On Thursday, June 20, Change Healthcare started sending out breach notifications to affected customers. In addition, they have updated the Change Healthcare website with a HIPAA Substitute Notice. It is important to note that the Department of Health and Human Services said on May 31 that Change can be the notifying entity, however, per the National Association of Community Health Centers (NACHC), it’s on the covered entity (health center) to reach out to Change to delegate the tasks of providing the required HIPAA breach notifications on their behalf. Change plans to start sending actual letters to the affected individuals themselves in late July, though the company noted it may not have addresses for everyone. Exposed data could include contact information, health insurance details, medical information like diagnoses and test results, billing and payment information and personal details like Social Security numbers or ID numbers