HackWatch

Breach response guide

CONFIRMEDHigh risk

Analysis and recovery steps: Change Healthcare data breach

This page is built for people searching whether the Change Healthcare incident exposed their data, what to monitor next and how to combine breach response with fraud and identity-protection steps.

This page is built to answer the core user questions after a high-profile breach: what happened, what data may have been exposed, and what to do right now to reduce phishing, fraud, account-takeover and identity-theft risk.

Reported impact

About 100 million affected individuals reported by the company

Incident date

2024-02-21

Exposed data types

Insurance and billing data, Medical or claims-related records for some affected individuals, Identifiers used in healthcare transactions

Best next step

Check whether your email appears in known breach disclosures and move into recovery if phishing starts.

What happened

Change Healthcare disclosed a major cyberattack that disrupted healthcare operations and later reported very large-scale data exposure affecting patients, providers and transaction partners.

For users, the practical response goes beyond one portal login. Healthcare and billing exposure can lead to identity abuse, payment fraud, insurance scams and targeted phishing that references real treatment or provider details.

What to do now if you may be affected

Step 1

Watch for phishing or fraud that references claims, providers, billing notices or healthcare-payment issues.

Step 2

Secure the email account and phone number used for patient portals, insurance and payment recovery.

Step 3

Document notices, statements and provider communication connected to the incident in one timeline.

Step 4

Use identity-theft and breach workflows if new accounts, billing anomalies or fake support calls begin after the breach.

Check breach exposureOpen identity-theft planner

Frequently asked questions

Why does a healthcare breach create long-tail fraud risk?

Because healthcare and billing data can support convincing phishing, insurance fraud and identity-theft attempts long after the initial disruption headlines fade.

What should I watch for after this kind of incident?

Focus on phishing emails, billing calls, patient-portal resets, insurance notices and any fraud that uses real healthcare context to build trust.

Official sources and supporting reporting

UnitedHealth / Change Healthcare updates

Source used to support the timeline, impact framing or recovery guidance for the Change Healthcare incident.

Open source

HHS OCR public reporting context

Source used to support the timeline, impact framing or recovery guidance for the Change Healthcare incident.

Open source