Some state AGs warn of 'unprecedented' health care data breach that could affect one-third of Americans

Change Healthcare experienced a data breach in February 2024.

Attorneys general in at least two states are warning this week of an "unprecedented" health care data breach that they say may affect up to one-third of all Americans.

Change Healthcare, a health payment company owned by UnitedHealth Group, said it experienced a cyberattack in February 2024, potentially exposing millions of Americans' sensitive health information.

Typically, when data breaches occur, consumers receive individualized letters if their information was impacted. However, attorneys general in Massachusetts and New Hampshire say residents in their respective states have yet to receive individual notices from Change Healthcare and are urging them to take steps if they believe their data was part of the breach.

"This data breach is deeply concerning," New Hampshire Attorney General John Formella said in a statement. "Thousands of health care providers, pharmacies and insurers rely on Change Healthcare's services, making the exposure of sensitive health and personal data to cybercriminals a significant threat to public trust and security. Despite the magnitude of this breach, the delay in notifying affected individuals is unacceptable."

ABC News has reached out to Change Healthcare.

Formella said he and several counterparts in other states are calling on UnitedHealth Group "to take swift and meaningful action to protect those impacted and prevent future breaches."

In a notice posted on its website, Change Healthcare said it could not confirm which data has been affected but said it may have involved information including names, addresses, dates of birth, phone numbers, Social Security numbers, health insurance information, medical record numbers and billing information.

Change Healthcare publicly confirmed In April that the data breach could "could cover a substantial proportion of people in America," which was later confirmed to be up to one-third of all Americans.

The company said it began providing notice to customers whose data was involved in the cyberattack on June 20 -- nearly four months after the data breach -- and plans to mail written letters to affected individuals starting in late July.

"Given the delay between the data breach and notification to those impacted, the Massachusetts Attorney General's Office is publicizing not just the breach, but also resources, including the offer that Change Healthcare has provided to the public," according to a statement Tuesday from the office of Massachusetts Attorney General Andrea Campbell.

Change Healthcare is providing Massachusetts and New Hampshire residents who believe they may have been impacted free credit monitoring and identity theft protections for two years, according to Formella and Campbell.

"Since Change Healthcare has not yet provided notice to individuals and the impact is very significant, the safest course of action is for everyone to assume that their information has been involved," Formella's office wrote in a statement.