PID continues to monitor the impacts of Change Healthcare’s cyber-attack on insurers and consumers
Harrisburg, PA – The Pennsylvania Insurance Department is reminding Pennsylvanians to exercise caution and urging consumers take action to protect their personal information from identity theft, especially consumers who may be affected by the February cyber-attack on Change Healthcare, a subsidiary of UnitedHealth Group.
“One of PID’s priorities is consumer protection, and we want to make sure Pennsylvanians are aware of resources and steps to best protect themselves, especially when they are victims to unfortunate events like a cyber-attack and data breach that are out of their control,” said Pennsylvania Insurance Commissioner Michael Humphreys. “Taking steps to protect your personal and financial information is always a smart decision whether you’ve been affected by a data breach or you just proactively want to safeguard your accounts if a data breach occurs. As we continue to learn more about the breach, we are glad to help assist any Pennsylvanians that have questions about how best to protect their data or to effectively respond in the unfortunate circumstance that their personal information has been breached.”
Consumers can visit UnitedHealth Group’s dedicated website to obtain information and details on resources available to them if they are impacted by the data breach. A dedicated call center is also available to offer free credit monitoring and identity theft protections for two years to anyone impacted. The call center includes trained clinicians to provide support services, however the call center does not provide any specifics on individual data impact at this time. The call center can be reached at 1-866-262-5342 and further details can be found on their website.
Pennsylvanians who are impacted by a data breach should also follow these steps to best protect their information and reduce the risk of identity theft.
- Check your affected accounts. Review the accounts compromised in the security breach and identify any suspicious activity. If your credit or debit card number is involved in the breach, you should request a new card with a different number and change your associated passwords.
- Monitor your financial accounts and credit reports. Identity thieves might not use your compromised information right away. Continue to monitor your credit report for signs of suspicious activity.
- Sign up for free credit monitoring. Some businesses or government agencies offer free credit monitoring services. Remember, never provide private information without verifying that the service is legitimate.
- Request a fraud alert from one of the credit bureaus. A fraud alert notifies banks and other creditors to take extra steps to verify your identity before issuing credit in your name. A fraud alert is free and will last 90 days. You can request a fraud alert with one of the three nationwide credit bureaus: Equifax, Experian, or TransUnion.
- Avoid using the same password across various accounts. If your username and password are compromised in a breach, using the same password on other accounts could help a criminal gain more access to other personal information.
- Consider a security freeze. A credit freeze or security freeze blocks an identity thief from opening new accounts or accessing credit in your name.
In March, PID called on health insurance companies to provide flexibility in administering healthcare benefits in response to a February cyber-attack on Change Healthcare and to update their websites to provide helpful information to their provider partners regarding reimbursement processes. UnitedHealth Group, of which Change Healthcare is a subsidiary, has over 150 million customers. Millions of Americans are potentially impacted by this cyber breach.
PID also encourages Pennsylvanians experiencing healthcare service delays, pharmacy challenges, eligibility or payment issues, or consumers with general questions, to contact PID’s Bureau of Consumer Services at 1-877-881-6388 or online. Pennsylvanians should also submit a complaint with Office of the Attorney General.
PID continues to monitor the impacts of the cyber-attack and communicates with insurers to encourage responsiveness and continued dialogue among affected parties.
Act 2 of 2023, effective December 11, 2023, requires insurance licensees to take specific actions to safeguard consumers’ information. The Act defines the requirements applicable to a licensee and establishes standards for data security, cybersecurity investigations, and notification to the Commissioner of cybersecurity events.