to file a report with the Federal Trade Commission. This creates an official record that provides legal protections if you need to dispute fraudulent accounts or clear your name from criminal activity. The report also extends fraud alert periods and provides additional rights under the Fair Credit Reporting Act.

Step 6: Consider Freezing Your Medical Records

Several states now allow medical record freezes similar to credit freezes. Contact the Medical Information Bureau and your health insurance company to request restrictions on who can access your medical records. This won't prevent legitimate treatment but adds verification requirements for insurance companies and pharmacies.

How Breached Data Ends Up on Data Broker Sites

Here's what most breach notifications don't tell you: the stolen data doesn't stay in criminal hands. Within weeks of a major breach, the information begins migrating into the commercial data ecosystem through a process that makes the data remarkably difficult to eliminate.

Data brokers purchase information from numerous sources, including bankruptcy filings, property records, voter registrations, and less savory channels. Stolen breach data gets laundered through a series of transactions that obscure its criminal origin. A hacker sells the database to a data aggregator. That aggregator combines it with information from other sources and sells the enriched dataset to data brokers. The brokers claim they only use "publicly available" information, technically true after the data has been posted on certain forums or sold through particular marketplaces.

Based on our analysis of removal requests following major breaches, we see victim information appearing on data broker sites within 30-90 days after the breach disclosure. The information doesn't appear labeled as "stolen from Change Healthcare." It simply shows up as another data point—your name, address, and phone number on Spokeo, your age and relatives on Whitepages, your address history on BeenVerified.

The medical information typically doesn't appear directly on consumer-facing people search sites due to HIPAA restrictions. But the personal identifiers do, and those identifiers allow anyone to connect your identity to other data sources. Someone who knows your full name, date of birth, and address can often find additional information through public records requests, social media correlation, or purchasing specialized datasets marketed to private investigators and skip tracers.

The commercial availability of your information creates ongoing risk. Scammers scrape data broker sites to build target lists for phishing campaigns. The information enables them to personalize their approach, referencing your actual location, family members, or other details that make their messages seem legitimate. After a medical breach, expect phishing attempts claiming to be from your insurance company, pharmacy, or healthcare provider. The scammers know you're worried about the breach and will exploit that anxiety.

Data brokers also sell information to lead generation companies that target specific demographics—including people with particular medical conditions or insurance types. While they can't legally advertise that they're selling lists of diabetes patients or cancer survivors, they can sell lists of people who match demographic profiles strongly correlated with those conditions. The distinction is semantic, and the privacy violation is identical.

Long-Term Protection: Why Ongoing Monitoring Matters

The Change Healthcare breach creates permanent risk. Unlike a credit card breach where you get a new card number and move on, your medical history and Social Security number remain vulnerable indefinitely. Medical identity theft often takes 18-24 months to detect, and fraudulent accounts can remain on your credit report for years if not actively disputed.

Credit monitoring services detect some problems but miss others. They'll alert you when someone opens a new credit card in your name but won't catch someone using your insurance to fill prescriptions or file medical claims. They don't monitor the dozens of data broker sites where your information appears and reappears even after removal.

Data broker removal isn't a one-time task. Our operational data shows that 37% of successfully removed profiles reappear on the same site within six months. Brokers continuously refresh their databases with new data purchases, and the information cycle repeats. A single removal request to one broker doesn't prevent that broker from acquiring your information again from a different source or prevent 50 other brokers from selling the same data.

The scale of the data broker industry makes manual removal impractical. GhostMyData monitors 1,500+ data broker sites—far more than the 35-500 covered by competing services. Many of the most problematic brokers are smaller operations that don't appear on the lists that consumer privacy tools typically address. These smaller brokers often have the least secure systems and the most questionable data sourcing practices, making them particularly likely to traffic in breach-related information.

After a breach of this magnitude, ongoing monitoring becomes essential infrastructure for protecting your identity. With a limited-time spring privacy sale offering 25% off the first year, starting comprehensive data removal is more accessible now than waiting until fraud occurs. Monitoring needs to cover both credit activity and data broker exposure because criminals exploit both channels, often simultaneously.

How GhostMyData Automates Removal and Monitors for Re-Exposure

Manual data removal requires visiting hundreds of websites, navigating deliberately confusing opt-out processes, providing documentation, and following up when brokers ignore requests. The Fair Credit Reporting Act requires consumer reporting agencies to remove inaccurate information, but most data brokers claim they're not consumer reporting agencies. State privacy laws like the California Consumer Privacy Act (CCPA) provide removal rights, but only for residents of specific states, and enforcement is inconsistent.

GhostMyData automates this process across 1,500+ data broker sites, handling the initial removal requests and the ongoing monitoring needed to catch re-exposure. The system adapts to each broker's specific requirements, whether that's filling out web forms, sending certified mail, or following up through customer service channels.

The automation matters because consistency matters. A single missed broker or a delayed follow-up can leave your information exposed to the exact audience most likely to exploit it. After a breach like Change Healthcare, criminals actively search data broker sites for victim information, knowing that most people won't complete the tedious removal process across hundreds of sites.

The monitoring component addresses the re-exposure problem. When your information reappears—and it will—GhostMyData automatically submits new removal requests without requiring you to check sites manually or remember to follow up. This continuous cycle of removal and monitoring provides the ongoing protection that a medical data breach demands.

For Change Healthcare breach victims, the calculus is straightforward. Your medical information is already compromised. You can't prevent criminals from possessing that data. What you can control is how easily they can connect that medical data to your current contact information, location, and family details through data broker sites. Removing that connecting tissue makes the medical data less actionable for fraud.

The breach exposed 100 million Americans to permanent identity theft risk. The question isn't whether to take protective action—it's whether you'll do it comprehensively enough to matter. Half-measures don't work when your Social Security number and medical history are circulating on criminal marketplaces. Start with our free exposure check to see where your information currently appears, then decide whether the scale of the problem requires automated removal across the full data broker ecosystem. The breach already happened. The choice about what happens next is yours.