Change Healthcare plans to begin contacting patients whose data was breached during the February ransomware attack in late July.
According to a statement posted on Change's website, the company is still reviewing data to identify individuals affected by the breach and will begin mailing written letters when the review is complete. Change noted it may not have the addresses for all individuals impacted.
Change Healthcare took its computer system offline when it identified suspicious activity and worked with law enforcement officials to investigate the attack. In collaboration with cybersecurity and data analysis experts, the company found a "substantial quantity of data" was stolen from its system, and it was able to exfiltrate the files. The stolen data covered a "substantial portion of people in America," according to the company's website.
In testimony to Congress, UnitedHealth Group CEO Andrew Witty said around one-third of Americans were affected by the breach.
Change already began notifying certain customers with affected members and provided notices to them. The Boston Herald reported Massachusetts and New Hampshire attorney generals are preparing to notify affected individuals in their states and provide resources for them.
"Despite the magnitude of this breach, the delay in notifying affected individuals is unacceptable," New Hampshire Attorney General John Formella told the Boston Herald. "Alongside my counterparts from across the country, I have called upon UnitedHealth Group to take swift and meaningful action to protect those impacted and prevent future breaches."
Change is offering individuals affected by the breach free credit monitoring and identity theft protection for 24 months.