Change Healthcare, the health tech company owned by United Health that lost sensitive health data of more than 100 million people in a ransomware attack last year, said Tuesday that it has not provided “substantive notice” to affected individuals about the massive data breach. announced that it had been completed.
A February 2024 ransomware attack on Change Healthcare, one of the largest patient claims processing companies in the United States, caused a months-long outage and disrupted healthcare across the U.S. healthcare system. The data breach is known as the largest theft of medical data in U.S. history. Change Healthcare paid the hackers a ransom to prevent them from releasing any more stolen data, in exchange for obtaining copies of the stolen data and began notifying people whose information was stolen.
In an update to its data breach notification posted on its website Tuesday, Change Healthcare said it has “notified affected customers” whose addresses it has on file. The healthcare giant said it “may not have enough addresses for all potentially affected individuals,” and a notice on its website “provides customers and individuals with information about criminal cyber attacks.” The aim is to provide the following.
However, if you search for Change Healthcare's data breach notification on the web, it is highly unlikely that you will find the web page in search engine results.
A TechCrunch review of the source code of the infringement notification web page revealed that Change Healthcare had included hidden “noindex” code in the notification. This instructs search engines to ignore the web page, resulting in people searching for the notification on the web having a harder time finding that notification in a search. Change Healthcare has included a “noindex” code in its data breach notifications since at least November 20, 2024.
It's unclear why Change Healthcare hid this page from search engines. UnitedHealth spokesman Tyler Mason would not comment on why Change Healthcare included code to hide data breach notifications. When asked, a spokesperson could not provide a specific number of people Change Healthcare has notified of a breach, which exceeds the estimated 100 million people shared with the U.S. Department of Health Services in October 2024.
A spokesperson for the Department of Health and Human Services' Office of Civil Rights, which oversees federal investigations into data breaches involving protected health information, did not respond to requests for comment on the matter.
Change Healthcare has been criticized for being slow to notify affected individuals of the breach. The company began notifying users four months after receiving copies of the stolen files. Delays in releasing the information prompted several U.S. states, including California, Massachusetts, Nebraska and New Hampshire, to intervene by notifying residents to be wary of identity theft and fraud following data breaches.
In December 2024, the state of Nebraska filed a lawsuit against Change Healthcare, citing a series of security flaws that led to the breach. State Attorney General Mike Hilgers said Change Healthcare failed to properly notify affected individuals, leaving the state's citizens vulnerable to having their “sensitive personal financial, health, and personal information misused.” It's getting easier,” he said.