Change Healthcare, the UnitedHealth-owned healthtech firm that misplaced greater than 100 million individuals’s delicate well being knowledge in a ransomware assault final 12 months, stated on Tuesday that the corporate has “considerably” accomplished notifying affected people concerning the large knowledge breach.
The February 2024 ransomware assault on Change Healthcare, one of many largest processors of affected person billing in the USA, resulted in months-long outages that disrupted care throughout the U.S. healthcare system. The info breach additionally turned the biggest recognized theft of medical knowledge in U.S. historical past. Change Healthcare paid the hackers a ransom with the purpose of stopping them from publishing any extra of the stolen knowledge, and in alternate, obtained a duplicate of the stolen knowledge to start notifying individuals whose data was taken.
In an replace to its knowledge breach discover on its web site on Tuesday, Change Healthcare stated it has “notified its impacted prospects” for whom the corporate has a postal deal with on file. The healthcare big stated it “might not have adequate addresses for all probably impacted people,” and that the web site discover was to “present prospects and people with details about the legal cyberattack.”
However in case you search the net for the Change Healthcare knowledge breach discover, you’re unlikely to search out the webpage in search engine outcomes.
TechCrunch’s assessment of the breach discover’s net web page supply code reveals Change Healthcare included hidden “noindex” code on the discover, which tells search engines like google and yahoo to disregard the net web page, making it harder for anybody looking the net for the discover to search out it in search outcomes. Change Healthcare had been together with the “noindex” code on its knowledge breach discover since not less than November 20, 2024.
It’s unclear why Change Healthcare hid the web page from search engines like google and yahoo. UnitedHealth spokesperson Tyler Mason didn’t touch upon the rationale why Change Healthcare included the code to cover the info breach discover. When requested, the spokesperson was unable to supply a particular variety of people that Change Healthcare had notified of the breach past the estimated 100 million quantity shared with the U.S. authorities’s well being division in October 2024.
A spokesperson for the Division of Well being and Human Companies’ Workplace for Civil Rights, which oversees federal investigations of knowledge breaches involving protected well being data, didn’t reply to a request for touch upon the matter.
Change Healthcare has been criticized for being sluggish to inform affected people of the breach — the corporate solely began to take action 4 months after it had acquired a duplicate of the stolen information. The delay in public disclosure prompted a number of U.S. states, together with California, Massachusetts, Nebraska and New Hampshire, to intervene by notifying residents to remain alert to id theft and fraud following the info breach.
In December 2024, Nebraska introduced authorized motion in opposition to Change Healthcare for a string of safety failings that led to the breach. The state’s legal professional common, Mike Hilgers, stated Change Healthcare’s lack of satisfactory discover to affected people left the state’s residents “extra susceptible to exploitation of the delicate private monetary, well being, and figuring out data.”