Change Healthcare, the UnitedHealth-owned healthtech company that lost more than 100 million people’s sensitive health data in a ransomware attack last year, said on Tuesday that the company has “substantially” completed notifying affected individuals about the massive data breach.
The February 2024 ransomware attack on Change Healthcare, one of the biggest processors of patient billing in the United States, resulted in months-long outages that disrupted care across the U.S. healthcare system. The data breach also became the largest known theft of medical data in U.S. history. Change Healthcare paid the hackers a ransom with the aim of preventing them from publishing any more of the stolen data, and in exchange, obtained a copy of the stolen data to begin notifying people whose information was taken.
In an update to its data breach notice on its website on Tuesday, Change Healthcare said it has “notified its impacted customers” for whom the company has a postal address on file. The healthcare giant said it “may not have sufficient addresses for all potentially impacted individuals,” and that the website notice was to “provide customers and individuals with information about the criminal cyberattack.”
But if you search the web for the Change Healthcare data breach notice, you’re unlikely to find the webpage in search engine results.
TechCrunch’s review of the breach notice’s web page source code reveals Change Healthcare included hidden “noindex” code on the notice, which tells search engines to ignore the web page, making it more difficult for anyone searching the web for the notice to find it in search results. Change Healthcare had been including the “noindex” code on its data breach notice since at least November 20, 2024.
It’s unclear why Change Healthcare hid the page from search engines. UnitedHealth spokesperson Tyler Mason did not comment on the reason why Change Healthcare included the code to hide the data breach notice. When asked, the spokesperson was unable to provide a specific number of individuals that Change Healthcare had notified of the breach beyond the estimated 100 million number shared with the U.S. government’s health department in October 2024.
A spokesperson for the Department of Health and Human Services’ Office for Civil Rights, which oversees federal investigations of data breaches involving protected health information, did not respond to a request for comment on the matter.
Change Healthcare has been criticized for being slow to notify affected individuals of the breach — the company only started to do so four months after it had received a copy of the stolen files. The delay in public disclosure prompted several U.S. states, including California, Massachusetts, Nebraska and New Hampshire, to intervene by notifying residents to stay alert to identity theft and fraud following the data breach.
In December 2024, Nebraska brought legal action against Change Healthcare for a string of security failings that led to the breach. The state’s attorney general, Mike Hilgers, said Change Healthcare’s lack of adequate notice to affected individuals left the state’s citizens “more vulnerable to exploitation of the sensitive personal financial, health, and identifying information.”
