Change Healthcare, a large US healthcare technology company, suffered a massive data breach in early 2024 that exposed sensitive personal and medical information.
In the months since, scam artists have been using this data breach as an opportunity to trick people. One such scam involves sending fake “data breach letters” pretending to be from Change Healthcare.
In this article, I’ll provide an in-depth look at this “Change Healthcare data breach letter scam” to help you identify and avoid it. Without further ado, let’s dive right in.
Background of the Change Healthcare Data Breach Letter Scam
In February 2024, Change Healthcare – one of the largest healthcare IT companies in the United States – suffered a devastating ransomware attack that compromised the personal and medical information of millions of Americans.
Change Healthcare is a major player in the healthcare claims processing industry. They handle around 1 in 3 medical claims in the country. So when they were hacked, it meant that nearly every doctor’s office, hospital, and insurer was potentially impacted.
In testimony to Congress, Andrew Witty, CEO of UnitedHealth Group (Change Healthcare’s parent company), estimated that the data of around 110 million Americans was stolen in the breach – that’s over a third of the entire US population.
The type of information accessed included names, dates of birth, addresses, Social Security numbers, health insurance information, medical claims, test results, and more. Basically, a one-stop shop for identity thieves.
In the months following the attack, Change Healthcare worked to determine the full scope of the breach and how many individuals were impacted. By April, they confirmed it was a “substantial proportion of people in America.”
Beginning in June, Change Healthcare mailed official data breach notification letters to those whose contact information they had on file.
The letters also offered two free years of credit monitoring and identity protection services to help people monitor for fraud/theft.
Are Change Healthcare Data Breach Notification Letters Legit?
The short answer is…it’s complicated. But here are a few things we know:
Change Healthcare has indeed begun the process of notifying individuals whose information was compromised in the breach through direct mail letters. This is required by data breach notification laws.
The letters offer 2 years of free credit monitoring and identity protection services through a company called IDX Privacy. IDX is a legitimate identity protection firm often used by organizations handling data breaches.
However, some red flags have been raised about the letters’ format, wording, and return addresses not matching Change Healthcare’s actual location. This has caused understandable suspicion.
Scammers sometimes take advantage of situations like this by sending fake notification letters to steal more personal info under the guise of “helping” with the breach.
It can be difficult to tell a real letter from a fake one, especially when you’ve never heard of the company (Change Healthcare) before.
So in summary – the data breach itself and notifications are real, but discerning legitimate letters from scam ones requires extra diligence.
How the Change Healthcare Data Breach Letter Scam Works
Armed with personal data stolen in the real breach, scammers have begun sending fake “data breach letters” to try and trick recipients. Their goal is to either steal more of your sensitive information or trick you into giving them money.
Here’s how the scam typically works:
You’ll receive a letter or email claiming to be from “Change Healthcare Security Department” about the recent data breach. The letter looks very similar to the legitimate notification, with Change Healthcare logos and official sounding language.
However, there are usually small inaccuracies in dates, wording or company information if you examine it closely. The scam letter will insist you need to “verify your identity” by clicking a link or calling a number provided.
This link often leads to a fake “identity verification” website where they try to phish more of your personal details. Or they may ask you to provide credit card info to “enroll in free credit monitoring”. Of course, no monitoring ever occurs.
The goal is harvesting more data they can use or sell, or directly billing your card without providing any actual services.
Be very wary of any unsolicited communications (letters, emails, texts, calls) regarding a Change Healthcare data breach that ask you to click links, provide additional info or pay any money upfront. Only scammers would ask for that.
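For readers who triage suspicious emails or scanned letters for family or coworkers, the red flags above can be checked mechanically. The following is an added example, not part of the original article or anything published by Change Healthcare: it lists every link whose host is not the official domain named in this article and reports the scam wording described above. The sample message and its `.example` hosts are constructed.

```python
import re
from urllib.parse import urlsplit

# Official domain as given in the article; any other host is unverified.
OFFICIAL_DOMAIN = "changehealthcare.com"

# Wording the article associates with the fake letters (labels are this example's own).
RED_FLAGS = {
    "identity verification request": re.compile(r"verify\s+your\s+identity", re.I),
    "payment card request": re.compile(r"credit\s+card|card\s+number", re.I),
    "security department sender": re.compile(r"change\s+healthcare\s+security\s+department", re.I),
}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def is_official_host(host):
    """True only for the official domain or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def triage(message):
    """Return links that are not on the official domain, plus matched red flags."""
    unverified = []
    for url in URL_RE.findall(message):
        try:
            # .hostname drops any "user@" prefix, so name@host tricks are caught.
            host = urlsplit(url).hostname or ""
        except ValueError:
            host = ""  # unparseable URL: treat as unverified
        if not is_official_host(host):
            unverified.append(url)
    flags = [name for name, rx in RED_FLAGS.items() if rx.search(message)]
    return {"unverified_links": unverified, "red_flags": flags}

# Constructed sample message; the .example hosts are placeholders.
SAMPLE = (
    "From: Change Healthcare Security Department\n"
    "You must verify your identity at http://changehealthcare.com.verify.example/id\n"
    "Enter a credit card to enroll: https://changehealthcare.com@login.example/enroll\n"
    "More information: https://www.changehealthcare.com/databreach\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A link on the official domain does not prove a letter is genuine; the check only singles out links that cannot be official, including lookalikes that merely contain the company name.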
Tips For Verifying If A Change Healthcare Data Breach Letter Is Real
Here are some tips for determining if a Change Healthcare data breach notification letter you received is legitimate:
✅ Search online for “Change Healthcare data breach 2024” – you’ll find many reputable news articles confirming this major incident did occur.
✅ Go to the official Change Healthcare breach response website at www.changehealthcare.com/databreach – they have direct contact info and ways to verify letters there.
✅ Check that the return address on the letter matches the company’s real physical address in Tennessee (not a P.O. box).
✅ Inspect the letter design/format – real breach notices aim for a clean, professional look versus something flashy/unusual looking.
✅ Verify the credit monitoring company name against lists of companies commonly used after breaches like IDX, Experian, Equifax, etc.
✅ Consider contacting Change Healthcare directly through their breach website instead of numbers/addresses on unverified letters.
✅ Search online for the letter recipient’s name + “Change Healthcare breach” to see if any discussions from reputable sources confirm receipt.
✅ Be extra careful providing additional personal details over the phone in response to unconfirmed letters/calls.
✅ Only enroll in credit monitoring services through verified, official sources like the Change Healthcare breach website.
Taking the time to verify through independent research online can help reduce the risk of inadvertently sharing more private info with potential scammers masquerading as breach notifications. If unsure, it’s better to contact the company directly.
What To Do If Your Data Was Compromised
If after verifying a Change Healthcare breach notification letter you confirm your information was indeed compromised, here are some recommended next steps:
✅ Enroll in the free IDX or other credit monitoring service offered to stay on top of identity theft risks.
✅ Consider placing a credit freeze with the three major credit bureaus to prevent potential new accounts from being opened in your name.
✅ Remain vigilant by routinely checking credit reports & bank/card statements for suspicious activity for at least 12-24 months.
✅ File your taxes early to avoid a scammer filing falsely in your name.
✅ Consider a credit or fraud alert with Equifax, Experian, and TransUnion if identity theft is suspected.
✅ Change passwords and security questions on any accounts where they reuse personal details exposed in the breach.
✅ Monitor health insurance explanations of benefits (EOBs) for unauthorized medical claims being filed.
Being proactive can help safeguard your identity after a significant data breach like this one. Keep close tabs in the coming years and watch for signs of misuse.
What to Do if You Suspect a Fake Change Healthcare Data Breach Letter
If you receive a letter or email regarding the Change Healthcare breach that raises red flags, there are important steps to take:
- Do not click any links, open attachments or provide sensitive details requested.
- Do not call phone numbers provided or proceed with actions prompted.
- Visit the official Change Healthcare website (changehealthcare.com) to review their actual breach notification page.
- Compare details in the suspicious letter to what Change Healthcare themselves publicly report.
- If valid inconsistencies are found, you likely have a phishing scam on your hands.
- Consider reporting the scam attempt to authorities like the FTC so others can be warned.
- Monitor banking and identity theft protection services for any suspicious activity just to be safe.
- Change any passwords for accounts if login details were revealed to scammers just in case.
- Spread awareness to friends/family so they too recognize this Change Healthcare data breach letter scam.
Conclusion
In conclusion, while the massive Change Healthcare data breach and notifications themselves are real, determining if a received letter is legitimate does require extra due diligence and skepticism.
Hopefully these tips provide useful guidance for consumers receiving breach letters to evaluate their authenticity and next steps if personal info was compromised.
Taking proactive precautions is wise after a breach of this scope and scale to protect yourself from potential identity theft going forward.