WSU students who have used the Cougar Health Services Pharmacy on the Pullman campus received an email on July 17 notifying them that their personal information may have been exposed in a cyberattack against Change Healthcare, a third-party service provider.

WSU contracts Change Healthcare to provide electronic pharmacy services, according to an email from Sunday Henry, WSU medical services director. Change Healthcare cannot confirm exactly what data was affected for each person, but the data that may have been accessed includes contact information, health and health insurance information, billing claims and payment information and other personal information such as Social Security numbers or state ID numbers.

“On February 21, 2024, Change Healthcare became aware of a deployment of ransomware in its computer system by a cybercriminal,” Henry said. “Change Healthcare retained leading cybersecurity and data analysis experts to assist in the investigation, which began on February 21, 2024. On March 7, 2024, Change Healthcare confirmed that a substantial quantity of data had been exfiltrated from its environment between February 17, 2024, and February 20.”

On March 13, Change Healthcare obtained a dataset of exfiltrated files that was safe to investigate, Henry said. On April 22, Change Healthcare confirmed the impacted data could cover a substantial proportion of the US population. On June 20, Change Healthcare began providing notice to its customers, although WSU has not been notified of its list of patients whose data was involved.

“WSU took important steps within its control to minimize the chances of your data being misused as a result of this incident. The connection to Change Healthcare was disabled,” she said. “WSU CHS Pharmacy has been communicating and monitoring Change Healthcare’s communications regarding the steps they were taking in response to this incident including shutting down systems and [severing] connectivity to prevent further impact.”

WSU CHS Pharmacy is currently waiting to obtain a list of affected individuals from Change Healthcare, she said. People who are concerned about the security of their information should closely monitor their explanation of benefits statements for unusual activity and contact their healthcare provider if they believe something is incorrect. 

“If individuals notice any suspicious activity on bank or credit card statements or on tax returns, they should immediately contact their financial institution and/or credit card company or relevant agency,” Henry said. “If an individual believes they are the victim of a crime, they can contact local law enforcement authorities and file a police report.”

Individuals who are concerned if they have been impacted can also enroll in two years of complimentary credit monitoring and identity protection services. Those interested can access these services through the Change Healthcare website.

For more information, students are recommended to contact Joseph Santos, Cougar Health Services quality assurance and compliance coordinator, at [email protected] .