Threat: Phishing & impersonation

Fake UnitedHealth Group / Optum / Change Healthcare breach notification phishing — "your records may have been affected by the Feb 2024 Change Healthcare ransomware attack — enroll in free credit monitoring within 30 days" from non-official sender harvesting SSN, Medicare ID, insurance IDs, and banking details for identity fraud

change-healthcare-breach-notification-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

This signal detects fake UnitedHealth Group / Optum / Change Healthcare breach notification phishing sent from a non-official sender. The Feb 2024 ALPHV/BlackCat ransomware attack on Change Healthcare, the largest healthcare data breach in US history at ~190M affected individuals (~57% of the US population), created a massive, long-lived phishing surface. Attackers impersonate UHG, Optum, or Change Healthcare with fake "Your healthcare records may have been exposed in the Change Healthcare breach — enroll in free credit monitoring within 30 days" emails. The real Change Healthcare breach enrollment uses postal mail plus an enrollment code, never an inbound email link requesting personal information.

The signal fires when all of the following hold:

(1) the body references the Change Healthcare, UHG, Optum, or UnitedHealthcare brand;
(2) breach, ransomware, or data-exposure language is present;
(3) an enrollment, monitoring, or claim hook is present;
(4) the sender is NOT changehealthcare.com, optum.com, unitedhealthgroup.com, or an official government breach-response domain;
(5) no List-Unsubscribe or In-Reply-To header is present.

Source: GC1 R15 council #2; FBI IC3 PSA on healthcare breach impersonation 2025; FTC Change Healthcare advisory.
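The five conditions above can be sketched as one conjunction over a parsed message. This is an added example, not Gorganizer's own code: the keyword patterns, function names, and the `extra_official` parameter (for the government domains the page does not list) are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Official sender domains named on the page. Government breach-response domains
# are not listed there, so callers supply them (assumption of this example).
OFFICIAL = {"changehealthcare.com", "optum.com", "unitedhealthgroup.com"}
# Keyword patterns are illustrative assumptions, not Gorganizer's own rules.
BRAND = re.compile(r"change\s+healthcare|\buhg\b|\boptum\b|united\s*health", re.I)
BREACH = re.compile(r"breach|ransomware|records?.{0,40}(exposed|affected)", re.I)
HOOK = re.compile(r"enroll|credit\s+monitoring|claim\s+your", re.I)

def sender_is_official(from_header, extra_official=()):
    """Exact official domain or a true subdomain; lookalike suffixes fail."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    allowed = OFFICIAL | set(extra_official)
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def body_text(msg):
    """Join all text/* parts; ASCII keywords survive a lossy UTF-8 decode."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(chunks)

def evaluate(raw, extra_official=()):
    """Return (fires, per-condition results) for the five conditions."""
    msg = message_from_string(raw)
    text = body_text(msg)
    checks = {
        "brand": bool(BRAND.search(text)),
        "breach_language": bool(BREACH.search(text)),
        "enrollment_hook": bool(HOOK.search(text)),
        "non_official_sender": not sender_is_official(msg.get("From", ""), extra_official),
        "no_list_or_reply_hdr": msg["List-Unsubscribe"] is None and msg["In-Reply-To"] is None,
    }
    return all(checks.values()), checks

# Constructed sample messages (not real mail); the body reuses the lure quoted above.
BODY = ("Your healthcare records may have been exposed in the Change Healthcare "
        "breach. Enroll in free credit monitoring within 30 days.\n")
LOOKALIKE = "From: Optum <notice@optum.com.enroll-help.example>\nSubject: Notice\n\n" + BODY
SUBDOMAIN = "From: Optum <notice@mail.optum.com>\nSubject: Notice\n\n" + BODY
REPLY = "In-Reply-To: <1@mail.example>\n" + LOOKALIKE

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("subdomain", SUBDOMAIN), ("reply", REPLY)]:
        print(name, evaluate(raw))
```

The sender check compares the parsed address domain rather than the display name, so a "From: Optum" label on an unrelated domain, or an official name used as a prefix of a longer domain, still counts as non-official.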

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
