Change Healthcare, the UnitedHealth-owned health technology company that lost more than 100 million sensitive health records in a ransomware attack last year, said Tuesday that the company has “substantially” completed notifying affected individuals of the breach massive data.
The February 2024 ransomware attack on Change Healthcare, one of the largest patient billing processors in the United States, resulted in months of outages that disrupted care throughout the U.S. healthcare system. The data breach also became the largest known theft of medical records in US history. Change Healthcare paid the hackers a reward in order to prevent them from releasing any more stolen data, and in return, received a copy of the stolen data to begin notifying people whose information was taken.
In an update to the data breach notice on its website on Tuesday, Change Healthcare said it “has notified its affected customers” for whom the company has a mailing address on file. The healthcare giant said it “may not have enough addresses for all potentially affected individuals” and that the website notice was to “provide customers and individuals with information about the criminal cyberattack.”
But if you search the web for the Change Healthcare data breach notice, you’re unlikely to find the website in search engine results.
TechCrunch’s review of the source code of the breach notification website reveals Change Healthcare included hidden “noindex” code in the notification, which tells search engines to ignore the website, making it harder for anyone that searches the web for notification to find it in search. the results. Change Healthcare had included the code “noindex” in its data breach notification since at least November 20, 2024.
It is unclear why Change Healthcare hid the site from search engines. UnitedHealth spokesman Tyler Mason would not comment on why Change Healthcare included the code to hide the data breach notification. When asked, the spokesperson was unable to provide a specific number of individuals that Change Healthcare had notified of the breach beyond the estimated number of 100 million shared with the US government’s health department in October 2024.
A spokesman for the Department of Health and Human Services Office for Civil Rights, which oversees federal investigations of data breaches involving protected health information, did not respond to a request for comment on the matter.
Change Healthcare has been criticized for being slow to notify affected individuals of the breach – the company began doing so just four months after receiving a copy of the stolen files. The delay in public disclosure prompted several US states, including California, Massachusetts, Nebraska and New Hampshire, to step in by notifying residents to be vigilant against identity theft and fraud following a data breach.
In December 2024, Nebraska filed a lawsuit against Change Healthcare for a series of security failures that led to the breach. State Attorney General Mike Hilgers said Change Healthcare’s lack of adequate notification to affected individuals left the state’s citizens “more vulnerable to the exploitation of sensitive financial, health and personally identifiable information.”
