Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Change Healthcare, the healthcare company of UnitedHealth that has lost more than 100 million people’s sensitive health data in a ransomware attack last year, said on Tuesday that the company has “substantially” completed notifying affected individuals about the massive data breach.
The February 2024 ransomware attack on Change Healthcare, one of the largest patient billing processors in the United States, resulted in months-long outages that disrupted care throughout the U.S. healthcare system. Data breach has also become the largest known theft of medical data in US history. Change Healthcare paid the hackers a ransom with the aim of prevent them from publishing more of the stolen data, and in exchange, obtained a copy of the stolen data to begin notifying the people that the information was taken.
In an update of his data breach notice on their website On Tuesday, Change Healthcare said it has “notified its affected customers” for whom the company has a mailing address on file. The healthcare giant said it “may not have enough addresses for all potentially affected individuals,” and that the website’s warning was to “provide customers and individuals with information about the criminal cyberattack “.
But if you search the web for the Cambia Healthcare data breach notice, you are unlikely to find the web page in the search engine results.
TechCrunch’s review of the source code of the breach notice web page reveals Change Healthcare included hidden “noindex” code on the notice, which tells search engines to ignore the web page, making it harder for anyone who searches the web for notice to find in the search. results. Change Healthcare has included the code “noindex” in its data breach notice since then at least on November 20, 2024.
It is unclear why Change Healthcare has hidden the page from search engines. UnitedHealth spokesman Tyler Mason would not comment on the reason why Change Healthcare included the code to hide the data breach notice. When asked, the spokesperson was unable to provide a specific number of individuals that Change Healthcare had notified of the breach beyond the estimated number of 100 million shared with the US government’s health department in October 2024.
A spokesman for the Health and Human Services Department’s Office for Civil Rights, which oversees federal investigations of data breaches involving protected health information, did not respond to a request for comment on the matter.
Change Healthcare has been criticized for being slow to notify individuals affected by the breach – the company began doing so four months after receiving a copy of the stolen files. The delay in public disclosure prompted several US states, including California, Massachusetts, Nebraska and New Hampshireto intervene by warning residents to be aware of identity theft and fraud following a data breach.
In December 2024, Nebraska brought legal action against Change Healthcare for a series of security failures that led to the breach. State Attorney General Mike Hilgers said Change Healthcare’s lack of adequate notice to affected individuals left the state’s citizens “more vulnerable to the exploitation of financial, health and of sensitive personal identification”.
