Change Healthcare is starting to notify hospitals, insurers and other customers that they may have had patient information exposed in a massive cyberattack.
The company also said Thursday that it expects to begin notifying individuals or patients in late July.
Change Healthcare, a subsidiary of health care giant UnitedHealth Group, provides technology used to submit and process billions of insurance claims a year. Hackers gained access in February to its system and unleashed a ransomware attack that encrypted and froze large parts of it.
The attack triggered a disruption of payment and claims processing around the country, stressing doctor’s offices and health care systems by interfering with their ability to file claims and get paid.
According to the Florida Hospital Association, the state has over 100 hospitals that directly contract with Change Healthcare.
Change said names, addresses, health insurance information and personal information like Social Security numbers may have been exposed in the attack. The company is still investigating.
It said Thursday that it has reviewed more than 90% of impacted files and has seen no signs that doctors’ charts or full medical histories were taken.
Earlier in the week, the Centers for Medicare & Medicaid Services announced it will soon end a program providing advance payments to Medicare providers and suppliers affected by the cyberattack.
The program, which began in March to ease providers's cash flow, will close July 12 and CMS will no longer accept applications.
Providers are now successfully billing Medicare, the agency said.
“Our efforts helped minimize the disruptive fallout from this incident, and we will remain vigilant to be ready to address future events.” CMS Administrator Chiquita Brooks-LaSure said in a statement.
Payments were issued to over 4,200 Medicare Part A providers, such as hospitals, totaling more than $2.55 billion, according to CMS. More than 4,700 payments totaling more than $717 million were issued to Part B suppliers, including doctors, nonphysician practitioners and equipment suppliers.
CMS has recovered over 96% of the advanced payments, the agency said.
After the cyberattack, UnitedHealth paid a $22 million ransom in bitcoin, CEO Andrew Witty has said.
Witty said during congressional hearings last month that all of the company’s core systems, including claims payment and pharmacy processing, were functional.
The company has been offering to pay for two years of credit monitoring and identity theft protection for people worried that their information may have been exposed in the attack.
Health News Florida's Rick Mayer contributed to this report.
