Change Healthcare, the UnitedHealth-owned health technology company that lost more than 100 million sensitive health data in a ransomware attack last year, said Tuesday that the company has “substantially” completed notifying affected individuals of the massive data breach.
The February 2024 ransomware attack on Change Healthcare, one of the largest patient billing processors in the United States, led to months of outages that disrupted care throughout the US healthcare system. The data breach also became the largest known theft of medical data in US history. Change Healthcare paid the hackers a ransom to prevent them from publishing more of the stolen data, and in return, received a copy of the stolen data to begin notifying the people whose information was taken.
In an update of data breach notification on its website On Tuesday, Change Healthcare said it “has notified its affected customers” for whom the company has a mailing address on file. The healthcare giant said it “may not have sufficient addresses for all potentially affected individuals” and that the website alert was to “provide customers and individuals with information about the criminal cyberattack.”
However, if you search the web for the Change Health data breach notification, you are unlikely to find the website in search engine results.
TechCrunch’s review of the source code of the breach notification webpage reveals that Change Healthcare included hidden “noindex” code in the notification, which tells search engines to ignore the webpage, making it harder for anyone searching for the notification on the web to find it in search results. Change Healthcare had included the code “noindex” in the data breach notification since then at least 20 November 2024.
It is unclear why Change Healthcare hid the page from search engines. UnitedHealth spokesman Tyler Mason would not comment on why Change Healthcare included the code to hide the data breach notification. When asked, the spokesperson was unable to provide a specific number of people Change Healthcare had notified of the breach beyond the estimated number of 100 million shared with the US government’s Department of Health in October 2024.
A spokesman for the Department of Health and Human Services’ Office for Civil Rights, which oversees federal investigations into data breaches involving protected health information, did not respond to a request for comment on the matter.
Change Healthcare has been criticized for being slow to notify affected people of the breach – the company only started doing so four months after receiving a copy of the stolen files. The delay in public disclosure prompted several US states, including California, Massachusetts, Nebraska and New Hampshireto intervene by alerting residents to remain vigilant for identity theft and fraud following the data breach.
In December 2024, Nebraska filed a lawsuit against Change Healthcare for a series of security failures that led to the breach. State Attorney General Mike Hilgers said Change Healthcare’s lack of adequate disclosure to affected individuals made the state’s citizens “more vulnerable to the exploitation of sensitive personal financial, health and identifying information.”
Corrected the link to the California notice in the eighth paragraph.
