July 3, 2024
Dear Loyola Community,
On June 21, 2024, Aetna, the University’s health insurance plan administrator, notified the University about a data security incident experienced by its vendor, Change Healthcare (“CHC”). CHC is a widely used provider of health care billing and data systems. Although the University does not directly contract with CHC, CHC is an Aetna vendor.
WHAT HAPPENED
On February 21, 2024, CHC disclosed to Aetna that a data security incident (the “Incident”) had occurred in which an unauthorized actor gained access to CHC’s systems and certain personal and health care information. On June 21, 2024, Aetna received notice from CHC that, as a result of the Incident, some Aetna member protected health information was compromised. The same day, Aetna informed the University of such notice. In its notice to Aetna, CHC reports that its forensic review of the Incident is ongoing. CHC has not yet identified the specific plan sponsor information or the identities of affected individuals, including any University persons and family members who may have been affected.
WHAT INFORMATION MAY HAVE BEEN DISCLOSED BECAUSE OF THE INCIDENT?
In a preliminary notice issued by CHC, CHC states that the information involved for affected individuals may have included one or more of the following:
- Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
- Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
- Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balances due); and/or
- Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, passport numbers, names, addresses, dates of birth, phone numbers, and emails.
WHAT IS CHC DOING FOR POTENTIALLY IMPACTED INDIVIDUALS?
CHC will mail a notice to all impacted individuals for whom CHC has a sufficient mailing addresses and provide all impacted individuals with free credit monitoring and identity theft protection for two years. CHC has published a website notice with additional information about their notification plans which may be helpful to you. Aetna has advised the University that CHC will send notices on a rolling basis beginning near the end of July.
WHAT IS CHC DOING IN RESPONSE TO THE INCIDENT?
CHC’s website notice describes CHC’s response to the Incident. CHC has also established a dedicated call center to offer additional resources and information to people who believe they may have been affected by this incident. Individuals can visit changecybersupport.com for more information and details on these resources or call the toll-free call center, which also includes trained clinicians to provide support services. The call center’s number is: 1-866-262-5342, and is available Monday through Friday, 8 a.m. to 8 p.m. Central Time.
WHAT IS THE UNIVERSITY DOING?
Since receiving notice of the Incident, the University has been in contact with Aetna to confirm the next steps that Aetna and CHC will take to address this situation. The University takes the privacy and security of all members of our campus community seriously and will continue to actively monitor the situation. Even in advance of any written notice from CHC that your personal information may have been affected by this Incident, Information Technology Services (“ITS”) recommends that you closely monitor your financial accounts for suspicious activity. ITS will continue to update this page with any updates as needed.