After Change Healthcare, a technology company owned by UnitedHealth Group, reported a giant ransomware attack, you may have received a letter by mail letting you know your data has been compromised.
But you get a lot of random stuff in the mail, too. How can you determine if the letter is legitimate, and what will it take to protect your accounts and identity?
Large-scale data breaches happen so frequently that it can be tough to keep track. In the first half of 2024, cyberattacks increased 14 percent compared with the same period last year, according to the nonprofit Identity Theft Resource Center (ITRC). In March, consumers learned a hack at a third-party company exposed Amex account information. A few weeks later, data from millions of AT&T accounts popped up online. And in August, a data broker lost control of a massive dataset that contained Social Security numbers.
Some tech critics and cybersecurity experts accuse companies of playing fast and loose with people’s data — collecting too much and failing to properly secure it. Some companies even make a business model out of collecting and combining giant datasets, including profiles of individual people. Each data breach, meanwhile, puts victims at risk of identity theft, which can be a costly and frustrating problem to untangle.
Change Healthcare says it noticed signs of ransomware in its system in February and notified law enforcement. In May, its CEO Andrew Witty testified to Congress that the breach exposed sensitive data for what could be a “substantial proportion of people in America,” including health conditions and treatment, payment information, insurance information and Social Security numbers. The Office for Civil Rights called the scale of the attack “unprecedented” and opened an investigation into Change Healthcare as well as some of its business associates that are also governed by HIPAA, our federal health privacy law.
Change Healthcare says it started alerting affected people by mail in late July, but the notifications come on a rolling basis. Its support line funnels callers to sign up free credit monitoring through third-party company IDX.
Change Healthcare declined to say how many people have been impacted, when it will share details on individuals’ exposed data and why it chose IDX for its free credit-monitoring offer.
Here, signing up free credit monitoring isn’t the best use of your time. Instead, take these three steps if you’re worried you’ve been affected by a data breach.
1. Verify the breach notice, especially if it came through email or text
Most breach scams come through phishing emails and not paper letters, ITRC chief operating officer James Lee said, but high-profile breaches tend to be the ones that draw fraudsters.
Before you launch into crisis mode, always look up the relevant breach. Some states maintain a directory of data breaches you can access online. Otherwise, call the company in question directly — and don’t use any sponsored Google results to find the phone number, as scammers can set up fraudulent websites and support lines.
In this case, I searched the internet for “Change Healthcare data breach,” and among the first results were statements from UnitedHealth Group and the Department of Health and Human Services confirming the attack. Look for official options such as .gov sites and the affected company’s website. (Always confirm the URL of the affected company’s site with a fresh search and avoid sponsored results.)
The ITRC has a tool where you can search for confirmed breaches by company name. And if you’re still not sure, check a forum like Reddit — have other people received a notification? Were they able to confirm it’s real?
2. Watch your accounts for fishy activity
There are at least two ways a criminal could use your breached data: Breaking into your accounts and spinning up new ones in your name.
Change the passwords to your most important accounts, like banking and health care. Keep a close eye on statements from your health-care providers, insurer, bank, credit cards, credit report and tax returns. If someone makes a charge, opens a new account or applies for benefits, this is where you’d catch it. Report any fraud to the Federal Trade Commission and freeze your credit (I explain how in step 3). You might need to close some accounts or report identity theft to the police.
Some companies offer credit or identity theft monitoring to watch for signs of fraudulent lines of credit in your name. These aren’t worth the subscription cost, my colleague Shira Ovide wrote, and even though Change Healthcare is offering credit monitoring pro bono, its recommended service, IDX, has a less-than-ideal privacy policy, with carve-outs that leave room for the company to use your data for marketing or share it with business partners.
3. Set up a fraud alert or freeze your credit
A fraud alert is a one-year flag on your credit profile that helps creditors take extra caution when someone tries to open a new line of credit in your name. You can set one up by calling any of the three major credit reporting agencies — TransUnion, Equifax and Experian — though I recommend activating the alert through their websites to avoid long wait times.
Alternatively, you can freeze your credit, which blocks creditors from checking your credit at all. This you need to turn on with each credit reporting agency individually through their phone lines or websites.
Both are free and don’t affect your credit score, but a freeze is more secure because you don’t have to remember to renew it.